Author Topic: New AIS 8 and scanning SSL scanning  (Read 16573 times)


Offline sanders

  • Newbie
  • *
  • Posts: 9
Re: New AIS 8 and scanning SSL scanning
« Reply #15 on: March 05, 2013, 09:11:22 AM »
Hi Serge,

It is necessary to have the certificate that was not installed into my system for some reason (and for the worst case it will never be installed by the installer).

Do you mean you have installed "invalid" avast certificate in your system before?

Please could you describe step by step what you did to fix the issue?
Thanks.
« Last Edit: March 05, 2013, 09:17:14 AM by sanders »

Offline BaluBig

  • Newbie
  • *
  • Posts: 12
Re: New AIS 8 and scanning SSL scanning
« Reply #16 on: March 05, 2013, 09:54:46 AM »
Hi sanders,

> Do you mean you have installed "invalid" avast certificate in your system before?

Not sure. I used to use 7.x and have upgraded to 8 using its own program update facility, not the exe installer. I don't know if 7.x uses an installed certificate to handle SSL, just had no problems with it and never looked into the certificate store.

> Please could you describe step by step what you did to fix the issue?

Unfortunately it is not fixed yet as this currently is not a real security issue for me. I'm going to try installing it cleanly.

Btw, I don't think the certificate is unique for each installation. To be trusted by Windows by default it has to be issued and signed by a trusted certification authority, you cannot generate certificates yourself, that is the key point of certification.

Best regards - Serge.
« Last Edit: March 05, 2013, 09:57:03 AM by BaluBig »

Offline dansoftware

  • Newbie
  • *
  • Posts: 8
Re: New AIS 8 and scanning SSL scanning
« Reply #17 on: March 05, 2013, 10:13:03 AM »
> To be trusted by Windows by default it has to be issued and signed by a trusted certification authority, you cannot generate certificates yourself, that is the key point of certification.

The certificate we are talking about here is a certificate authority root (CA root) one. Anybody can generate one: http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/ Windows trusts it if it is added to the certmgr.msc snap-in. This is the root of the problem. The Bat!/Thunderbird thinks that the SSL connection is not secure because it cannot find an appropriate CA root certificate which is used to sign an SMTP/POP3/IMAP certificate.

Offline vojtech

  • Avast team
  • Advanced Poster
  • *
  • Posts: 939
    • ALWIL Software
Re: New AIS 8 and scanning SSL scanning
« Reply #18 on: March 05, 2013, 10:39:03 AM »
Hello,
the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.

Yes, it is unique for each installation.

Offline sanders

  • Newbie
  • *
  • Posts: 9
Re: New AIS 8 and scanning SSL scanning
« Reply #19 on: March 05, 2013, 11:08:34 AM »
> the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.

Vojtech, the Mail shield is running in my avast 8 but the Mail shield root certificate is not in the Windows certificate store.
I updated avast 7 to avast 8 (automatic update, without reinstall) - the problem occurred. And the problem remained after I uninstalled avast with aswclear.exe and installed avast 8 again.
In all cases the Mail shield root certificate is absent from the Windows certificate store.

Offline vojtech

  • Avast team
  • Advanced Poster
  • *
  • Posts: 939
    • ALWIL Software
Re: New AIS 8 and scanning SSL scanning
« Reply #20 on: March 05, 2013, 11:28:30 AM »
Is there any error message in the log file C:\ProgramData\AVAST Software\Avast\log\Mail.log ?

Offline CCCP99

  • Newbie
  • *
  • Posts: 5
Re: New AIS 8 and scanning SSL scanning
« Reply #21 on: March 05, 2013, 11:34:40 AM »
When I upgraded from Avast Version 7 to Avast Version 8 I let the Avast installation routine install the newer version over the previous one. Afterwards I was receiving error messages from my mail client TheBat! while SSL scanning was activated in Avast 8. I looked in the certificates database of Windows to see if the "avast! Mail Scanner Root" certificate was there, but it wasn't. Then I wiped the whole Avast installation. After a restart I deleted the program folders and registry entries. Then I reinstalled Avast 8. Finally the missing certificate was there in the certificates database. After I imported the avast certificate into the address book of TheBat!, I had no more error messages concerning SSL scanning.

Offline CCCP99

  • Newbie
  • *
  • Posts: 5
Re: New AIS 8 and scanning SSL scanning
« Reply #22 on: March 05, 2013, 11:40:35 AM »
@sanders

What does the mail log file in TheBat! say, SSL handshake error or something like that?
That is because TheBat! is missing the avast certificate.
« Last Edit: March 05, 2013, 11:45:13 AM by CCCP99 »

Offline sanders

  • Newbie
  • *
  • Posts: 9
Re: New AIS 8 and scanning SSL scanning
« Reply #23 on: March 05, 2013, 12:46:24 PM »
> Is there any error message in the log file C:\ProgramData\AVAST Software\Avast\log\Mail.log ?

I turned on the "check SSL" option in avast and tried to get new mail from a gmail account with TLS (port 995). What I see in the Mail.log:

3/5/2013        1:44:13 PM      00000B04:   ScanSSL 1
3/5/2013        1:44:13 PM      00000B04:   POPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   POPs RedirectPort: 995
3/5/2013        1:44:13 PM      00000B04:   SMTPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   SMTPs RedirectPort: 465
3/5/2013        1:44:13 PM      00000B04:   IMAPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   IMAPs RedirectPort: 993
3/5/2013        1:44:13 PM      00000B04:   NNTPs Start: 1
3/5/2013        1:44:13 PM      00000B04:   NNTPs RedirectPort: 563


And what I see in the TheBat log:


 05.03.2013, 13:44:23: FETCH - receiving mail messages
 05.03.2013, 13:44:23: FETCH - Connecting to POP3 server pop.googlemail.com on port 995
 05.03.2013, 13:44:23: FETCH - Initiating TLS handshake
>05.03.2013, 13:44:23: FETCH - Certificate S/N: 3B76AC5D0000000068AA, algorithm: RSA (2048 bits), issued from 9/12/2012 11:59:40 AM to 6/7/2013 7:43:27 PM, for 1 host(s): pop.googlemail.com.
>05.03.2013, 13:44:23: FETCH - Owner: US, California, Mountain View, Google Inc, pop.googlemail.com.
>05.03.2013, 13:44:23: FETCH - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!05.03.2013, 13:44:23: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).
 05.03.2013, 13:44:24: FETCH - TLS handshake complete
 05.03.2013, 13:44:24: FETCH - connected to POP3 server
 05.03.2013, 13:44:24: FETCH - authenticated (plain)
 05.03.2013, 13:44:24: FETCH - 0 messages in the mailbox, 0 new
 05.03.2013, 13:44:25: FETCH - TLS connection completed successfully
 05.03.2013, 13:44:25: FETCH - connection finished - 0 messages received

Offline sanders

  • Newbie
  • *
  • Posts: 9
Re: New AIS 8 and scanning SSL scanning
« Reply #24 on: March 05, 2013, 12:49:53 PM »
Yes, I see I need to import the avast certificate into TheBat certificate storage. But the avast certificate is not in the system certificate storage.

Offline CCCP99

  • Newbie
  • *
  • Posts: 5
Re: New AIS 8 and scanning SSL scanning
« Reply #25 on: March 05, 2013, 12:59:04 PM »
> Yes, I see I need to import the avast certificate into TheBat certificate storage. But the avast certificate is not in the system certificate storage.

YES, TheBat! is complaining about the missing certificate!
I could send you mine, but I am not sure if this particular certificate will work for you.
As you can see in TheBat! mail log file, you can still send and receive gmail messages, however with the error messages.

« Last Edit: March 05, 2013, 01:07:39 PM by CCCP99 »
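Added example (not from the thread, Avast or TheBat!): a Python parser for log lines in the format posted in reply #23 that flags the situation noted in reply #25, where the client reports an invalid server certificate yet still completes the login. The function name `audit_sessions`, the second sample session and the host `pop.example.org` are constructed for illustration.

```python
import re

# First session: lines taken from the log in reply #23. Second session: constructed.
SAMPLE_LOG = """\
 05.03.2013, 13:44:23: FETCH - Connecting to POP3 server pop.googlemail.com on port 995
 05.03.2013, 13:44:23: FETCH - Initiating TLS handshake
>05.03.2013, 13:44:23: FETCH - Issuer: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!05.03.2013, 13:44:23: FETCH - TLS handshake failure. Invalid server certificate (The issuer of this certificate chain was not found).
 05.03.2013, 13:44:24: FETCH - TLS handshake complete
 05.03.2013, 13:44:24: FETCH - authenticated (plain)
 05.03.2013, 13:44:25: FETCH - connection finished - 0 messages received
 05.03.2013, 14:02:10: FETCH - Connecting to POP3 server pop.example.org on port 995
 05.03.2013, 14:02:10: FETCH - Initiating TLS handshake
>05.03.2013, 14:02:10: FETCH - Issuer: Example Public CA (constructed).
 05.03.2013, 14:02:11: FETCH - TLS handshake complete
 05.03.2013, 14:02:11: FETCH - authenticated (plain)
 05.03.2013, 14:02:12: FETCH - connection finished - 0 messages received
"""

LINE = re.compile(r"^(?P<flag>[ >!])(?P<ts>\d{2}\.\d{2}\.\d{4}, \d{2}:\d{2}:\d{2}): \w+ - (?P<msg>.*)$")
CONNECT = re.compile(r"Connecting to \w+ server (?P<host>\S+) on port (?P<port>\d+)")

def audit_sessions(log_text):
    """Group log lines per connection and flag logins sent after a failed certificate check."""
    sessions, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        c = CONNECT.search(msg)
        if c:  # a new connection starts a new session record
            cur = {"host": c["host"], "port": int(c["port"]), "issuer": None,
                   "cert_error": None, "authenticated": False}
            sessions.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Issuer: "):
            cur["issuer"] = msg[len("Issuer: "):].rstrip(".")
        elif m["flag"] == "!" and "Invalid server certificate" in msg:
            cur["cert_error"] = msg
        elif msg.startswith("authenticated"):
            cur["authenticated"] = True
    for s in sessions:
        # Credentials went out over a TLS session whose peer could not be verified.
        s["login_after_cert_failure"] = bool(s["cert_error"]) and s["authenticated"]
    return sessions
```

A flagged session means the client could not tell the local scanner's certificate from any other unverified issuer, so the `issuer` field is worth reviewing for every flagged entry.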

Offline vojtech

  • Avast team
  • Advanced Poster
  • *
  • Posts: 939
    • ALWIL Software
Re: New AIS 8 and scanning SSL scanning
« Reply #26 on: March 05, 2013, 01:58:02 PM »
> the Mail shield root certificate is in the Windows certificate store only when the Mail shield is running.

Sorry, I forgot to add that SSL scanning must be enabled too.

Offline sanders

  • Newbie
  • *
  • Posts: 9
Re: New AIS 8 and scanning SSL scanning
« Reply #27 on: March 05, 2013, 02:33:04 PM »
> Sorry, I forgot to add that SSL scanning must be enabled too.

As you see in my avast Mail.log
3/5/2013        1:44:13 PM      00000B04:   ScanSSL 1

the SSL scanning is enabled.

Offline vojtech

  • Avast team
  • Advanced Poster
  • *
  • Posts: 939
    • ALWIL Software
Re: New AIS 8 and scanning SSL scanning
« Reply #28 on: March 05, 2013, 02:48:34 PM »
Did you try to refresh/restart the certmgr after you enabled SSL scanning?

Offline sanders

  • Newbie
  • *
  • Posts: 9
Re: New AIS 8 and scanning SSL scanning
« Reply #29 on: March 05, 2013, 02:53:32 PM »
> Did you try to refresh/restart the certmgr after you enabled SSL scanning?

Nope :-[

I guess I opened certmgr.msc when SSL scanning was disabled. Now I see the cert! :)


Thank you Vojtech!
Now I imported that cert to the TheBat! storage. So I had no more error messages concerning SSL scanning.

Best regards.
« Last Edit: March 05, 2013, 03:09:17 PM by sanders »