Expired certificate - am I being hacked?

jwriter

Valued Member
I am getting an expired certificate notice (please see attached)? Should I contact mail.com directly? Thank you.
 

Attachments

  • screen_01.jpg
    screen_01.jpg
    54.6 KB · Views: 1,060
  • screen_02.jpg
    screen_02.jpg
    32.6 KB · Views: 931

popowich

EQ Forum Admin
Staff member
Yes, I would try opening a ticket from your mail.com account and let them know that the SSL certificate applied to pop.mail.com expired over 2 months ago.

Update! No, don't contact them, see two posts below.
 

popowich

EQ Forum Admin
Staff member
For the technically curious, how to verify by connecting directly with openssl from a Linux server:

> openssl s_client -connect pop.mail.com:995
CONNECTED(00000004)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=pop.mail.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEnTCCA4WgAwIBAgIQGftdGf/pKRYxqB1k9FUVSDANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTEzMDkyNDAwMDAwMFoXDTE0MTAwNDIzNTk1OVowcjEL
MAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxQMQ2hl
c3RlcmJyb29rMR4wHAYDVQQKFBUxJjEgTWFpbCAmIE1lZGlhIEluYy4xFTATBgNV
BAMUDHBvcC5tYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKFbU6iDB4QUKl79eMYNRmnYp+ZUSBoHD+laaweMHft8qsH0iT/2wIIKWc0Ycapg
W7I/CiWnk9/itrEN/gtsbtF/qt2oWcQEf+hw5IwzlVFWolqCplHJBHGUnWVdQ8rb
W9Ak0ikjwpZ/yH/ia83rITSRo2Z8DyT6Wvc/Zsl3KYQ38eKE1dQDRG1W1L09UZUE
q9T6atFpCtVT00e3QK4T7lR/tEmXRr5wCRnP29XuPDfwWdcS8h9VTUwDkamk9XcW
xVMfo4x2aUnmg4NzXkJm5C6K01t8xR5SdudHJpGRhCJhp99OLtZ4JAb336DLsNGI
Z7nAqdKEwpU553tUvkLpC9ECAwEAAaOCAWMwggFfMBcGA1UdEQQQMA6CDHBvcC5t
YWlsLmNvbTAJBgNVHRMEAjAAMEIGA1UdIAQ7MDkwNwYKYIZIAYb4RQEHNjApMCcG
CCsGAQUFBwIBFhtodHRwczovL3d3dy50aGF3dGUuY29tL2Nwcy8wDgYDVR0PAQH/
BAQDAgWgMB8GA1UdIwQYMBaAFKeig7s0RUA9/NUwTxK5PqEBn/bbMDoGA1UdHwQz
MDEwL6AtoCuGKWh0dHA6Ly9zdnItb3YtY3JsLnRoYXd0ZS5jb20vVGhhd3RlT1Yu
Y3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBpBggrBgEFBQcBAQRd
MFswIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wNQYIKwYBBQUH
MAKGKWh0dHA6Ly9zdnItb3YtYWlhLnRoYXd0ZS5jb20vVGhhd3RlT1YuY2VyMA0G
CSqGSIb3DQEBBQUAA4IBAQA2mljmrq+SyL4jniLjHTVkDNW3l5av4lLLmWZKt0dt
FnUXudCAqHmFgkp8B8rhx01AuuelDVY9XzMCeytcjfNiBZcDKhFG5sEpsw1sPaJy
WsM0A9nabbOpwkYGWDRFgzVQUcCPrLo0q7MDn75VBIcGerp5/8LQwF/R54bFtQlB
CAxPhw+TEAfR1zOLhfP8FYRTgXZ5LWnwkdm7DFUNh2NIE7ENsrbQSktjWrZFlI9R
WtasCKqLyXgi9xQUl/gYa9RZ0S47HKcC7GZW+wYIdDSbg9Ll8HDWi5a+Ra+MFSPY
9PuywqgaXXzrrovJEO/RQ3AIY7Kph+57tqZm6hKNW4Yn
-----END CERTIFICATE-----


Save the certificate to a file, in my case mailcom.crt, then:

