Pages: 1 2 Next
RSS
The Bat! 2.12 - Gmail - Unsupported Certificate, Gmail Certificate problem
 
Hi!
I am a happy user of The Bat! since several years.
I am using the 2.12 Version, I know... I know it is very old, but works for me all this years and to now I dont had intention of upgrade.
But from 14/07/2015 I have a problem with Gmail certificate. The error is this:

TLS handshake failure. Unsupported certificate

Is there any way to fix it without upgrade to last version (Euro 39)??
The log at the moment of error is this:
Code
 14/07/2015, 11:14:39: FETCH - Initiating TLS handshake
>14/07/2015, 11:14:40: FETCH - Certificate S/N: 028D5AB8E184B4C0, algorithm: RSA (2048 bits), issued from 01 jul 2015 to 29 sep 2015, for 1 host(s): pop.gmail.com.
>14/07/2015, 11:14:40: FETCH - Owner: US, California, Mountain View, Google Inc, pop.gmail.com.
>14/07/2015, 11:14:40: FETCH - Issuer: US, Google Inc, Google Internet Authority G2.
 14/07/2015, 11:14:40: FETCH - TLS handshake complete
 14/07/2015, 11:14:40: FETCH - connected to POP3 server
 14/07/2015, 11:14:41: FETCH - authenticated (plain)
 14/07/2015, 11:14:42: FETCH - 6 messages in the mailbox, 0 new
 14/07/2015, 11:14:42: FETCH - connection finished - 0 messages received
 14/07/2015, 12:14:41: FETCH - receiving mail messages
 14/07/2015, 12:14:43: FETCH - Initiating TLS handshake
>14/07/2015, 12:14:43: FETCH - Certificate S/N: 028D5AB8E184B4C0, algorithm: RSA (2048 bits), issued from 01 jul 2015 to 29 sep 2015, for 1 host(s): pop.gmail.com.
>14/07/2015, 12:14:43: FETCH - Owner: US, California, Mountain View, Google Inc, pop.gmail.com.
>14/07/2015, 12:14:43: FETCH - Issuer: US, Google Inc, Google Internet Authority G2.
 14/07/2015, 12:14:43: FETCH - TLS handshake complete
 14/07/2015, 12:14:43: FETCH - connected to POP3 server
 14/07/2015, 12:14:44: FETCH - authenticated (plain)
 14/07/2015, 12:14:45: FETCH - 6 messages in the mailbox, 0 new
 14/07/2015, 12:14:46: FETCH - connection finished - 0 messages received
 14/07/2015, 13:14:44: FETCH - receiving mail messages
 14/07/2015, 13:14:45: FETCH - Initiating TLS handshake
!14/07/2015, 13:14:45: FETCH - TLS handshake failure. Unsupported certificate
 14/07/2015, 14:14:47: FETCH - receiving mail messages
 14/07/2015, 14:14:50: FETCH - Initiating TLS handshake
!14/07/2015, 14:14:50: FETCH - TLS handshake failure. Unsupported certificate
 14/07/2015, 14:15:24: FETCH - receiving mail messages
 14/07/2015, 14:15:24: FETCH - Initiating TLS handshake
!14/07/2015, 14:15:24: FETCH - TLS handshake failure. Unsupported certificate
 14/07/2015, 15:15:32: FETCH - receiving mail messages
 14/07/2015, 15:15:33: FETCH - Initiating TLS handshake
!14/07/2015, 15:15:33: FETCH - TLS handshake failure. Unsupported certificate
 14/07/2015, 16:15:35: FETCH - receiving mail messages
 
Thanks in advance.
 
As a temporary measure you can switch to the Microsoft CryptoAPI.
Options>S/MIME and TLS. Click the radio button Microsoft CryptoAPI (Microsoft certificate store) then OK. Hotmail/Outlook/Windows Live should work again.
 
