Tag Archives: networking

Revisiting Eudora SSL Certificate Failures

Introduction
Back in January I wrote an article about remedying failed certificate errors in Eudora. The article came about because I had a problem, the solution I puzzled out wasn’t terribly obvious, and I hoped to help others in a similar bind.

The article exceeded my expectations! Go read the comments and you’ll see what I mean. I’ll wait.

I’ve learned a lot, too! There are WAY more Eudora enthusiasts than I had ever imagined. There’s a rather active, reasonably high signal-to-noise ratio mailing list dedicated to Eudora for Windows (eudora-win@hades.listmoms.net) where you’ll find plenty of expertise. There I learned a few other tweaks and adjustments that have made my Eudora experiences even better, despite my many years using it.

Thank you all for your support and for passing my article around! I can’t believe some of the help desks it’s touched.


Criticism
While the solution I discovered was effective, I received criticism that it was more complicated than necessary. There’s no need to go through the steps to import or install a certificate, I was told, and in fact, the import/install steps could actually lead to other problems.

I’ve since learned that this is largely true – although I haven’t heard of any instances where trouble actually resulted from the import/install steps I outlined.

This article presents a shortened solution. It omits the unnecessary steps and borrows a bit from stuff on the mailing list. It includes images of the dialogue panels you can expect to see – because I received a ton of positive feedback on that.


Revised Steps
Once again, I’m using Eudora version 7.1.0.9. I can’t think of a single reason anyone should use an earlier version. I’m also running on Windows 10, which should lay to rest any doubt that Eudora runs just as well there as ever. I think that’ll stay true until email address internationalization becomes a standard and gains traction.

A quick word about the dialogue panel graphics shown in this article. They’re actual screen shots so the default action button appears slightly different from the other buttons. (This graphic, for example, shows the Close button as the default action.) In the instructions which follow, however, the button(s) that require clicking are not necessarily the default action.

 

It’s most likely that you’ll encounter a certificate rejection when checking email; most of us check email more often than we send. And failures occur with increased frequency lately with Gmail; they seem to change certificates more often than other providers. So let’s assume that’s the case and Eudora has thrown this error panel at us during a check on Gmail:

Server SSL Certificate Rejected during a Gmail check.

 

Take note of the Eudora Persona which produced the error, if you can. A clue can sometimes be seen in the status area. In our example it’s one of my Gmail accounts.

The status area at the bottom of the screen may provide a clue as to which Persona has produced the certificate error.

 

If you use multiple Personas in Eudora and can’t tell which one experienced the certificate rejection then you’ll need to look at each until you find the correct Persona to adjust. Working with the wrong one will just frustrate you. We’ll come back to this a little later.

For now, click the Yes button in the Server SSL Certificate Rejected panel. Clicking Yes won’t actually fix the problem but it’ll let Eudora finish the tasks that are running. Allow Eudora’s activities to continue until they complete.

Without closing Eudora, access the Properties of the Persona with the rejected certificate. In our example, we know the rejection occurred during a mail check so we’ll access the Incoming Mail tab of that Persona. The Properties appear in the Account Settings panel.

The account settings panel for the Persona that rejected the certificate. We’re looking at the Incoming Mail tab because we know the certificate rejection occurred while checking for new email. Had the rejection occurred during a send we’d be looking at the Generic Properties tab instead.

 

Click the Last SSL Info button. The Eudora SSL Connection Information Manager panel appears.

The Last SSL Info button will only show this panel if this Persona has used SSL since Eudora was last launched. The green arrow indicates the Certificate Information Manager button mentioned below. Yes, that large grey bar is a button!

 

Click the Certificate Information Manager button, which I’ve indicated with a green arrow in the graphic above. DO NOT click OK if you are trying to get to the Certificate Information Manager. The Eudora Certificate Information Manager panel appears.

The Certificate Information Manager displays and allows you to manipulate the certificate chain.