> openssl x509 -in mailcom.crt -noout -text

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
19:fb:5d:19:ff:e9:29:16:31:a8:1d:64:f4:55:15:48
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA
Validity
Not Before: Sep 24 00:00:00 2013 GMT
Not After : Oct 4 23:59:59 2014 GMT
Subject: C=US, ST=Pennsylvania, L=Chesterbrook, O=1&1 Mail & Media Inc., CN=pop.mail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a1:5b:53:a8:83:07:84:14:2a:5e:fd:78:c6:0d:
46:69:d8:a7:e6:54:48:1a:07:0f:e9:5a:6b:07:8c:
1d:fb:7c:aa:c1:f4:89:3f:f6:c0:82:0a:59:cd:18:
71:aa:60:5b:b2:3f:0a:25:a7:93:df:e2:b6:b1:0d:
fe:0b:6c:6e:d1:7f:aa:dd:a8:59:c4:04:7f:e8:70:
e4:8c:33:95:51:56:a2:5a:82:a6:51:c9:04:71:94:
9d:65:5d:43:ca:db:5b:d0:24:d2:29:23:c2:96:7f:
c8:7f:e2:6b:cd:eb:21:34:91:a3:66:7c:0f:24:fa:
5a:f7:3f:66:c9:77:29:84:37:f1:e2:84:d5:d4:03:
44:6d:56:d4:bd:3d:51:95:04:ab:d4:fa:6a:d1:69:
0a:d5:53:d3:47:b7:40:ae:13:ee:54:7f:b4:49:97:
46:be:70:09:19:cf:db:d5:ee:3c:37:f0:59:d7:12:
f2:1f:55:4d:4c:03:91:a9:a4:f5:77:16:c5:53:1f:
a3:8c:76:69:49:e6:83:83:73:5e:42:66:e4:2e:8a:
d3:5b:7c:c5:1e:52:76:e7:47:26:91:91:84:22:61:
a7:df:4e:2e:d6:78:24:06:f7:df:a0:cb:b0:d1:88:
67:b9:c0:a9:d2:84:c2:95:39:e7:7b:54:be:42:e9:
0b:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:pop.mail.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: https://www.thawte.com/cps/

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Authority Key Identifier:
keyid:A7:A2:83:BB:34:45:40:3D:FC:D5:30:4F:12:B9:3E:A1:01:9F:F6:DB

X509v3 CRL Distribution Points:
URI:http://svr-ov-crl.thawte.com/ThawteOV.crl

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
CA Issuers - URI:http://svr-ov-aia.thawte.com/ThawteOV.cer

Signature Algorithm: sha1WithRSAEncryption
36:9a:58:e6:ae:af:92:c8:be:23:9e:22:e3:1d:35:64:0c:d5:
b7:97:96:af:e2:52:cb:99:66:4a:b7:47:6d:16:75:17:b9:d0:
80:a8:79:85:82:4a:7c:07:ca:e1:c7:4d:40:ba:e7:a5:0d:56:
3d:5f:33:02:7b:2b:5c:8d:f3:62:05:97:03:2a:11:46:e6:c1:
29:b3:0d:6c:3d:a2:72:5a:c3:34:03:d9:da:6d:b3:a9:c2:46:
06:58:34:45:83:35:50:51:c0:8f:ac:ba:34:ab:b3:03:9f:be:
55:04:87:06:7a:ba:79:ff:c2:d0:c0:5f:d1:e7:86:c5:b5:09:
41:08:0c:4f:87:0f:93:10:07:d1:d7:33:8b:85:f3:fc:15:84:
53:81:76:79:2d:69:f0:91:d9:bb:0c:55:0d:87:63:48:13:b1:
0d:b2:b6:d0:4a:4b:63:5a:b6:45:94:8f:51:5a:d6:ac:08:aa:
8b:c9:78:22:f7:14:14:97:f8:18:6b:d4:59:d1:2e:3b:1c:a7:
02:ec:66:56:fb:06:08:74:34:9b:83:d2:e5:f0:70:d6:8b:96:
be:45:af:8c:15:23:d8:f4:fb:b2:c2:a8:1a:5d:7c:eb:ae:8b:
c9:10:ef:d1:43:70:08:63:b2:a9:87:ee:7b:b6:a6:66:ea:12:
8d:5b:86:27
 

popowich

EQ Forum Admin
Staff member
I take back my original answer. Do not contact mail.com, their certificate is updated. You are seeing the old legitimate but expired certificate. Accept the new certificate. You might need to delete and recreate the configuration in your mail program (sometimes that happens with Outlook or some phones) to force them to download the new certificate.
 

jwriter

Valued Member
Thanks Popovich. For you mac owners, you can type "openssl s_client -connect pop.mail.com:995" into your Terminal and you will get the results shown.