Try this first
http://pki.google.com/
Then these
https://www.geotrust.com/resources/root-certificates/index.html
http://secure.globalsign.net/cacert/Root-R1.crt

Once saved they mut be imported into your address book
 
@Ajit Khodke is Gmail the problem. Hotmail/Outlook is just fine.

@Rick G I try to import all that certificates, some give errors. Unfortunely the error Unsupported Certificate persists.

Thanks.
 
I'm having the exact same problem with The Bat v3.64.01 Pro on Windows XP Pro sp3 -- I'm getting the same 'Unsupported Certificate' error.

At first it happened only sporadically, then frequently, and now all the time. I guess Google has been updating its servers one by one and in the end, all servers in the pop.googlemail.com farm had the troublesome certificate. As far as I know, nothing has changed in my system or settings.

I tried the suggestions above (MS CryptoAPI and importing various root certificates) but unfortunately they did not work (like Juan, I noticed that my The_Bat could not import all of the certificates - some apparently were not recognized as S/MIME certificates).

Is anyone still successfully retrieving mail from pop.googlemail.com or pop.gmail.com?

I have captured one of these failed pop retrieval sessions using Wireshark. I have uploaded the Wireshark log + pcap file to my Dropbox [edit: link removed after problem was solved]. I would be great if a knowledgeable person could have a look to find out what is going wrong exactly. Do I need another root certificate or is something else going on? (I see some checksum errors?).

Thanks kindly in advance for any help!
Edited: Daniel van Rooijen - 17 July 2015 14:55:26
 
Hi there,

since a few days ago i had the same Problems with my old 3.65 and gmail. Gmx, with the same tls settings works fine. Only gmail is the troublemaker.

I use Avast and tried some settings. Turn of SSL in avast works for one day, but now.. nothing. Sending Mail by gmail/theBat! works fine, only POP3 is a problem.

And yes, i imported the certs into adressbook.

best regs from Berlin

Peter
 
Today slightly after noon (Brussels time) my Gmail pop3 mail started to come in again.. apparently Google fixed the problem on their end.
 
Good luck, here in Germany it doesn't work, yet
 
Thanks for the update Daniel!
Here in Argentina doesn't work, yet.
 
Well, maybe I spoke too soon! I have been getting mail, but I'm also still getting a lot of failed pop3 sessions, with the 'unsupported certificate' error. When I check my log, I see alternating periods of approximately 15 minutes during which it either works fine, or it does not. Still, it's better than the past few days. I hope you guys will soon see some improvement, too!

btw, when the session works alright, it is always with this certificate:
Code
>17-7-2015, 15:31:12: FETCH - Certificate S/N: 2994CDF73C1C2647, algorithm: RSA (2048 bits), issued from 01 jul 2015 to 29 sep 2015, for 1 host(s): pop.googlemail.com.
>17-7-2015, 15:31:12: FETCH - Owner: US, California, Mountain View, Google Inc, pop.googlemail.com.
>17-7-2015, 15:31:12: FETCH - Issuer: US, Google Inc, Google Internet Authority G2.
 
Well, it looks like, that google solved the problems today. Hope...


Edit: Ha ha ha .. 6pm Errors
Code
 18.07.2015, 17:46:25: FETCH - Empfange Nachrichten
 18.07.2015, 17:46:25: FETCH - Einleitung TLS-Handshake
>18.07.2015, 17:46:25: FETCH - Zertifikat S/N: 4BB46F51140E6E409EECE33BE260BAA5, Algorithmus: RSA (2048 Bits), ausgestellt von 01 Jul 2015 bis 29 Sep 2015, für 1 Host(s): pop.googlemail.com.
>18.07.2015, 17:46:25: FETCH - Besitzer: US, California, Mountain View, Google Inc, pop.googlemail.com.
>18.07.2015, 17:46:25: FETCH - Aussteller: generated by avast! antivirus for SSL/TLS scanning, avast! Web/Mail Shield, avast! Web/Mail Shield Root.
 18.07.2015, 17:46:25: FETCH - TLS-Handshake vollständig
 18.07.2015, 17:46:25: FETCH - Verbunden mit dem POP3-Server
 18.07.2015, 17:46:27: FETCH - bestätigt (Standard)
 18.07.2015, 17:46:27: FETCH - 0 Nachrichten in der Mailbox, 0 neu
 18.07.2015, 17:46:27: FETCH - TLS-Verbindung erfolgreich aufgebaut
 18.07.2015, 17:46:27: FETCH - Verbindung beendet - 0 Nachrichten empfangen
 18.07.2015, 18:01:25: FETCH - Empfange Nachrichten
 18.07.2015, 18:01:25: FETCH - Einleitung TLS-Handshake
!18.07.2015, 18:01:25: FETCH - TLS-Handshakefehler. Nicht unterstütztes Zertifikat
Edited: Peter Schoutz - 18 July 2015 19:05:36
 