 

Looking at the top-most section of the Certificate Information Manager panel, the first row under Server Certificates (that’s the topmost row with the smiley face in the image above) contains the rejected certificate. You can’t actually see the problem certificate yet because it’s actually the last (or near the last) in a chain of certificates. Like the layers of an onion, you can’t see inside until you remove a layer. (Some refer to it as a series of locked doors, where you need to unlock one before you can see the next.) In any case, the rejected certificate we seek is inside. Click the plus sign next to the top smiley row to expand the chain, which is like peeling away the first layer of the onion.

Here we’ve expanded the chain of certificates just once. Notice the smiley face icon we saw earlier changes to an open mouth. The expansion has revealed… another certificate with another smiley face – the next link in the certificate chain.

 

Keep expanding the certificate chain by clicking the plus sign of each certificate in turn, peeling away layer after layer of our imaginary onion. Eventually you’ll see a skull and crossbones icon instead of a smiley face.

Here we see the fully expanded certificate chain. The final certificate – the one with the skull and crossbones icon – is the one that was rejected because it was untrusted.

 

In this example I needed to expand the chain four times to reach the problem certificate. You may need to expand the chain more or fewer times, and that’s perfectly okay.

Remember several steps back I mentioned working with the correct Eudora Persona when chasing a rejected certificate, and that I’d come back to it later? Welcome to later.

Let’s imagine for a second that we took all these steps and expanded the certificate chain all the way to the end – no more plus signs to click – yet didn’t end up with a certificate marked with a skull and crossbones. What then?

Simply, it means that we’re looking in the wrong place! If you’re not seeing the rejected certificate you can’t very well fix it, can you? So if you’ve gotten this far with no skull and crossbones then close the Certificate Information Manager panel and close the Eudora SSL Connection Information Manager panel. Choose another Persona to work with (or the other tab of the Persona if you don’t know whether you were receiving or sending when the error appeared) and try again.

In order to get Eudora to accept the failed certificate you must first find it! And it’s indicated by a skull and crossbones icon. No skull equals no fix. This is sometimes a point of frustration.

But let’s assume that you have found the certificate with the skull and crossbones. Select it by clicking on it, so it looks like this in the Certificate Information Manager:

The rejected, untrusted certificate with the skull and crossbones icon is selected.

 

Now we’re ready for action!

Click the Add To Trusted button. When you do that the certificate chain we took so much trouble to expand will contract. The Certificate Information Manager panel will look much the same as it did when we first opened it.

The Certificate Information Manager panel just after the Add To Trusted button is clicked.

 

All that’s left to do is dismiss all these panels and test.

Click the Done button in the Certificate Information Manager panel to dismiss it. Click the OK button in the Eudora SSL Connection Information Manager panel to dismiss it. Click the OK button in the Account Settings panel to dismiss it.

Finally, try collecting (or sending) your email again.

Did it work? It did? Great, you’re done. Well, until next time Eudora rejects an untrusted certificate.

Oh, wait, it didn’t work? Don’t panic. Just go back and follow the steps again.

Think back to the certificate chain, the onion layers, the series of locked doors. You need to trust a certificate in the chain before you can see what lies beyond it. The next run through the steps you’ll find that the certificate chain expands one more time before revealing another certificate with the skull and crossbones icon. When you find it, trust it and test again.

As non-intuitive as that may sound, you may need to step through the fix two or more times before achieving success.


Conclusion
If you compare this discussion to my earlier article you’ll see that there are actually WAY fewer steps. Once you’ve gotten through it a few times (and you certainly will if you use Gmail) you’ll see that trusting new certificates only takes a handful of clicks.

Yes, this article seems/is long and ponderous, with several panel images that look nearly the same. That’s because I’m trying to do a better job describing the areas about which I’ve fielded many questions privately.

A tip o’ the hat to Jane who, after working through some frustration, circled back to tell me what she had learned. Jane helped bring clarity to a possibly confusing section of this article. Thanks!

Eudora and SSL Certificate Failures

September 9, 2015 – I’ve revised this article, simplifying and shortening the steps involved!

See the revised article here.


Eudora rocks.

I’ve used this old and outdated Windows mail client since it was kind of new, more than 25 years ago. I chose it when I was moving my message store from a shell account to a PC, right around when PCs started to get reliable enough for such work. Eudora was the first client I discovered whose message store was a simple transfer from Unix, drop-in, and run. I never looked back. Since then I’ve developed a rather extensive set of filters and such to efficiently manage dozens of email accounts and tens of GB of messages.

