Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: BaluBig on March 02, 2013, 11:14:06 AM

Title: New AIS 8 and scanning SSL scanning
Post by: BaluBig on March 02, 2013, 11:14:06 AM
Hello,

After upgrading to version 8 my email client started to show certificate errors when using SSL-enabled mail servers, like this:

 02.03.2013, 12:01:23: FETCH - Connecting to POP3 server pop.gmail.com on port 995
 02.03.2013, 12:01:23: FETCH - Initiating TLS handshake
>02.03.2013, 12:01:23: FETCH - Certificate S/N: 3B7494C80000000068A7, algorithm: RSA (2048 bits), issued from 9/12/2012 11:57:23 AM to 6/7/2013 7:43:27 PM, for 1 host(s): pop.gmail.com.
>02.03.2013, 12:01:23: FETCH - Owner: US, California, Mountain View, Google Inc, pop.gmail.com.
>02.03.2013, 12:01:23: FETCH - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!02.03.2013, 12:01:23: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).

Unfortunately the email client I use, TheBat!, has no 'Always trust this' option for this case.

Please advise.

Some system info:
Win 7 x64 Enterprise
AIS 8.0.1482
TheBat! v.5.2.2

Best regards - Serge.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 02, 2013, 04:12:11 PM
Hello,
I have the same problem! I asked support for help but they suggested reinstalling avast. I haven't done that yet because I guess that cannot resolve the problem. I have been using avast 7 for the whole year and SSL scanning worked perfectly.

Best regards.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: CCCP99 on March 02, 2013, 08:57:13 PM
Hello sanders,

so do I, everything worked fine in version 7, now with version 8 only turning off SSL-scanning helps to prevent getting error messages.

Kind regards,
Title: Re: New AIS 8 and scanning SSL scanning
Post by: shotboy on March 03, 2013, 03:53:41 PM
I had the same issue.  I deleted the certificates within Thunderbird for all my mail servers, including IMAP, closed Thunderbird and then restarted.  All appears to be working well with SSL scanning enabled within Avast!  Check out this article for how to delete the certificates.  Strangely, those certificates were grouped under an Avast! header.

http://support.appstate.edu/answers/certificate-error-thunderbird
Title: Re: New AIS 8 and scanning SSL scanning
Post by: dansoftware on March 04, 2013, 07:42:22 AM
Here is the solution to the problem: https://feedback.avast.com/responses/mail-shield-related-ssl-eror-unable-to-get-local-issuer-certificate
Title: Re: New AIS 8 and scanning SSL scanning
Post by: BaluBig on March 04, 2013, 10:07:19 AM
Yes, it used to work for 7.X

I see no Avast certificate installed in my system. Perhaps this is the cause of the problem (btw, solutions for Thunderbird will not work for me, I don't use Thunderbird  :P). Quite probably it will appear after I reinstall AIS cleanly, will try later.

Best regards - Serge.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: dansoftware on March 04, 2013, 11:55:06 AM
> Yes, it used to work for 7.X

The above solution worked under avast! v8.XX for me too.

> Quite probably it will appear after I reinstall AIS cleanly, will try later.

It seems that you have no choice ;)
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 04, 2013, 01:20:15 PM
Hello,
I tried to reinstall AIS (with aswclear.exe)... Unfortunately without effect for SSL and TheBat!  :'(
Title: Re: New AIS 8 and scanning SSL scanning
Post by: BaluBig on March 04, 2013, 02:01:04 PM
> The above solution worked under avast! v8.XX for me too.

Does this mean you see AVAST's certificate installed in your system when using the certmgr.msc snap-in?

> It seems that you have no choice ;)

Actually I do ;) I use two ssl-enabled mail servers, gmail and a corporate one. I trust the antivirus protection on both so currently the "check SSL" option is disabled.

Best regards - Serge.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: dansoftware on March 04, 2013, 02:44:14 PM
> Does this mean you see AVAST's certificate installed in your system when using the certmgr.msc snap-in?

Yes, it does. I exported the certificate from the certmgr.msc snap-in and imported it to The Bat! successfully. There are no more annoying messages and SSL mail checking works well.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: CCCP99 on March 04, 2013, 04:42:43 PM
> Hello,
> I tried to reinstall AIS (with aswclear.exe)... Unfortunately without effect for SSL and TheBat!  :'(

Hello sanders,

after following the above instructions, did you try to import the "avast! Mail Scanner Root"- certificate into the addressbook of TheBat! ?

Cordially,
Title: Re: New AIS 8 and scanning SSL scanning
Post by: dansoftware on March 04, 2013, 05:22:30 PM
The above solution helped me twice already. Here are two screenshots. Sorry for Russian.

This is AVAST's certificate in the certmgr.msc snap-in:
(http://savepic.ru/4251045m.jpg) (http://savepic.ru/4251045.htm)

This is the same certificate imported to The Bat!:
(http://savepic.ru/4237733m.jpg) (http://savepic.ru/4237733.htm)
Title: Re: New AIS 8 and scanning SSL scanning
Post by: BaluBig on March 04, 2013, 08:02:35 PM
So we are getting to the bottom of it  :) Thanks everyone  :)
It is necessary to have the certificate that was not installed into my system for some reason (and in the worst case it will never be installed by the installer).
It would be great if Avast team could make it publicly downloadable.

Best regards - Serge.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: dansoftware on March 05, 2013, 07:29:51 AM
> It is necessary to have the certificate that was not installed into my system for some reason (and in the worst case it will never be installed by the installer).
> It would be great if Avast team could make it publicly downloadable.

Well, I am not sure but it can be unique for each installation.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 05, 2013, 08:57:14 AM
> > Hello,
> > I tried to reinstall AIS (with aswclear.exe)... Unfortunately without effect for SSL and TheBat!  :'(
> after following the above instructions, did you try to import the "avast! Mail Scanner Root"- certificate into the addressbook of TheBat! ?

I can't find the avast certificate in the system storage, so I haven't imported that certificate into TheBat's storage.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 05, 2013, 09:11:22 AM
Hi Serge,

> It is necessary to have the certificate that was not installed into my system for some reason (and in the worst case it will never be installed by the installer).

Do you mean you have installed an "invalid" avast certificate in your system before?

Please could you describe step by step what you did to fix the issue?
Thanks.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: BaluBig on March 05, 2013, 09:54:46 AM
Hi sanders,

> Do you mean you have installed an "invalid" avast certificate in your system before?

Not sure. I used to use 7.x and have upgraded to 8 using its own program update facility, not the exe installer. I don't know if 7.x uses an installed certificate to handle SSL, just had no problems with it and never looked into the certificate store.

> Please could you describe step by step what you did to fix the issue?

Unfortunately it is not fixed yet as this currently is not a real security issue for me. I'm going to try installing it cleanly.

Btw, I don't think the certificate is unique for each installation. To be trusted by Windows by default it has to be issued and signed by a trusted certification authority, you cannot generate certificates yourself, that is the key point of certification.

Best regards - Serge.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: dansoftware on March 05, 2013, 10:13:03 AM
> To be trusted by Windows by default it has to be issued and signed by a trusted certification authority, you cannot generate certificates yourself, that is the key point of certification.

The certificate we are talking about here is a certificate authority root (CA root) one. Anybody can generate one: http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/ Windows trusts it if it is added to the certmgr.msc snap-in. This is the root of the problem. The Bat!/Thunderbird thinks that the SSL connection is not secure because it cannot find an appropriate CA root certificate that was used to sign the SMTP/POP3/IMAP certificate.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: vojtech on March 05, 2013, 10:39:03 AM
Hello,
the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.

Yes, it is unique for each installation.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 05, 2013, 11:08:34 AM
> the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.

Vojtech, the Mail shield is running in my avast 8 but the Mail shield root certificate is not in the Windows certificate store.
I updated avast 7 to avast 8 (automatic update, without reinstall) - the problem occurred. And the problem remained after I uninstalled avast with aswclear.exe and installed avast 8 again.
In all cases the Mail shield root certificate is absent from the Windows certificate store.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: vojtech on March 05, 2013, 11:28:30 AM
Is there any error message in the log file C:\ProgramData\AVAST Software\Avast\log\Mail.log ?
Title: Re: New AIS 8 and scanning SSL scanning
Post by: CCCP99 on March 05, 2013, 11:34:40 AM
When I upgraded from Avast Version 7 to Avast Version 8 I let the Avast installation routine install the newer version over the previous one. Afterwards I was receiving error messages from my mail client TheBat! while SSL scanning was activated in Avast 8. I looked in the Windows certificate database to see whether the "avast! Mail Scanner Root" certificate was there, but it wasn't. Then I wiped off the whole Avast installation. After a restart I deleted the programme folders and registry entries. Then I reinstalled Avast 8. Finally the missing certificate was there in the certificate database. After I imported the avast certificate into the address book of TheBat! I had no more error messages concerning SSL scanning.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: CCCP99 on March 05, 2013, 11:40:35 AM
@sanders

What does the mail log file in TheBat! say, SSL handshake error or something like that?
That is because TheBat! is missing the avast certificate.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 05, 2013, 12:46:24 PM
> Is there any error message in the log file C:\ProgramData\AVAST Software\Avast\log\Mail.log ?

I turned on the "check SSL" option in avast and tried to get new mail from gmail account with TLS (port 995). What I see in the Mail.log:

3/5/2013        1:44:13 PM      00000B04:   ScanSSL 1
3/5/2013        1:44:13 PM      00000B04:   POPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   POPs RedirectPort: 995
3/5/2013        1:44:13 PM      00000B04:   SMTPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   SMTPs RedirectPort: 465
3/5/2013        1:44:13 PM      00000B04:   IMAPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   IMAPs RedirectPort: 993
3/5/2013        1:44:13 PM      00000B04:   NNTPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   NNTPs RedirectPort: 563


And what I see in the TheBat log:


 05.03.2013, 13:44:23: FETCH - receiving mail messages
 05.03.2013, 13:44:23: FETCH - Connecting to POP3 server pop.googlemail.com on port 995
 05.03.2013, 13:44:23: FETCH - Initiating TLS handshake
>05.03.2013, 13:44:23: FETCH - Certificate S/N: 3B76AC5D0000000068AA, algorithm: RSA (2048 bits), issued from 9/12/2012 11:59:40 AM to 6/7/2013 7:43:27 PM, for 1 host(s): pop.googlemail.com.
>05.03.2013, 13:44:23: FETCH - Owner: US, California, Mountain View, Google Inc, pop.googlemail.com.
>05.03.2013, 13:44:23: FETCH - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!05.03.2013, 13:44:23: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).
 05.03.2013, 13:44:24: FETCH - TLS handshake complete
 05.03.2013, 13:44:24: FETCH - connected to POP3 server
 05.03.2013, 13:44:24: FETCH - authenticated (plain)
 05.03.2013, 13:44:24: FETCH - 0 messages in the mailbox, 0 new
 05.03.2013, 13:44:25: FETCH - TLS connection completed successfully
 05.03.2013, 13:44:25: FETCH - connection finished - 0 messages received
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 05, 2013, 12:49:53 PM
Yes, I see I need to import the avast certificate into TheBat certificate storage. But the avast certificate is not in the system certificate storage.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: CCCP99 on March 05, 2013, 12:59:04 PM
> Yes, I see I need to import the avast certificate into TheBat certificate storage. But the avast certificate is not in the system certificate storage.

YES, TheBat! is complaining about the missing certificate!
I could send you mine, but I am not sure if this particular certificate will work for you.
As you can see in TheBat! mail log file, you can still send and receive gmail messages, however with the error messages.

Title: Re: New AIS 8 and scanning SSL scanning
Post by: vojtech on March 05, 2013, 01:58:02 PM
> the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.

Sorry, I forgot to add that SSL scanning must be enabled too.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 05, 2013, 02:33:04 PM
> Sorry, I forgot to add that SSL scanning must be enabled too.

As you see in my avast Mail.log
3/5/2013        1:44:13 PM      00000B04:   ScanSSL 1

the SSL scanning is enabled.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: vojtech on March 05, 2013, 02:48:34 PM
Did you try to refresh/restart the certmgr after you enabled SSL scanning?
Title: Re: New AIS 8 and scanning SSL scanning
Post by: sanders on March 05, 2013, 02:53:32 PM
> Did you try to refresh/restart the certmgr after you enabled SSL scanning?

Nope :-[

I guess I opened certmgr.msc when SSL scanning was disabled. Now I see the cert! :)


Thank you Vojtech!
Now I imported that cert to the TheBat! storage. So I had no more error messages concerning SSL scanning.

Best regards.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: BaluBig on March 05, 2013, 03:17:43 PM
> > the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.
>
> Sorry, I forgot to add that SSL scanning must be enabled too.

TADAM!
It works now. Thanks vojtech!

So the step by step guide for TheBat! users - assuming both Mail Shield and SSL scanning are on:
That's all, now check how TheBat! works with SSL-enabled mail servers.

Best regards - Serge.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: dansoftware on March 05, 2013, 06:29:41 PM
>   • Open TheBat's address book
>   • Make sure the View\Certificate Address Books menu item is checked
>   • Select the Trusted Root CA item in the left list
>   • Create a new contact in the selected address book, the Edit Address Entry window will appear
>   • Fill in First Name, Middle Name, Last Name fields with any data to identify the new record in the list
>   • Switch to the Certificates tab and click the Import button
>   • Import the previously exported certificate. After successful import the imported certificate will appear in the new contact's list
>   • Close the Edit Address Entry window with the OK button

There is no need to create a new contact manually. Use "File -> Import" in the main menu of The Bat!'s address book.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: BaluBig on March 06, 2013, 09:22:47 AM
> There is no need to create a new contact manually. Use "File -> Import" in the main menu of The Bat!'s address book.

Have tried this first. But it says "No addresses were imported" for me. TheBat ver. 5.2.2

Best regards - Serge.
Title: Re: New AIS 8 and scanning SSL scanning
Post by: jjjk on March 27, 2013, 04:51:24 PM
Hi!

I had the same problem (also using The Bat! as my email client) and want to suggest a possible alternative solution.

The suggested solution in this message chain is to export the avast! certificate from the Windows certificate store (where the "internal TLS" implementation cannot find it) and import it into The Bat! address book where it can be found. This will certainly fix the problem, as has been indicated.

Please notice that WITHOUT UNDERSTANDING all the possible implications of this, I simply switched the selection in the The Bat! Options | S/MIME and TLS... dialog from "Internal Implementation (The Bat! Address Book)" to "Microsoft CryptoAPI (Windows Certificate Store)".

I kept all the additional selections in their default values.

With this, the error message and the related error message dialog disappeared:

Account Log Before the change described above:
>3/27/2013, 16:50:49: IMAP  - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!3/27/2013, 16:50:49: IMAP  - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).
 3/27/2013, 16:50:55: IMAP  - TLS handshake complete

Account Log After the change described above:
>3/27/2013, 17:15:48: IMAP  - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
 3/27/2013, 17:15:48: IMAP  - TLS handshake complete

If anyone has any remark about possible negative effects of the selection switch, I would very much like to know!

Jouni
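
Added example, not part of any post in this thread: a small Python parser for The Bat! account-log lines like those quoted above. For each TLS handshake it reports whether the certificate was issued by the local avast! Mail Scanner root and whether the session went on after chain validation failed. The function names, the verdict labels and the embedded sample (lines copied from two of the posted logs) are choices made for this example.

```python
import re

# Issuer name as it appears in the logs in this thread; extend for other local TLS proxies.
INTERCEPTING_ISSUERS = ("avast! Mail Scanner Root",)
# Flag column (' ', '>' or '!'), date in either format seen in the thread, time, protocol, message.
LINE = re.compile(r"^[ >!]?[\d./]+, [\d:]+: \w+\s+- (?P<msg>.*)$")
HOST = re.compile(r"Connecting to \S+ server (?P<host>\S+) on port \d+")
# Constructed sample: lines copied from two of the logs posted in this thread.
SAMPLE = """\
 05.03.2013, 13:44:23: FETCH - Connecting to POP3 server pop.googlemail.com on port 995
>05.03.2013, 13:44:23: FETCH - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!05.03.2013, 13:44:23: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).
 05.03.2013, 13:44:24: FETCH - TLS handshake complete
>3/27/2013, 17:15:48: IMAP  - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
 3/27/2013, 17:15:48: IMAP  - TLS handshake complete
"""


def audit(log_text):
    """Return one finding per TLS handshake in a The Bat! account log."""
    findings, cur = [], {}
    def close(completed):
        if "issuer" in cur or "error" in cur:  # skip connections that logged no TLS details
            issuer = cur.get("issuer", "")
            findings.append({
                "host": cur.get("host"), "issuer": issuer,
                "intercepted": any(n in issuer for n in INTERCEPTING_ISSUERS),
                "chain_error": cur.get("error"), "completed": completed})
        cur.clear()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"].strip()
        if (h := HOST.search(msg)):
            close(False)  # a new connection ends any handshake still pending
            cur["host"] = h["host"]
        elif msg.startswith("Issuer: "):
            if "issuer" in cur:
                close(False)  # the previous handshake never completed
            cur["issuer"] = msg[len("Issuer: "):].rstrip(".")
        elif msg.startswith("TLS handshake failure"):
            cur["error"] = msg
        elif msg == "TLS handshake complete":
            close(True)
    close(False)
    return findings


def verdict(f):
    """'unverified-but-continued': chain validation failed, yet the session went on."""
    if f["chain_error"]:
        return "unverified-but-continued" if f["completed"] else "rejected"
    return "intercepted-and-trusted" if f["intercepted"] else "ok"
```

On the sample, the first handshake is reported as `unverified-but-continued` and the second, logged after the switch to the Windows certificate store, as `intercepted-and-trusted`: the certificate is still the one generated by the Mail Scanner, but the client now finds its issuer.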