Unknown CA certificate, How to disable the "Unknown CA certificate window"
 
I work in a Company and don't have control over the IMAP server.

Every time I access the server I get a message window titled "Unknown CA certificate" saying "The server didn't provide a root certificate during the session, and there is no corresponding root certificate in your address book. This connection may not be secure. Please contact your system administrator. Continue anyway?"

If I click OK the email is properly shown and I can download it.

Is there any way to disable the annoying error window? All the other e-mail clients I tried (Netscape, Outlook, Outlook Express, Opera) work fine with my IMAP server without any issue.

FYI, I use a TLS connection (it's the only one my IMAP server works with).

Thanks for your help
 
Isn't there an option to add the certificate to the "trusted" set? I have that option when I see that window. Once you have told TB to trust the certificate it should stop asking.
iviarck
 
Mark,

thank you for your prompt reply.

I do have in the window the option you are mentioning, but unfortunately it is disabled (grayed out), so I can't add the certificate to the trusted set. Also the "view certificate" option is grayed out.

My speculation on the buttons being greyed out is that the server does not even provide a certificate... But, as I was saying, it looks like all the other e-mail clients don't care, while The Bat is picky about it.

Gianluca
 
Mark,

any other suggestion?

Thanks

Gianluca
 
Delete RootCA.EBD and IntermCA.EBD (back up these files) and start TB. Try to connect and then add the certificate to trusted.
 
Hi Sebastian,

thanks for your reply.

I tried to back up the ABD files (I think you misspelled ABD as EBD) and restarted TB, but unfortunately I'm still unable to add the certificate because the "Add to Trusted" button is grayed out...

Thank you anyway

Gianluca
 
Quote
I think you misspelled ABD as EBD
Yes, I use an encrypted database.

Maybe the TLS certificate is wrong. Maybe the date or common name in this certificate is not correct per RFC 2246? Check also Ctrl+Shift+A, maybe you see what's wrong.
 
Sebastian,

the problem is that I suspect my IMAP mail server is not providing a CA certificate AT ALL. Other e-mail clients (Netscape, Eudora, PocoMail, Opera) don't seem to care, but TB does.

Gianluca
 
Does anybody else have any idea?

Gianluca
 
You said
Quote
My speculation on the buttons greyed out is because the server not even provide a certificate

If that's true, turn off SSL / TLS / StartTLS. Clearly, if the server does not provide a certificate, secure communication is not being used.
iviarck
 
Mark,

thank you for the suggestion.

I tried to disable TLS and use both regular and STARTTLS types of connection, but I can't download e-mails. TB hangs in the Connection Centre until a timeout occurs.

TLS is the only connection which works. Also, while connecting through TLS, I tried changing the authentication mode (I tried them all), but the usual "Unknown CA certificate" window always appears.

Is there no way to plan "an improvement" for future TB versions to have the possibility to disable the "Unknown CA certificate" window?

Thanks

Gianluca
 
No, this is not really viable. To use TLS, there must be a valid certificate, otherwise there is no point.

The point of TLS is to encrypt the transfer. To encrypt the transfer a certificate is used. The certificate contains the keys used for encryption.

What you may be able to do is to use regular POP3 and manually set the port number to that of the secure connection - 995.

Try that.
iviarck
 
Marck,

tried it, still the same thing. One thing I noted: the other e-mail clients define SSL as the security protocol to establish with the server (and they do work); TB offers only STARTTLS and TLS (and it doesn't). Maybe this is the issue? Is there any way to set SSL as the security protocol in TB?

Gianluca
 
SSL is a subset of StartTLS and is already defined. I have no idea what the possible use of SSL without a key certificate to manage the encryption would be. It makes no sense. You probably have to raise this as a problem ticket with RITlabs. I've not come across this requirement anywhere else. Perhaps the guys who implemented the protocols may have a better idea about what you're asking for.
iviarck
 
Marck,

I issued ticket #5942 on January 10th. Mr. Alexander Leschinsky was supposed to support me, but I never got a reply by him.

On January 17th I issued ticket #6421 asking help referring ticket #5942. Never got a reply.

On January 19th I enrolled myself in the Forum posting my problem. I have had a prompt support, but unfortunately my problem is still there.

I WOULD LOVE to get Mr. Alexander Leschinsky (or any other guy) getting in touch with me... If you have any suggestion/phone number I can call to get immediate assistance (I mean, a living person to talk directly to) you can e-mail it to me.

Thanks

Gianluca
 
In that case I think you can look on this as something of a "brick wall". Alexander is pretty much "the man". If he doesn't have an answer, then there very likely isn't one.

I'm really sorry to have to be so negative, but I think there's a gap in TB's gullibility that the other software that works on that connection isn't limited by. I stand by my earlier comments that it makes no sense to provide a secure mail service without a certificate for encryption, and I can't quite figure out how the server hoodwinks the others into talking un-encrypted down the encrypted SSL channel like that. TB isn't playing.

I will re-refer your above comments to the ticket system and see if there will be any official comment...
iviarck
 
Hi,

I had a similar problem ... and I resolved it ... it looks simple: find the RootCA of your e-mail server and import it into the Trusted CA address book ...

I found in my account log:
>2005-05-20, 18:40:45: FETCH - Certificate S/N: 035E, algorithm: RSA (1024 bits), issued from 10 maj 2005 to 10 maj 2006, for 1 host(s): poczta.polsl.pl.
>2005-05-20, 18:40:45: FETCH - Owner: poczta.polsl.pl, Centrum Komputerowe, Politechnika Slaska, Gliwice, Slaskie, PL.
>2005-05-20, 18:40:45: FETCH - Issuer: PL, EuroPKI, EuroPKI Polish Certification Authority.
!2005-05-20, 18:40:45: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).

I found on my server (poczta.polsl.pl) info on where to find the CA files. Try to find the appropriate files for your account/server.

I don't know why the buttons are grayed, why TB! doesn't want to import certificates itself ... but as I remember Outlook doesn't do it either. They need to be imported into the Windows store "by hand".

Marcin K.
 
Marcin K. is right.

This problem occurs because The Bat needs a digital certificate to decrypt the public key it receives from the SSL/TLS server.

An SSL/TLS session cannot be initiated unless the public key is decrypted and the digital signature of the issuing Certificate Authority is verified. For that, the corresponding CA's certificate has to be present in the address book. If it's a root certificate, it has to be in the 'Trusted Root CA' address book, but sometimes you may need several certificates including intermediate ones (in the 'Intermediate CA' address book) - if a certificate chain or certification path is used.

So the proper way to deal with this problem is not to disable the warning window, but to go to the CA's website and import the proper certificates into the address book. The account log will show which CA the TLS server's certificate is issued by.
 
that's it - as the log said: "...server didn't provide a root certificate during the session..."

AFAIK the root certificate is often "chained" into the server certificate - this way you can easily check it and add it to your base

if not, you have to manually get the root certificate of the Issuer (!) - so that line is particularly important...
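The two posts above describe the same check in words: read the Owner and Issuer lines from the account log, then see whether the issuer is already in the Trusted Root CA or Intermediate CA address book, whether the server sent its own root (so "Add to Trusted" would work), or whether the issuer's certificate has to be fetched from the CA. The following is an added example, not code from the thread or from RITlabs: it parses log lines in the format of the four lines Marcin K. quoted (embedded here so it runs offline) and walks a chain given as (subject, issuer) name pairs. The function names `parse_account_log`, `check_chain` and `diagnose` and the status labels are my own; The Bat! exposes no such API.

```python
import re

# The four account-log lines quoted in Marcin K.'s post, embedded as sample input.
SAMPLE_LOG = """\
>2005-05-20, 18:40:45: FETCH - Certificate S/N: 035E, algorithm: RSA (1024 bits), issued from 10 maj 2005 to 10 maj 2006, for 1 host(s): poczta.polsl.pl.
>2005-05-20, 18:40:45: FETCH - Owner: poczta.polsl.pl, Centrum Komputerowe, Politechnika Slaska, Gliwice, Slaskie, PL.
>2005-05-20, 18:40:45: FETCH - Issuer: PL, EuroPKI, EuroPKI Polish Certification Authority.
!2005-05-20, 18:40:45: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).
"""

# "Owner:" / "Issuer:" lines; the trailing period is dropped from the captured name.
FIELD_RE = re.compile(r"^[>!].*?: FETCH - (Owner|Issuer): (.+?)\.?$", re.MULTILINE)
# The failure reason in parentheses on a "!" (error) line.
FAILURE_RE = re.compile(r"^!.*?Invalid server certificate \((.+?)\)", re.MULTILINE)


def parse_account_log(text):
    """Return {'owner': ..., 'issuer': ..., 'failure': ...} from log lines in the quoted format."""
    fields = {kind.lower(): value for kind, value in FIELD_RE.findall(text)}
    failure = FAILURE_RE.search(text)
    fields["failure"] = failure.group(1) if failure else None
    return fields


def check_chain(chain, trusted_roots, intermediates=()):
    """Walk from the server (leaf) certificate towards a root.

    chain         - (subject, issuer) pairs the server sent, leaf first
    trusted_roots - subject names in the Trusted Root CA address book
    intermediates - (subject, issuer) pairs in the Intermediate CA address book

    Returns (status, name):
      ('trusted', root)          chain anchors in the trusted root store
      ('untrusted_root', name)   server sent a self-signed root that is not yet trusted
      ('missing_issuer', name)   nobody (server or address book) has this issuer's certificate
    """
    by_subject = {subj: iss for subj, iss in list(chain) + list(intermediates)}
    subject, issuer = chain[0]
    seen = set()
    while True:
        if subject in seen:                # malformed chain that cycles; stop rather than loop forever
            return ("loop", subject)
        seen.add(subject)
        if subject in trusted_roots:
            return ("trusted", subject)
        if issuer in trusted_roots:
            return ("trusted", issuer)
        if subject == issuer:              # self-signed: this is a root, just not a trusted one
            return ("untrusted_root", subject)
        if issuer not in by_subject:       # next link is neither sent by the server nor stored locally
            return ("missing_issuer", issuer)
        subject, issuer = issuer, by_subject[issuer]


def diagnose(log_text, trusted_roots, intermediates=()):
    """The log shows only the leaf, so start the walk from its Owner/Issuer pair."""
    info = parse_account_log(log_text)
    if "owner" not in info or "issuer" not in info:
        return ("no_certificate", None)    # nothing to walk: no certificate lines in the log
    return check_chain([(info["owner"], info["issuer"])], trusted_roots, intermediates)


ADVICE = {
    "trusted": "chain is anchored in the Trusted Root CA address book; no import needed",
    "untrusted_root": "server sent its root; add it to the Trusted Root CA address book",
    "missing_issuer": "fetch this issuer's certificate from the CA and import it",
    "no_certificate": "no certificate fields found in the log",
    "loop": "chain is malformed (issuer cycle)",
}

if __name__ == "__main__":
    status, name = diagnose(SAMPLE_LOG, trusted_roots=set())
    print(f"{status}: {name}\n-> {ADVICE[status]}")
```

Running it on the embedded log with an empty trusted store reports `missing_issuer` for "PL, EuroPKI, EuroPKI Polish Certification Authority", which is the line Marcin K. says to look at; adding that name to `trusted_roots` turns the result into `trusted`.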
 
Hi

I have a similar problem, except that my mail provider DOES have the root certificate, and I have imported it into The Bat!, plus I put it into the Trusted Root address book. Now when I go to Account/Properties/Personal Certificates/View it says "The certificate is valid". Still, when I want to send a mail, I get the "The server didn't provide a root certificate during ... etc blah blah", the two buttons greyed, and when I say "YES, I want to continue" then the mail is sent.

Curiously, I see no possibility to input the fingerprint - although this might be the clue. In Pegasus Mail I was ONLY prompted for the digital fingerprint, and then it was able to send my mails with no problem.

Please help. I do not want to switch to Pegasus mail... Thanks!

Gabi
 
The certificate is probably valid but you simply don't have the root CA in your trusted root store.

The Bat is rather stubborn with that problem: you need to work around a bug in order to get the CA into the collection.

First, you need the root certificate and all intermediate certificates (if any).

Then, you need to work around an old bug in The Bat: In order to see the list of certificates, you need to go to the "options" menu and select the "S/MIME" entry. There, select "internal implementation". Validate and re-start the bat.

Now, open your Address book: you'll see two new folders: Intermediate CA and Trusted Root CA. You need to create a new contact for each intermediate and root CA certificate you have and, in the certificate tab, import the certs you got from your mail server.

Once you've done this, close the address book, change the S/MIME option back to CryptoAPI and restart The Bat: it should now work properly.

One word of caution, though: getting a root CA from a third party is NOT something to do without careful consideration. If your mail server is from your company, then it's probably ok. If it's from a third party, you should go back to them and recommend that they invest in a real certificate.
 
Thanks a lot, Stephane.
But it does not help... The CA root certificate is sitting in the address book (Trusted Root), it is valid, everything seems OK as long as I do not try to send a message... Because then I just meet the "usual" message...
Strange.
Might you please have a look at the certificates?
They are here:
http://www.ca.niif.hu/rootkey.htm
Should I download only one of them or all? Where can I input the fingerprint?

Is it easier to solve this problem with the newest TB! version?

Thanks a lot!
 
Hi, I have the same problem as you all:

View Certificate and
Add to Trusted

disabled

And the certificate is already in the trusted ones because I'm talking about the Gmail one.

So, the certificate is trusted, is in list, I can download email as well, but every time I have to say OK to that window to go on.

Any idea?

Thanks
 
Hi Giulia

I posted this error message, and after some time it was assigned as "not a bug"... So, what can I do??? Press "Yes" all the time... Otherwise TB is the best e-mail client ever, I have tested several others, no alternative (if somebody knows an equally good one, please let me know asap!!!)...
 
I'm having this problem again. Annoying pop-up that "The server didn't provide a root certificate during the session, and there is no corresponding root certificate in your address book".

I downloaded the root certificate from the issuer CA's website and imported it into the Trusted Root CA address book. It did not help this time :(

I think I know what the problem is. When I click on the properties of the entry (in Trusted Root CA Address Book), go to "Certificates Tab", click "View" certificate, it says:

The Bat can use this certificate for:
message encryption - no,
verifying digital signature of a message - no,
TLS connections - no.

I need to make The Bat use this certificate for TLS connections. How can I do that?

Under "Certification path" there is a button "Add to Trusted" which is always grayed out.