Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: vianello_85 on October 13, 2016, 08:59:53 PM

Title: Security certificate revoked but currently valid
Post by: vianello_85 on October 13, 2016, 08:59:53 PM

Although the certificate of OVH provider is valid, it expires in 2018, avast warns me that the certificate is revoked and blocked access to the page.
Both the official website, ovh.com, ovh.it and their support forum is locked because of the revoked certificate.

Attach image with a warning that I will appear in the bottom right.

Avast version: 12.3.2280
Virus definition:  161013-1

Vianello_85

Title: Re: Security certificate revoked but currently valid
Post by: Eddy on October 13, 2016, 09:26:32 PM

There seems to be a problem in the detection of the certificate.
Multiple people have reported it with various sites.

You can test things here > https://www.ssllabs.com/ssltest/

Title: Re: Security certificate revoked but currently valid
Post by: REDACTED on October 13, 2016, 10:02:47 PM

There WAS a problem with GlobalSign certificates, wrongfully revoked:
(But Avast didn't update this information yet !!!)

Read this: https://www.globalsign.com/en/customer-revocation-error/ (https://www.globalsign.com/en/customer-revocation-error/)

Also at their Facebook page: https://www.facebook.com/GlobalSignSSL/posts/1385175904850597 (https://www.facebook.com/GlobalSignSSL/posts/1385175904850597)

Title: Re: Security certificate revoked but currently valid
Post by: Eddy on October 13, 2016, 10:24:34 PM

avast hasn't got to do any updates at all as it isn't avast that is issuing those certificates or install them on the troubled servers.

Quote

However, in the meantime, GlobalSign will be providing an alternative issuing CA for customers to use instead, issued by a different root which was not affected by the cross that was revoked

Quote

We are currently working on the detailed instructions to help you resolve the issue and will communicate those instruction to you shortly

Title: Re: Security certificate revoked but currently valid
Post by: jvidal on October 13, 2016, 10:49:18 PM

I'm having trouble with certificates accessing my hotmail account using POP3, avast claims the cert. is revoked. Could it be related?

Title: Re: Security certificate revoked but currently valid
Post by: Eddy on October 13, 2016, 10:55:01 PM

If they are using a certificate from Globalsign it is almost certain it is.

You can check who the issuer is with https://www.ssllabs.com/ssltest/

Title: Re: Security certificate revoked but currently valid
Post by: jvidal on October 13, 2016, 11:06:18 PM

thx!

Edit: I got "assessment failed: Unable to connect to the server", for pop3.live.com , same result for pop-mail.outlook.com.
(no surprise there, since pop3.live.com is an alias)

I believe there's nothing the users can do to fix this, except wait, right?

BTW, If I uninstall avast, then I can access the server normally, no errors and mails go in and out as usual.

Finally, If I click on the "view" button on the window that pops up when I try to access my hotmail account using Thunderbird, I can see the certificate, is -in fact- issued by Globalsign.

Edit: Clearing the certificate cache doesn't fix it.

Title: Re: Security certificate revoked but currently valid
Post by: Eddy on October 13, 2016, 11:51:20 PM

Indeed, users that are visiting https websites that are using one of the affected certificates from Globalsign can't do anything to prevent the message from showing up.

Only the owners of the servers that are using those certificates can do something about it.

Removing avast will (ofcourse) prevent the message being showed, but that means sites that are using a certificate that really is revoked are not being blocked and that is a security risk.
Within 4-7 days everything should be fine again.

Title: Re: Security certificate revoked but currently valid
Post by: vojtech on October 14, 2016, 10:22:11 AM

Avast Web and Mail Shields use Windows API for verifying certificates, so this description should solve the issue with blocking by avast:
https://support.globalsign.com/customer/portal/articles/1353318

Title: Re: Security certificate revoked but currently valid
Post by: vianello_85 on October 14, 2016, 12:08:06 PM

Quote from: vojtech on October 14, 2016, 10:22:11 AM

Avast Web and Mail Shields use Windows API for verifying certificates, so this description should solve the issue with blocking by avast:
https://support.globalsign.com/customer/portal/articles/1353318

OVH has opened a ticket about the problem with certificates, suggesting the procedure that you have already indicated
http://travaux.ovh.net/?do=details&id=20791&PHPSESSID=cd39ce7f150566f4e1eeee0afedf8061

Title: Re: Security certificate revoked but currently valid
Post by: jvidal on October 14, 2016, 05:17:59 PM

Like I said, clearing the certificate cache, as described in that globalsign article didn't solve anything.
Luckily, Hotmail is working fine again as of today.

Title: Re: Security certificate revoked but currently valid
Post by: vianello_85 on October 14, 2016, 06:13:52 PM

I gave the following commands as an administrator in the dos prompt

Code: [Select]

certutil -urlcache * delete
certutil -urlcache crl delete
but he not totally solved my problem, now ovh.com opens, but not ovh.it

Vianello_85

Title: Re: Security certificate revoked but currently valid
Post by: Eddy on October 14, 2016, 06:17:43 PM

As stated on the Globalsign website, it can take a couple of days before all affected sites are working without a problem again.

Title: Re: Security certificate revoked but currently valid
Post by: vianello_85 on October 15, 2016, 10:01:16 AM

As regards the problem with OVH, the problem is solved

Ciao!

Vianello_85