No, it's not google that matters, it seems that you have an antivirus that intercepts the traffic.

>18.07.2015, 17:46:25: FETCH - Aussteller: generated by avast! antivirus for SSL/TLS scanning, avast! Web/Mail Shield, avast! Web/Mail Shield Root.
 
  • I am using the 2.12 Version, [...] but works for me all this years and to now I dont had intention of upgrade.
  • But from 14/07/2015 I have a problem with Gmail certificate.
Makes me smile to see someone else using the good old 2.12... I have the same version of TheBat! running for many years and between 13/07/2015 and 15/07/2015 I started to see the very same error message:

FETCH - TLS handshake failure. Unsupported certificate

I use googlemail.com's POP3 to download emails, since IIRC there was some certification issue with IMAP (many years ago)... should that make a difference.

Tried: Options>S/MIME and TLS. Click the radio button Microsoft CryptoAPI ==> failed to work.

Following the above tips installed these certificates in the Address Book (F8, New Contact, if they did not already exist):
  • Equifax_Secure_Certificate_Authority.pem
  • GeoTrust_Global_CA_CER.cer
  • GeoTrust_Global_CA_PEM.pem
  • GeoTrust_Primary_CA.pem
  • GIAG2.crt <-- did not exist
  • oldGIAG2.crt <-- did not exist
  • Root-R1.crt <-- IIRC it was already up to date
I am located in Germany and only use two @googlemail.com accounts. Not the new @gmail.com ones that have apparently recently become possible in Germany as well. I use Microsoft Security Essentials should that suddenly be an issue.

Account set-up in TheBat!:

Send mail
SMTP Server: smtp.gmail.com
Authentication: Perform SMTP Authentication (RFC 2554) and Use settings of Mail Retrieval
Connection: Secure to regular port (STARTTLS)
Port: 587

Receive mail
Mail Server: pop.gmail.com
Authentication: Regular
Protocol: POP3
Connection: Secure to dedicated port (TLS)
Port: 995

I looked through the list of certificates in the Address Book but none of the other ones would specifically have expired in 2015... most are long dead others expire in a few years.

So either something else expired or I am missing some certificate still.

Hope the extra info helps in some way and this can be resolved... thanks.
Edited: Christoph Loewe - 21 July 2015 00:18:59 (Added more details.)
 
Here the log... seems to be exactly the same issue as the initial poster has with the certificate:
Code
 7/13/2015, 15:01:23: FETCH - Initiating TLS handshake
>7/13/2015, 15:01:23: FETCH - Certificate S/N: 028D5AB8E184B4C0, algorithm: RSA (2048 bits), issued from 01 Jul 2015 to 29 Sep 2015, for 1 host(s): pop.gmail.com.
>7/13/2015, 15:01:23: FETCH - Owner: US, California, Mountain View, Google Inc, pop.gmail.com.
>7/13/2015, 15:01:23: FETCH - Issuer: US, Google Inc, Google Internet Authority G2.
 7/13/2015, 15:01:23: FETCH - TLS handshake complete
 7/13/2015, 15:01:23: FETCH - connected to POP3 server
 7/13/2015, 15:01:25: FETCH - authenticated (plain)
 7/13/2015, 15:01:26: FETCH - 3 messages in the mailbox, 3 new
 7/13/2015, 15:01:28: FETCH - 3 messages deleted on server
 7/13/2015, 15:01:28: FETCH - connection finished - 3 messages received