I see the new certificate is valid from Sep 24 2013 to Oct 4 2014. My question is, when did the old certificate expire and why am I just seeing this notification?
 

popowich

EQ Forum Admin
Staff member
According to your second screen shot above the old certificate expired in October 2013.

I'm not sure why your mail program waited until now to generate a warning.

Which mail program do you use?
 

Req

New Email
Same here.
Thunderbird 24.1.0
pop.mail.com:995

Also I see a fresh cert with openssl win32 binaries
openssl s_client -connect pop.mail.com:995
openssl x509 -in mailcom.crt -noout -text
on the same machine.

Deleting cert8.db didn't help to resolve the problem.
 

Req

New Email
I see this error in batches, not for every pop request I made.
I think mail.com using some kind of round robin service based on multiple servers/machines. And one/few of those boxes was configured improperly (with expired cert file). This is the only explanation I can suggest based on irregular error pattern.
 

Req

New Email
Got it finally.

>openssl s_client -connect pop.mail.com:995

.......................skip...........

-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQYvQAjJGCctv7WxS7FJOk9DANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTEyMDkyNDAwMDAwMFoXDTEzMTAwNDIzNTk1OVowgYUx
CzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTATBgNVBAcUDENo
ZXN0ZXJicm9vazEeMBwGA1UEChQVMSYxIE1haWwgJiBNZWRpYSBJbmMuMREwDwYD
VQQLFAhNQUlMLmNvbTEVMBMGA1UEAxQMcG9wLm1haWwuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxMK7jE9kPKA3kjOS9REsNVSV+Hr/hluokZgh
k+HgFrwPvyCvooLSXGm0TinO9v8LIdbFekV97dXNVae6KttFQXeDuo+Qrv2d4A94
HmHJsrQkkY0Lx9J4sQx1wP4hPpbgfpEfANeHQa4x4PMZn7KeCVkAWK+Yn5XkvMPd
B1ceMl055x+Q42heBXJmNzxxO8B7TwGeLX9hsgdiKpr3w+oxXfe1MTyWqD61IZvV
JE8Rmv+hyyqXHNCObbfiSLM1czqgtbBbEmdtvXxKLoaDnEs32Pu1bikN7EuQ3Z3O
YKDJU8cwO7srvnQNT/0ohfEj8mqqJovcQa0tTWMbgHkZALOs7wIDAQABo4IBYzCC
AV8wFwYDVR0RBBAwDoIMcG9wLm1haWwuY29tMAkGA1UdEwQCMAAwQgYDVR0gBDsw
OTA3BgpghkgBhvhFAQc2MCkwJwYIKwYBBQUHAgEWG2h0dHBzOi8vd3d3LnRoYXd0
ZS5jb20vY3BzLzAOBgNVHQ8BAf8EBAMCBaAwHwYDVR0jBBgwFoAUp6KDuzRFQD38
1TBPErk+oQGf9tswOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3N2ci1vdi1jcmwu
dGhhd3RlLmNvbS9UaGF3dGVPVi5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMGkGCCsGAQUFBwEBBF0wWzAiBggrBgEFBQcwAYYWaHR0cDovL29jc3Au
dGhhd3RlLmNvbTA1BggrBgEFBQcwAoYpaHR0cDovL3N2ci1vdi1haWEudGhhd3Rl
LmNvbS9UaGF3dGVPVi5jZXIwDQYJKoZIhvcNAQEFBQADggEBAD3TH8vuKMXbiD2L
nwSD1g1b3munu7BdKaun2L3HBGllUYJ4eFdS4uRE3OXyrLlloHKaxkvwsRnfFtzX
m+JwP8GeeFQMwwqnuPmIF8i03+inKM0PeNFVroaCFf6s6fPqQAEgiLBI7z0RVUoD
ycc4dSEl7PZzp8cOy3fbwrvbnFlHipNOOXPoaK+f2EGnDmsPFIaHnnR1pXMDkm7u
csQ4m50zcecfZVw8mRF/YMrDMTDuKHlOqEoA6+x4EBFq7fPQTFa9bAzsiEDh172c
448Ysv2cEhF01r08fKfjDph1tHMefT5eXlSV7gNTukxvazVEurx99aXZ2PGs25mj
tIyAt20=
-----END CERTIFICATE-----

.....skip...........