Bummer, Eudora hasn’t been actively supported since Qualcomm gave it up in 2006. Yeah, I know, it went Open Source. But IMHO they went and screwed it up.

As with any unsupported software, sometimes the passage of time breaks things. More than a few times I’ve cast about for another capable email client. It’s always gone the same way: I find none, get tired of searching, and turn my attention to propping the old girl up just a bit longer.

One afternoon in October last year one of my email hosts suddenly rejected its SSL certificate. It happens. When it does, Eudora offers to trust the new certificate. Thereafter all’s well. Not this time.

It wasn’t my host, and it wasn’t a critical account. Via trouble tickets, I went back and forth with the admins at the hosting company for the better part of a month. They’d suggest something, I’d try it – and maybe try a few things on my own – but nothing worked. Along the way I cast about for a replacement client and I came up dry. Finally I just shut off SSL for the account and got on with life. Not the best solution, but it worked. I really do need to find a new client! Maybe tomorrow… Yeah, right.

Last night Eudora rejected more certificates. This time it affected multiple accounts on different domains. These were more important to me so I needed a solution.

And I found one.

First, some groundwork. My Eudora is version 7.1.0.9 running on Windows 8.1 Update 1. Of note, Eudora has a patched QCSSL.dll, needed since Microsoft made some changes to a library that caused the old client to loop for a Very… Long… Time… on the first use of SSL. I think that was around the time Windows 7 launched. Depending on your version(s), you may find differences in the dialogues and steps. I tried to give enough detail that you might find your way.

Let’s get started. The certificate rejection error looks like this:

Server SSL Certificate Rejected

See the question in the dialogue, “Do you want to trust this certificate in future sessions?”

It once was a simple matter of clicking the Yes button and that would be that. But that didn’t work in October and it didn’t work last night either.

Here’s what to do to fix the problem.

Close the error dialogue and open Properties for the affected Persona. On the Incoming Mail tab (because it’s likely that a receive operation failed first), click the Last SSL Info button. The Eudora SSL Connection Information Manager opens. It looks like this:

Eudora SSL Connection Information Manager

There’s some weirdness in this dialogue, some confusion over host names. I think it’s a junk message. Click the Certificate Information Manager button. The Certificate Information Manager opens, and it looks like this:

Certificate Information Manager

Look at the section called Server Certificates. See the smiley face? That means trusted status. Expand that certificate tree in the usual way – click the plus sign next to it. Keep expanding, drilling down until you see one that’s untrusted. That’s the one with the skull ‘n crossbones. Of course.

The Certificate Information Manager panel, with the untrusted certificate, will now look something like this:

Certificate Information Manager – Expanded to show untrusted certificate

Click the offending untrusted certificate to select it then click the View Certificate Details button. The Certificate opens. It looks like this:

Certificate panel

Select the General tab, if necessary, and click the Install Certificate button. The Certificate Import Wizard panel opens. It looks like this:

Certificate Import Wizard – Location

Choose a Store Location – Current User or Local Machine – as needed for your situation. I chose the Current User because I’m the only user on this box. Click the Next button. The Certificate Import Wizard continues, and it looks like this:

Certificate Import Wizard – Certificate Store

The wizard asks where to store the certificate. Windows can automatically choose the Store based on the type of certificate, and that’s a pretty good choice. It’s also the default. Click the Next button to display a confirmation panel. It looks like this.

Certificate Import Wizard – Completing the Certificate Import Wizard

Click the Finish button.

Whew! It looks like the import was successful.

Certificate Import Wizard – Success!

Click the OK button to close the Certificate Import Wizard.

Now, you’ll be looking at the Certificate Information Manager again, just how we left it.

Certificate Information Manager – Expanded to show untrusted certificate

 

With the untrusted skull ‘n crossbones certificate highlighted, click the Add To Trusted button. Then click the Done button to close the Certificate Information Manager.

Finally, try to reach the server that rejected the SSL certificate in the first place.

Did it work?

