Tag Archives: mitigation

Revisiting Eudora SSL Certificate Failures

Introduction
Back in January I wrote an article about remedying failed certificate errors in Eudora. The article came about because I had a problem, the solution I puzzled out wasn’t terribly obvious, and I hoped to help others in a similar bind.

The article exceeded my expectations! Go read the comments and you’ll see what I mean. I’ll wait.

I’ve learned a lot, too! There are WAY more Eudora enthusiasts than I had ever imagined. There’s a rather active, reasonably high signal-to-noise ratio mailing list dedicated to Eudora for Windows (eudora-win@hades.listmoms.net) where you’ll find plenty of expertise. There I learned a few other tweaks and adjustments that have made my Eudora experiences even better, despite my many years using it.

Thank you all for your support and for passing my article around! I can’t believe some of the help desks it’s touched.


Criticism
While the solution I discovered was effective, I received criticism that it was more complicated than necessary. There’s no need to go through the steps to import or install a certificate, I was told, and in fact, the import/install steps could actually lead to other problems.

I’ve since learned that this is largely true – although I haven’t heard of any instances where trouble actually resulted from the import/install steps I outlined.

This article presents a shortened solution. It omits the unnecessary steps and borrows a bit from stuff on the mailing list. It includes images of the dialogue panels you can expect to see – because I received a ton of positive feedback on that.


Revised Steps
Once again, I’m using Eudora version 7.1.0.9. I can’t think of a single reason anyone should use an earlier version. I’m also running on Windows 10, which should lay to rest any doubt that Eudora runs just as well there as ever. I think that’ll stay true until email address internationalization becomes a standard and gains traction.

A quick word about the dialogue panel graphics shown in this article. They’re actual screen shots so the default action button appears slightly different from the other buttons. (This graphic, for example, shows the Close button as the default action.) In the instructions which follow, however, the button(s) that require clicking are not necessarily the default action.

It’s most likely that you’ll encounter a certificate rejection when checking email; most of us check email more often than we send. And failures occur with increased frequency lately with Gmail; they seem to change certificates more often than other providers. So let’s assume that’s the case and Eudora has thrown this error panel at us during a check on Gmail:

Server SSL Certificate Rejected during a Gmail check.

Take note of the Eudora Persona which produced the error, if you can. A clue can sometimes be seen in the status area. In our example it’s one of my Gmail accounts.

The status area at the bottom of the screen may provide a clue as to which Persona has produced the certificate error.

If you use multiple Persona in Eudora and can’t tell which one experienced the certificate rejection then you’ll need to look at each until you find the correct Persona to adjust. Working with the wrong one will just frustrate you. We’ll come back to this a little later.

For now, click the Yes button in the Server SSL Certificate Rejected panel. Clicking Yes won’t actually fix the problem but it’ll let Eudora finish the tasks that are running. Allow Eudora’s activities to continue until they complete.

Without closing Eudora, access the Properties of the Persona with the rejected certificate.  In our example, we know the rejection occurred during a mail check so we’ll access the Incoming Mail tab of that Persona. The Properties appear in the Account Settings panel.

The account settings panel for the Persona that rejected the certificate. We’re looking at the Incoming Mail tab because we know the certificate rejection occurred while checking for new email. Had the rejection occurred during a send we’d be looking at the Generic Properties tab instead.

Click the Last SSL Info button. The Eudora SSL Connection Information Manager panel appears.

The Last SSL Info button will only show this panel if this Persona has used SSL since Eudora was last launched. The green arrow indicates the Certificate Information Manager button mentioned below. Yes, that large grey bar is a button!

Click the Certificate Information Manager button, which I’ve indicated with a green arrow in the graphic above. DO NOT click OK if you are trying to get to the Certificate Information Manager. The Eudora Certificate Information Manager panel appears.

The Certificate Information Manager displays and allows you to manipulate the certificate chain.

Looking at the top-most section of the Certificate Information Manager panel, the first row under Server Certificates (that’s the topmost row with the smiley face in the image above) contains the rejected certificate. You can’t actually see the problem certificate yet because it’s actually the last (or near the last) in a chain of certificates. Like the layers of an onion, you can’t see inside until you remove a layer. (Some refer to it as a series of locked doors, where you need to unlock one before you can see the next.) In any case, the rejected certificate we seek is inside. Click the plus sign next to the top smiley row to expand the chain, which is like peeling away the first layer of the onion.

Here we’ve expanded the chain of certificates just once. Notice the smiley face icon we saw earlier changes to an open mouth. The expansion has revealed… another certificate with another smiley face – the next link in the certificate chain.

Keep expanding the certificate chain by clicking the plus sign of each certificate in turn, peeling away layer after layer of our imaginary onion. Eventually you’ll see a skull and crossbones icon instead of a smiley face.

Here we see the fully expanded certificate chain. The final certificate – the one with the skull and crossbones icon – is the one that was rejected because it was untrusted.

In this example I needed to expand the chain four times to reach the problem certificate. You may need to expand the chain more or fewer times, and that’s perfectly okay.

Remember several steps back I mentioned working with the correct Eudora Persona when chasing a rejected certificate, and that I’d come back to it later? Welcome to later.

Let’s imagine for a second that we took all these steps and expanded the certificate chain all the way to the end – no more plus signs to click – yet didn’t end up with a certificate marked with a skull and crossbones. What then?

Simply, it means that we’re looking in the wrong place! If you’re not seeing the rejected certificate you can’t very well fix it, can you? So if you’ve gotten this far with no skull and crossbones then close the Certificate Information Manager panel and close the Eudora SSL Connection Information Manager panel. Choose another Persona to work with (or the other tab of the Persona if you don’t know whether you were receiving or sending when the error appeared) and try again.

In order to get Eudora to accept the failed certificate you must first find it! And it’s indicated by a skull and crossbones icon. No skull equals no fix. This is sometimes a point of frustration.

But let’s assume that you have found the certificate with the skull and crossbones. Select it by clicking on it, so it looks like this in the Certificate Information Manager:

The rejected, untrusted certificate with the skull and crossbones icon is selected.

Now we’re ready for action!

Click the Add To Trusted button. When you do that the certificate chain we took so much trouble to expand will contract. The Certificate Information Manager panel will look much the same as it did when we first opened it.

The Certificate Information Manager panel just after the Add To Trusted button is clicked.

All that’s left to do is dismiss all these panels and test.

Click the Done button in the Certificate Information Manager panel to dismiss it. Click the OK button in the Eudora SSL Connection Information Manager panel to dismiss it. Click the OK button in the Account Settings panel to dismiss it.

Finally, try collecting (or sending) your email again.

Did it work? It did? Great, you’re done. Well, until next time Eudora rejects an untrusted certificate.

Oh, wait, it didn’t work? Don’t panic. Just go back and follow the steps again.

Think back to the certificate chain, the onion layers, the series of locked doors. You need to trust a certificate in the chain before you can see what lies beyond it. The next run through the steps you’ll find that the certificate chain expands one more time before revealing another certificate with the skull and crossbones icon. When you find it, trust it and test again.

As non-intuitive as that may sound, you may need to step through the fix two or more times before achieving success.


Conclusion
If you compare this discussion to my earlier article you’ll see that there are actually WAY fewer steps. Once you’ve gotten through it a few times (and you certainly will if you use Gmail) you’ll see that trusting new certificates only takes a handful of clicks.

Yes, this article seems/is long and ponderous, with several panel images that look nearly the same. That’s because I’m trying to do a better job describing the areas about which I’ve fielded many questions privately.

A tip o’ the hat to Jane who, after working through some frustration, circled back to tell me what she had learned. Jane helped bring clarity to a possibly confusing section of this article. Thanks!

Eudora and SSL Certificate Failures

September 9, 2015 – I’ve revised this article, simplifying and shortening the steps involved!

See the revised article here.


Eudora rocks.

I’ve used this old and outdated Windows mail client since it was kind of new, more than 25 years ago. I chose it when I was moving my message store from a shell account to a PC, right around when PCs started to get reliable enough for such work. Eudora was the first client I discovered whose message store was a simple transfer from Unix, drop-in, and run. I never looked back. Since then I’ve developed a rather extensive set of filters and such to efficiently manage dozens of email accounts and tens of GB of messages.

Bummer, Eudora hasn’t been actively supported since Qualcomm gave it up in 2006. Yeah, I know, it went Open Source. But IMHO they went and screwed it up.

As with any unsupported software, sometimes the passage of time breaks things. More than a few times I’ve cast about for another capable email client. It’s always gone the same way: I find none, get tired of searching, and turn my attention to propping the old girl up just a bit longer.

One afternoon in October last year one of my email hosts suddenly rejected its SSL certificate. It happens. When it does, Eudora offers to trust the new certificate. Thereafter all’s well. Not this time.

It wasn’t my host, and it wasn’t a critical account. Via trouble tickets, I went back and forth with the admins at the hosting company for the better part of a month. They’d suggest something, I’d try it – and maybe try a few things on my own – but nothing worked. Along the way I cast about for a replacement client and I came up dry. Finally I just shut off SSL for the account and got on with life. Not the best solution, but it worked. I really do need to find a new client! Maybe tomorrow… Yeah, right.

Last night Eudora rejected more certificates. This time it affected multiple accounts on different domains. These were more important to me so I needed a solution.

And I found one.

First, some groundwork. My Eudora is version 7.1.0.9 running on Windows 8.1 Update 1. Of note, Eudora has a patched QCSSL.dll, needed since Microsoft made some changes to a library that caused the old client to loop for a Very… Long… Time… on the first use of SSL. I think that was around the time Windows 7 launched. Depending on your version(s), you may find differences in the dialogues and steps. I tried to give enough detail that you might find your way.

Let’s get started. The certificate rejection error looks like this:

Server SSL Certificate Rejected

See the question in the dialogue, “Do you want to trust this certificate in future sessions?”

It once was a simple matter of clicking the Yes button and that would be that. But that didn’t work in October and it didn’t work last night either.

Here’s what to do to fix the problem.

Close the error dialogue and open Properties for the affected Persona. On the Incoming Mail tab (because it’s likely that a receive operation failed first), click the Last SSL Info button. The Eudora SSL Connection Information Manager opens. It looks like this:

Eudora SSL Connection Information Manager

There’s some weirdness in this dialogue, some confusion over host names. I think it’s a junk message. Click the Certificate Information Manager button. The Certificate Information Manager opens, and it looks like this:

Certificate Information Manager

Look at the section called Server Certificates. See the smiley face? That means trusted status. Expand that certificate tree in the usual way – click the plus sign next to it. Keep expanding, drilling down until you see one that’s untrusted. That’s the one with the skull ‘n crossbones. Of course.

The Certificate Information Manager panel, with the untrusted certificate, will now look something like this:

Certificate Information Manager – Expanded to show untrusted certificate

Click the offending untrusted certificate to select it then click the View Certificate Details button. The Certificate opens. It looks like this:

Certificate panel

Select the General tab, if necessary, and click the Install Certificate button. The Certificate Import Wizard panel opens. It looks like this:

Certificate Import Wizard – Location

Choose a Store Location – Current User or Local Machine – as needed for your situation. I chose the Current User because I’m the only user on this box. Click the Next button. The Certificate Import Wizard continues, and it looks like this:

Certificate Import Wizard – Certificate Store

The wizard asks where to store the certificate. Windows can automatically choose the Store based on the type of certificate, and that’s a pretty good choice. It’s also the default. Click the Next button to display a confirmation panel. It looks like this.

Certificate Import Wizard – Completing the Certificate Import Wizard

Click the Finish button.

Whew! It looks like the import was successful.

Certificate Import Wizard – Success!

Click the OK button to close the Certificate Import Wizard.

Now, you’ll be looking at the Certificate Information Manager again, just how we left it.

Certificate Information Manager – Expanded to show untrusted certificate

With the untrusted skull ‘n crossbones certificate highlighted, click the Add To Trusted button. Then click the Done button to close the Certificate Information Manager.

Finally, try to reach the server that rejected the SSL certificate in the first place.

Did it work?

If it did then you’re finished.

Uh oh, waddya mean, it didn’t work?

You’ll need to go back and follow those steps again.

I hear you now. “Only an idiot does the same thing over and over expecting different results.”

Well, you’ll notice that the next time through the Certificate Information Manager will show a deeper tree of Server Certificates before you get to the untrusted certificate. You’ll need to drill deeper.

You may need to import and add several before achieving success. After a couple of imports it’s easy to forget the Add To Trusted button. Don’t ask me how I know!

I hope that helps someone.

Sometimes I think I’m the very last Eudora user out there. I’d love to hear from others. In fact, if you’ve moved off Eudora and found a decent replacement, I’d love to hear that, too. I know it’s only a matter of time.


Additional information added April 17, 2015…

One person described, in the comments below, that she had some difficulty with the Add To Trusted button in the Certificate Information Manager when working with Google’s new certificates. Her insight came when she realized that she was simultaneously viewing this post with Google Chrome. When she closed Chrome and went through the process again, everything worked.

A big THANK YOU goes out to one Pat Toner for checkin’ in and increasing the value of this post with her feedback. I owe you a beer, Pat. And an apology for my gender assumption based on name.

When It Rains It Pours

The day before yesterday I bought a flaring tool. A ruptured brake line in the Jeep needed repair and I couldn’t find mine, tools still in ~70% disarray since the move…

Overflowing Pool
Not my pool, but you get the general idea. That sucker’s FULL.

So yesterday it rained. All day. Relentlessly. It rained and rained and rained. Then it rained some more. And I didn’t work on the Jeep. Come nightfall it rained. Thursday turned into Friday and it kept raining.

In Florida it doesn’t matter how much it rains. Remember the genie in the 1996 movie Aladdin and the King of Thieves? “Sand… It’s everywhere, get used to it.” The sand just soaks up rain like… well, like sand.

It works great except, duh, where there’s no freakin’ sand! The driveway doesn’t soak up the rain, but it drains into – you guessed it – sand. No problem there. Then there’s the pool. Uh oh, the pool’s full of water, the same stuff that rain’s made of. And pools don’t automatically drain, no siree, they contain. So this morning I found the pool full – TOO full – of water. Close to overflowing, it was, so much water that the skimmer couldn’t skim. Up until then I had no idea that it was possible for a pool to have too much water. Live and learn.

It took about two hours to lower the water to the correct level.

Later in the day I formed a piece of brake line and installed it. I was about to begin bleeding the system when… uh huh… it started to rain.

Utah Joins NY in Toughening Texting-While-Driving Laws

As a motorcyclist, I can talk for hours and hours about first-hand encounters with drivers preoccupied with their cell phones (not to mention food, newspapers, computers, GPS units, ad nauseam). We (the editorial we) pass all kinds of stupid laws all the time, why can’t we have more like these? Just as, or perhaps even more importantly, why can’t we actually enforce them as vigorously as needed in order that they’re effective in changing behavior?

http://www.nytimes.com/2009/08/29/technology/29distracted.html?_r=1

Fighting The Good Fight

The amount of spam I’ve been receiving on this blog had been skyrocketing lately. It reached the point that it was pretty much an everyday chore to clear it out. So, like many before me I decided to activate the Akismet (version 2.2.1) plug-in.

All was well for a few days. But then, out of nowhere, Akismet began calling my attention to an unbelievable amount of trackback spam. By ‘unbelievable’ I mean several a minute, sometimes. Hundreds and hundreds overnight.

Now, that shouldn’t be a problem because they’ll go away on their own after a period of time. But what about legitimate stuff? There could be some of that, and it’s important to flag it so Akismet ‘learns’.  Um, that’s what they say, anyway. The trouble, of course, is that the longer the list of stuff to look over becomes, the harder it is to identify the good stuff.

This morning I logged on to see 17 l-o-n-g pages of it. Something would have to be done!

Here’s what a typical entry on the Akismet Caught Spam page looks like.

All instances share the IP address of 82.233.30.32 which is linked to a whois search. If I point my browser at the IP directly I see a typical Apache test page – the offending server is powered by CentOS. A reverse-DNS lookup doesn’t give any more insight – no other host names. Google doesn’t have it cached, either. The IP is probably spoofed…

The text of the spam changes a bit, as does the host name. When I point my browser at the host name, though, there’s some kind of content for just the briefest instant, but then it quickly changes to a typical blog has been removed page. In fact, every one I’ve looked at is exactly like this.

Whaddya know, onlinecasino21.blogspot.com doesn’t resolve to the IP address I mentioned earlier, either. What a surprise, right?

Anyway, it would be nice if Akismet allowed you to filter the spam and apply a delete all to the result. But it doesn’t, so we’ll have to take more drastic measures.

Turning off trackbacks and pingbacks (same setting) would probably work but I’d rather not do that. Blacklisting the address in WordPress doesn’t work, Akismet still gets it first. Here’s what I did. In my .htaccess file I added these sections.

And that seems to have applied the brakes. I haven’t seen another instance of this spam for several hours.
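For readers who want to do the same, here is an added example of .htaccess sections that refuse the address named above at the Apache level, before WordPress or Akismet handles the request. It is not the author's own rules, which are not reproduced on this page; the Apache 2.2/2.4 split and the trackback URL patterns are assumptions.

```apache
# Added example, not the author's rules. Put these sections ABOVE the
# "# BEGIN WordPress" block so they run before WordPress's own rewrites.
# Use Section 1 or Section 2, not both (Section 1 already covers Section 2).

# Section 1: refuse every request from the address named in the post.
# Apache 2.4 and later (mod_authz_core); needs AllowOverride AuthConfig.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 82.233.30.32
    </RequireAll>
</IfModule>

# Apache 2.2 (no mod_authz_core); needs AllowOverride Limit.
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from 82.233.30.32
</IfModule>

# Section 2 (narrower alternative): answer 403 only when that address
# requests a trackback endpoint, leaving ordinary page views alone.
# The URL patterns are assumed WordPress defaults: /wp-trackback.php
# and permalinks ending in /trackback/.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^82\.233\.30\.32$
    RewriteCond %{REQUEST_URI} (/wp-trackback\.php|/trackback/?)$ [NC]
    RewriteRule ^ - [F]
</IfModule>
```

Because Apache answers with a 403 before PHP runs, the blocked attempts no longer reach the Akismet queue; they show up only as 403 entries in the web server's access log.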

Another thing that just might be worth mentioning. I run several blogs and when I was activating Akismet to mine I activated it on the others as well. But this – my personal blog – is the only one that’s been troubled by this onslaught of trackback spam. I don’t know who I pissed off out there, but somebody – or something – has latched on and it ain’t letting go.

Disaster Planning

I recently handled a routine data recovery job for a client. Well, routine for me but definitely not routine for the client. The drive was in a failed PC serving three users, a family. Photos, original art and music, school documents, college applications – all were at risk. The client was worried.

Ultimate Screen Protection

I was reading recently about a company that sells a screen protection system for the iPhone. Like anything oriented toward Apple products, it’s pricey. The article was compelling because the iPhone strikes me as a device that would be prone to getting all scratched up fairly easily. (For fun, go check out the iPhone episode of Will It Blend!)

Over the years I’ve had a number of PDAs and I’m well aware how necessary it is to employ additional protection to prevent screen damage. The product I was reading about sure looked good, but ouch! What a price!

With a bit of digging I uncovered someone else’s research. Go check out the folks at X-Pel. They’re in the business of protecting automotive finishes, but it sure looks like the Ultimate Screen Protector to me. I mean, what do you think is the tougher environment? The highway? Or the scratching of a little plastic stylus?

X-Pel sells small quantities for very reasonable prices. Under the Products menu select Bulk Film by Inch. If this is the stuff used by the iPhone product folks then damn, I sure wish I thought of it first. What a markup! They must be raking in the dough.

I haven’t tried it yet and I don’t know anyone who has, so if you totally hose your screen please don’t come whining to me. Experiment at your own risk. As for me, I’m ordering some film to play with.

Disclaimer: I don’t have any interest in X-Pel or Apple. Before last week I never heard of the former and the nearest I come to Apple these days is that my wife and kid have iPods and come to me for help when iTunes barfs.