 7/15/2015, 18:03:44: FETCH - receiving mail messages
 7/15/2015, 18:03:44: FETCH - Initiating TLS handshake
!7/15/2015, 18:03:44: FETCH - TLS handshake failure. Unsupported certificate
 7/15/2015, 18:04:05: FETCH - receiving mail messages
 7/15/2015, 18:04:05: FETCH - Initiating TLS handshake
!7/15/2015, 18:04:05: FETCH - TLS handshake failure. Unsupported certificate
 7/15/2015, 18:04:27: FETCH - receiving mail messages
 7/15/2015, 18:04:27: FETCH - Initiating TLS handshake


Things I am wondering about:
  1. Would instead of using POP3 using IMAP make any difference?
  2. Would updating to 6.8.8 (buying the latest version, 64bit) work? (This brings up the issue of 2.12 migration to 6.8.8 and if it is possible to have both versions installed in parallel?)
Any help appreciated.
Edited: Christoph Loewe - 21 July 2015 14:03:35
 
Well... I bit the bullet and got TheBat! 6.8.8 Home (64bit), since I really don't need the Pro version. Installed it in parallel to my v2.12 version. This is possible without issues since 2.12 is 32 bit and uses the Program Files (x86) folder and the new v6.8.8 uses the Program Files folder. On launching TheBat! 6.8.8 immediately recognized all the 2.12 settings and my email accounts and immediately downloaded all my outstanding emails.

If ever a tool deserved updating this one did. Neat. I will finally be able to drag and drop images and send them off... in 2.12 I had issues with that... now to see how the filter system works and what needs to be installed for it.

Thanks to Ritlabs team.
Edited: Christoph Loewe - 21 July 2015 20:30:27
 
To day, here in Argentina the problem persist.
Could any confirm if in another country (Belgium, Germany...) the problem has been fixed?
If in another countries google fixed I wait to the solution arrived here, if the problem persist I think what for me it is time to change my mail client. :(

@Maxim Masiutin : I dont have any antivirus or firewall what interfere with google servers. There is ANY solution to apply for my side o I have to wait to Google change the certificate?

Thanks!
Edited: Juan Pablo - 22 July 2015 18:11:16
 
Juan, I'm still getting the Unsupported Certificate error too.. all the time now, in fact. I'm in Holland.
 
The following three certificates are involved in my failed SSL sessions with pop.googlemail.com:
Code
 Certificate (id-at-commonName=pop.googlemail.com,id-at-organizationName=Google Inc,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)
 serialNumber: -1688114756
 printableString: Google Inc
 printableString: Google Internet Authority G2
 subjectPublicKey: 3082010A0282010100BB3E1E3C22C6FCC804F239C7057ABD...
 dNSName: pop.googlemail.com
 uniformResourceIdentifier: http://pki.google.com/GIAG2.crt
 uniformResourceIdentifier: http://clients1.google.com/ocsp
 SubjectKeyIdentifier: 5528E316CF6D63365E55FC89DDEFA4EC5E274953
 keyIdentifier: 4ADD06161BBCF668B576F581B6BB621ABA5A812F
 uniformResourceIdentifier: http://pki.google.com/GIAG2.crl

 
 Certificate (id-at-commonName=Google Internet Authority G2,id-at-organizationName=Google Inc,id-at-countryName=US)
 serialNumber: 146038
 printableString: GeoTrust Inc.
 printableString: GeoTrust Global CA
 printableString: Google Inc
 printableString: Google Internet Authority G2
 subjectPublicKey: 3082010A02820101009C2A04775CD850913A06A382E0D850...
 keyIdentifier: C07A98688D89FBAB05640C117DAA7D65B8CACC4E
 SubjectKeyIdentifier: 4ADD06161BBCF668B576F581B6BB621ABA5A812F
 cA: True
 KeyUsage: 06 (keyCertSign, cRLSign)
 uniformResourceIdentifier: http://g.symcb.com/crls/gtglobal.crl
 uniformResourceIdentifier: http://g.symcd.com