If it did then you’re finished.

Uh oh, waddya mean, it didn’t work?

You’ll need to go back and follow those steps again.

I hear you now. “Only an idiot does the same thing over and over expecting different results.”

Well, you’ll notice that the next time through the Certificate Information Manager will show a deeper tree of Server Certificates before you get to the untrusted certificate. You’ll need to drill deeper.

You may need to import and add several before achieving success. After a couple of imports it’s easy to forget the Add To Trusted button. Don’t ask me how I know!

I hope that helps someone.

Sometimes I think I’m the very last Eudora user out there. I’d love to hear from others. In fact, if you’ve moved off Eudora and found a decent replacement, I’d love to hear that, too. I know it’s only a matter of time.


 

Additional information added April 17, 2015…

One person described, in the comments below, that she had some difficulty with the Add To Trusted button in the Certificate Information Manager when working with Google’s new certificates. Her insight came when she realized that she was simultaneously viewing this post with Google Chrome. When she closed Chrome and went through the process again, everything worked.

A big THANK YOU goes out to one Pat Toner for checkin’ in and increasing the value of this post with her feedback. I owe you a beer, Pat. And an apology for my gender assumption based on name.

40 Years of the Internet

It seems like only yesterday that Joe and I would while away the wee hours on the printer-terminals in the basement at Hill Center, ‘playing’ on the ARPANET after shooting pool and drinking beers… That was actually in the ’70s. The ‘net has come quite a way from those days, hasn’t it?

http://apnews.myway.com/article/20090830/D9ADCOL00.html

Here’s what the ARPANET looked like in 1982. [link died: http://thadlabs.com/FILES/ARPANET_Sept_1982.pdf]

Kinda different today. Say, I’m a little curious. Does anyone remember the pain of using bangist-style email addresses in the ancient, pre-DNS days? Stuff that looked like this:

fishpond!mcdphx!asuvax!cs.utexas.edu!usc!apple!portal!cup.portal.com!plav

Yeah, that’s actually an email address. It used to reach me, in fact – well, from some networks, anyway. Getting it all to work together used to be really, really hard work!

Automatic Trust Revisited

I got a distressing email from a friend earlier this evening. He wrote of picking up a trojan on his personal laptop. It was asking for money to undo the shenanigans. And my friend was asking for advice before he reformatted and reinstalled.

First thing I did, like any of you would do, was upload some useful tools to one of my servers for him. But now I’m sitting here thinking…

We all send attachments back and forth in email and there are certain people that you trust. Instead of the trash, instead of treading carefully, the automatic trust thing (and the all-too-human trait of being in too much of a hurry) makes us open, run, visit or whatever.

Perhaps that trust is misguided. My friend’s one of the folks I trusted that way. But as I write I’m running checks on his recent attachments!

Will his box be clean tonight? Tomorrow? Next week? What will he do, what will he run before sending something else? Multiply the risk by the number of people with ‘trusted’ status.

I feel like I dodged a bullet.

As it happens I’ll be seeing my friend tomorrow. This will certainly be one topic of conversation.

Mobile Phone Adventure

Verizon Wireless, my mobile carrier, has been pestering me lately. An equipment upgrade offer was pending. My pair of old Motorola RAZR V3c handsets serve me quite well so it seemed like a perfect opportunity to add a third number and a new handset for my son, something we’ve been talking about for a while. Yesterday we stopped at one of their local brick-and-mortar facilities to get that done. I don’t know about you, but every time I have to physically show up to do something with my mobile phones there is trouble of one sort or another…

I’m an unusual wireless customer. I use my phone to make and receive voice calls. For email, Web, music, pictures, videos, ad nauseam, I’ll reach for a more appropriate piece of equipment. I’m not thrilled with Verizon Wireless’ closed network, either, or the way they nickel-and-dime you for every little thing. But their performance – at least where I use it – is second to none. I cannot recall the last time I had a call drop or not go through. Each ‘line’ (an archaic term in the wireless world) draws from a single pool of enough minutes that we use it without thinking and never need to buy extra, thanks to a reasonably priced grandfathered contract, sans enhanced services, that they haven’t offered in years. I’ve been a steady customer for better than a decade and a half. I’m an unusual customer.