>openssl x509 -in mailcom2.crt -noout -text

........skip.........

Validity
Not Before: Sep 24 00:00:00 2012 GMT
Not After : Oct 4 23:59:59 2013 GMT
Subject: C=US, ST=Pennsylvania, L=Chesterbrook, O=1&1 Mail & Media Inc., OU=MAIL.com, CN=pop.mail.com

........skip.........

So it's 100% on mail.com side.

You can catch it also. Just cycle thru this command for some time
openssl s_client -connect pop.mail.com:995
and look for "tIyAt20=" at the end of cert body. This is expired cert signature.

The right cert (updated one) is ending by "KNW4Yn":

-----BEGIN CERTIFICATE-----
MIIEnTCCA4WgAwIBAgIQGftdGf/pKRYxqB1k9FUVSDANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTEzMDkyNDAwMDAwMFoXDTE0MTAwNDIzNTk1OVowcjEL
MAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxQMQ2hl
c3RlcmJyb29rMR4wHAYDVQQKFBUxJjEgTWFpbCAmIE1lZGlhIEluYy4xFTATBgNV
BAMUDHBvcC5tYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKFbU6iDB4QUKl79eMYNRmnYp+ZUSBoHD+laaweMHft8qsH0iT/2wIIKWc0Ycapg
W7I/CiWnk9/itrEN/gtsbtF/qt2oWcQEf+hw5IwzlVFWolqCplHJBHGUnWVdQ8rb
W9Ak0ikjwpZ/yH/ia83rITSRo2Z8DyT6Wvc/Zsl3KYQ38eKE1dQDRG1W1L09UZUE
q9T6atFpCtVT00e3QK4T7lR/tEmXRr5wCRnP29XuPDfwWdcS8h9VTUwDkamk9XcW
xVMfo4x2aUnmg4NzXkJm5C6K01t8xR5SdudHJpGRhCJhp99OLtZ4JAb336DLsNGI
Z7nAqdKEwpU553tUvkLpC9ECAwEAAaOCAWMwggFfMBcGA1UdEQQQMA6CDHBvcC5t
YWlsLmNvbTAJBgNVHRMEAjAAMEIGA1UdIAQ7MDkwNwYKYIZIAYb4RQEHNjApMCcG
CCsGAQUFBwIBFhtodHRwczovL3d3dy50aGF3dGUuY29tL2Nwcy8wDgYDVR0PAQH/
BAQDAgWgMB8GA1UdIwQYMBaAFKeig7s0RUA9/NUwTxK5PqEBn/bbMDoGA1UdHwQz
MDEwL6AtoCuGKWh0dHA6Ly9zdnItb3YtY3JsLnRoYXd0ZS5jb20vVGhhd3RlT1Yu
Y3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBpBggrBgEFBQcBAQRd
MFswIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wNQYIKwYBBQUH
MAKGKWh0dHA6Ly9zdnItb3YtYWlhLnRoYXd0ZS5jb20vVGhhd3RlT1YuY2VyMA0G
CSqGSIb3DQEBBQUAA4IBAQA2mljmrq+SyL4jniLjHTVkDNW3l5av4lLLmWZKt0dt
FnUXudCAqHmFgkp8B8rhx01AuuelDVY9XzMCeytcjfNiBZcDKhFG5sEpsw1sPaJy
WsM0A9nabbOpwkYGWDRFgzVQUcCPrLo0q7MDn75VBIcGerp5/8LQwF/R54bFtQlB
CAxPhw+TEAfR1zOLhfP8FYRTgXZ5LWnwkdm7DFUNh2NIE7ENsrbQSktjWrZFlI9R
WtasCKqLyXgi9xQUl/gYa9RZ0S47HKcC7GZW+wYIdDSbg9Ll8HDWi5a+Ra+MFSPY
9PuywqgaXXzrrovJEO/RQ3AIY7Kph+57tqZm6hKNW4Yn
-----END CERTIFICATE-----

openssl x509 -in mailcom.crt -noout -text

....skip......

Not Before: Sep 24 00:00:00 2013 GMT
Not After : Oct 4 23:59:59 2014 GMT

....skip......
 

Req

New Email
Reported to mail.com premium support few days ago.

"We would like to inform you that the reported matter has been solved".

No more expired certs warnings on my side at the moment.
Thank you guys for your help here.
 
Top