 
 Certificate (id-at-commonName=GeoTrust Global CA,id-at-organizationName=GeoTrust Inc.,id-at-countryName=US)
 serialNumber: 1227750
 printableString: Equifax
 printableString: Equifax Secure Certificate Authority
 printableString: GeoTrust Inc.
 printableString: GeoTrust Global CA
 subjectPublicKey: 3082010A0282010100DACC186330FDF417231A567E5BDF3C...
 keyIdentifier: 48E668F92BD2B295D747D82320104F3398909FD4
 SubjectKeyIdentifier: C07A98688D89FBAB05640C117DAA7D65B8CACC4E
 cA: True
 KeyUsage: 06 (keyCertSign, cRLSign)
 uniformResourceIdentifier: http://crl.geotrust.com/crls/secureca.crl
 DirectoryString: https://www.geotrust.com/resources/repository
I have downloaded these GIAG2.crl, secureca.crl and gtglobal.crl certificates, but I can't import them in the address book and when I try to convert them at https://www.sslchecker.com/ssl_converter, it doesn't recognize them either, and says that they may be corrupt...

Aaargh!
 
My gmail messages have begun to pour in again!

I have been fiddling a lot with certificates this afternoon.. I'm not sure if that solved it, or if the gmail engineers sorted it on their end. I'm still getting Unsupported Certificate errors too, but many times when I check mail now, it just works.
 
Sorry guys, but looks like internal bug of THEBat.
The Bat cannot use new Google security certificate because parameter Key Usage is set.
Cert without Key Usage is needed from google.
 
Hey guys, I have the same problem, "FETCH - TLS handshake failure. Unsupported certificate". I'm from Hungary, my last downloaded mail is from 29/07/2015, since then I can only check my gmail in the browser.

Any suggestion? I also use Avast, tried to set it off temporary, but nothing has changed.
I use The Bat V4.0.16.2 Pro.
 
I'm using TheBat! 4.0.7 and have the "unsupported certificate" error and can't download email from Gmail since 29/7/15.

Is this the end for TheBat! or is a solution likely?
 
I've been having the same "unsupported certificate" problem with The Bat/gmail for a few weeks. I have been using version 4.x. I have downloaded and installed the latest Bat 6.8.8 and it seems to work just fine and imported my acc'ts and emails without any problems.

If there isn't a solution to be able to fix older Bat versions to deal with this I guess I will have to purchase the latest when the trial expires.

My main concern is that if Bat developers don't want to try and fix older versions then how long will it be before the newest Bat is considered an old version and fixes for that stop as well. I love the Bat and have been using it for many years and have recommended it to a lot of people but this is not making me too happy.
Edited: h bushell - 02 August 2015 17:19:59
 
Maybe I have good news for some of you! :)

I contacted Ritlabs' support and they told me that my v3.64.01 license was valid until version v4.0.38 - and users of that version have reported that it works well with Gmail POP3. So, if I want to, I can upgrade for free to a version that works with Gmail (I may still opt to buy the upgrade to the newest version though. I'm not rich, but the money that I spent on The Bat is futile compared to all the time that it has saved me and all the things that it has enabled me to do).

So, if you registered at the time of v4.0.7 (David) or v4.0.16.2 (Peter) or v4.x (H. Bushell), maybe your license is also valid for v4.0.38, in which case you could still upgrade for free.

The download archive for older versions can be found here (but better check first if your license covers it. Use 'support' in the main menu of this site to ask Ritlabs).
 
Thanks for Julia at The Bat support, my pro version license is valid till The Bat! v5.0.36. I updated to it and it works now!
Pages: 1 2 Next