We found a handset my son liked and made our way to the counter only to learn that the upgrade offer applied only to my V3c. But nothing’s carved in stone and after some discussion we found a way: a temporary upgrade. I buy a new handset (an LG VX9100, free after the promotion) and move my number to it. I buy an additional ‘line’ for my son, and assign the new number to my old V3c. Finally, the next day, we would swap the numbers between the two handsets, under the auspices that I’m unhappy with the new handset. Normally that swap would be $20 a pop, but there would be no charge. And everybody would be happy.

A while later we discovered that my V3c didn’t respond on the new number. Things went downhill fast from there. Tech Support reported that the new number belonged to a Blackberry belonging to Merrill Lynch, that my contract shows only two numbers, and that my V3c ESN no longer exists. Oops.

Back at the store they tried to get me to just replace the handset, “Just take the best we’ve got, no charge!” No thanks, I want the one I’ve got, please fix it. They finally managed to install a dummy ESN onto it and assign the new number, and get my contract to recognize them both. But because of the dummy ESN the handset doesn’t do anything, it’s a brick. Tomorrow, they say, they will be able to finish straightening it out.

I need to digress with some history… Verizon Wireless was probably the last carrier on Earth to add the incredibly popular – and profitable – Motorola RAZR handsets. The reasons were two-fold. First, the CDMA chipset was physically larger, and Motorola had some difficulty making it fit into the small package. Second, all Verizon Wireless phones (at the time) sported an external antenna, which helped them to provide their outstanding network performance. The RAZR’s antenna is internal. As for me, I wanted the small size but I was unwilling to switch carriers. So I waited it out. Eventually Motorola got the hardware into the handset and got the antenna performance good enough to pass Verizon Wireless’ performance testing (it took several rounds of testing which led to yet more delays). Finally they were set to roll ’em out. Just in time for Christmas! Well, sort of.

In the mobile phone industry, a hardware manufacturer will develop a new handset and the base software to make the features work, as well as an SDK. A carrier will take that and develop their own software layer, which in turn becomes the set of services and capabilities that differentiate one carrier from another. In the case of Verizon Wireless, with their closed network, part of their software development is to lock down the handset. The customized RAZR software, due to the Christmas sale deadline, was a rush job.

Watching all that unfold, I bought my handsets a day or two before they became available at the stores. My handsets are not locked down. The best thing about this is my Bluetooth profiles include OBEX. And that means I can add custom rings I make myself, get images and voice recordings on and off, use the crappy little camera (when needed and nothing better is available), use it as a wireless (or wired, via USB) modem with the laptop, and so on, all without incurring Verizon Wireless charges.

And that’s why I don’t want to give up these handsets or upgrade their firmware. Whenever I need to explain this, the representative smiles and understands. [Ed. 6 July 2008: My wife, OTOH, never really understood why I held those capabilities so dear. That is, until the latest bill arrived. My son had bought a ringtone. $2.95, no big deal, but the browsing charges, the megabyte charges, and the fact that he tried the Web browsers on all of our handsets by the time he was through, had brought the cost of that stupid ringtone to near $20. When I explained how billing works, and had real examples to use, the lightbulb went on.]

So today I will see whether they can get this mess straightened out. I’m nervously optimistic.

Community Bulletin Board

Supermarkets here, and I guess everywhere, have some space set aside where you can place stuff you want others to see. People tack up their business cards, notices of lost pets, stuff for sale and all manner of things.

It’s an amazingly effective tool!

I had an unused TV taking up space in the garage. I muscled the set onto a motorcycle jack and took a picture. I fiddled with PowerPoint for a few minutes to craft my ad. Then my son and I grabbed our helmets and took a little motorcycle tour of a few area supermarkets to post my ads.

We deployed five before wheeling into Stewart’s for a frosty root beer.

By the time we got home there was voice mail. The first caller soon arrived and bought the set. Interestingly enough, the buyer and I turned out to have some mutual friends. It’s a small world.

Today I’ll retrace the ride and collect the dead ads.

Sometimes the real world beats the snot out of online.