
Talk Talk's mail server intermediate certificates have expired

Popular Poster

I'm seeing certificate errors when checking email.  I went to check the certificate and find that, although the actual server certificate for mail.talktalk.net is valid, its two intermediate certificates have expired.  Details copied from:

https://www.sslshopper.com/ssl-checker.html#hostname=mail.talktalk.net:993

 

Community Star

Hi @alexpresland 

 

Are you using a legacy mail domain? For example, onetel.com?

 

I see what you're saying about the expired certificates but they're redundant I believe.

 Gondola - Volunteer 2017-2020

To appreciate my help . . . If I offered a solution Best Answer

First Timer

Could be that the mail client software / operating system is out of date:

calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020

 

Popular Poster
They are far from redundant. Intermediate certificates are essential to proving a trust path back to a Root CA.
See https://knowledge.digicert.com/solution/SO16297.html for a fuller explanation.

The trust path has no relevance as to whether a certificate is for one FQDN or many. This one just happens to include many.
Community Star

Hi alexpresland 

 

I believe the expired certificates are redundant.

 

My reason for mentioning a legacy domain was just to get you to say whether you're using an old domain and perhaps an old computer system that isn't up to date on security.

 

I'm fully expecting to see users with out of date / no security for email connections saying their email isn't working. We'll have to see how many users experience any issues.

 

Most users will see no problem as the redundant certificates are simply ignored.

 Gondola - Volunteer 2017-2020

Community Star

Hi @savam 

 

Yes, you're right on the money. There are inevitably users with out of date email client software.

 Gondola - Volunteer 2017-2020

Popular Poster

I'm not running any out of date email clients and haven't complained that I'm unable to collect email.  All I stated was that the intermediate certificates on (and being served up by) TalkTalk's email servers have expired. I find it strange that you've incorrectly jumped to the conclusion that my client or openssl version is out of date.

 

For avoidance of doubt:

$ openssl version
OpenSSL 1.1.1g 21 Apr 2020
$

 

There are a few things here:

1) The fact that TalkTalk's mail servers are configured with expired intermediate certificates. My experience of configuring many webservers & email servers (before the days of Let's Encrypt made it significantly easier for all) is that you often need to configure an intermediate certificate or two.  I'm saying that, despite the cross-signing, TalkTalk should update the intermediate certificate(s) that it presents with the valid intermediate certificate downloadable from https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO

2) The fact that a third-party SSL Checker is saying that all is not right... despite confirming that the trust chain correctly validates back to a valid root CA

3) And then if I browse to https://mail.talktalk.net from Google Chrome (83.0.4103.61) on my fully-patched, fully updated Windows 10 PC (updated to "Version 2004 (OS Build 19041.264)" the other night) it also tells me that this certificate is not secure... but that's broken for a different reason... while also needing an updated intermediate certificate.


 

Here's the full output from TalkTalk's mail server.  I'll let you decode the certificates yourself:

alex@server:~$ openssl s_client -showcerts -connect mail.talktalk.net:993 -servername mail.talktalk.net
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = GB, postalCode = WA3 7BH, ST = Cheshire, L = Warrington, street = Birchwood, street = Garrett Field, street = Stanford House, O = TalkTalk Communications Limited, OU = Hosted by TalkTalk Communications Limited, OU = Unified Communications, CN = mail.talktalk.net
verify return:1
---
Certificate chain
 0 s:C = GB, postalCode = WA3 7BH, ST = Cheshire, L = Warrington, street = Birchwood, street = Garrett Field, street = Stanford House, O = TalkTalk Communications Limited, OU = Hosted by TalkTalk Communications Limited, OU = Unified Communications, CN = mail.talktalk.net
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
 1 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
subject=C = GB, postalCode = WA3 7BH, ST = Cheshire, L = Warrington, street = Birchwood, street = Garrett Field, street = Stanford House, O = TalkTalk Communications Limited, OU = Hosted by TalkTalk Communications Limited, OU = Unified Communications, CN = mail.talktalk.net

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 8564 bytes and written 477 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3959B167A39DB01CAE3874788E2C1DBC21DDAF49E87F5DBEBD93515F94F0F38B
    Session-ID-ctx:
    Master-Key: 04128CAD9967B2F8F56ACDE0E92B846A416B493E9664F6D05DEE380EAD62B03792181669B6ED8813D96A7EAD1E7DCFA1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1590924366
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS NAMESPACE QUOTA AUTH=PLAIN] Ready
QUIT
DONE
alex@server:~$ openssl version
OpenSSL 1.1.1g  21 Apr 2020
alex@server:~$
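
Added example, not part of the original post: a small Python audit of the "Certificate chain" listing that `openssl s_client -showcerts` prints, showing the order in which the server sent its certificates and which of them a client actually needs. It matches certificates by subject/issuer name only; the sample text, the function names and the contents of the trust store are assumptions made for this illustration.

```python
import re

# Constructed sample: the "Certificate chain" listing from the s_client output
# in the post above, with each DN shortened to its CN.
SAMPLE = """\
Certificate chain
 0 s:CN = mail.talktalk.net
   i:CN = Sectigo RSA Organization Validation Secure Server CA
 1 s:CN = AddTrust External CA Root
   i:CN = AddTrust External CA Root
 2 s:CN = USERTrust RSA Certification Authority
   i:CN = AddTrust External CA Root
 3 s:CN = Sectigo RSA Organization Validation Secure Server CA
   i:CN = USERTrust RSA Certification Authority
---
"""
ENTRY = re.compile(r"^[ \t]*(\d+) s:(.*)\n[ \t]+i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for _, s, i in ENTRY.findall(text)]

def audit(chain, trusted=frozenset()):
    """Name-based audit; signatures and validity dates are not checked."""
    if not chain:
        return dict(misordered=[], roots_sent=[], path=[], unused=[])
    # TLS 1.2 (RFC 5246, 7.4.2): each certificate must certify the one before it.
    misordered = [k for k in range(len(chain) - 1) if chain[k][1] != chain[k + 1][0]]
    # Self-signed roots in the served list; clients rely on their own store.
    roots_sent = [k for k, (s, i) in enumerate(chain) if k > 0 and s == i]
    # Walk from the leaf, stopping once the issuer is a locally trusted anchor.
    path, k = [0], 0
    while chain[k][1] not in trusted and chain[k][0] != chain[k][1]:
        nxt = [j for j, (s, _) in enumerate(chain)
               if s == chain[k][1] and j not in path]
        if not nxt:
            break
        k = nxt[0]
        path.append(k)
    unused = [j for j in range(len(chain)) if j not in path]
    return dict(misordered=misordered, roots_sent=roots_sent, path=path, unused=unused)

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    # Assumption: the local store holds a USERTrust root under this name,
    # consistent with the depth=2 line of the verify output in the post.
    store = {"CN = USERTrust RSA Certification Authority"}
    print(audit(chain))         # no local anchor: all four entries are walked
    print(audit(chain, store))  # with the anchor: entries 1 and 2 go unused
```

The listing carries no validity dates, so expiry still has to be read from each PEM block, for example with `openssl x509 -noout -enddate`.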

 

 

 

 

Philosopher

@alexpresland 

This is StephenF's reply to me when I reported Expired Certificate messages I was getting.

 

"our certificate is and always has been valid and for some time, the community domain one was actually renewed on the 1st May. The alerts you saw from your own 3rd party software on the 13th were clearly false."

 

 

https://community.talktalk.co.uk/t5/Broadband/This-sites-expired-certificate/m-p/2542279#M773078

In case you have forgotten the Do’s and Don’ts. There are members that have. Remember:- Be yourself and tell it like it is. Be courteous to other customers. Give others the benefit of the doubt. Update your community profile. The Forum Guidelines apply to ALL members; there are/should be NO exceptions.
Popular Poster

@l8this Thanks for that.  I've run that one through the same checks and it looks good now.  Sorry that I didn't see the post at the time that you were having the issue.

https://www.sslshopper.com/ssl-checker.html#hostname=community.talktalk.co.uk

Community Star

Hi alexpresland 

 

Allow me to thank you for the heads up.

 

Strange that you conclude I think you're running out of date clients et al. If you actually read you'll see I asked you to respond with what you were using and said "Most users will see no problem as the redundant certificates are simply ignored."

 

So I'm pleased you have no problem.

 

Read what Sectigo say.

 Gondola - Volunteer 2017-2020

Popular Poster

@Gondola wrote:

Strange that you conclude I think you're running out of date clients et al. If you actually read you'll see I asked you to respond with what you were using and said "Most users will see no problem as the redundant certificates are simply ignored."

My comment "I'm not running any out of date email clients and haven't complained that I'm unable to collect email." was in response to your "There are inevitably users with out of date email client software."

 

I had indeed read what Sectigo said on the page that you linked.  The page says, under FAQs and the question "Do I need to reissue or reinstall my certificate?", that "You can choose to stop installing the cross-certificate on your servers if you wish. Should you need legacy compatibility after the AddTrust expiry we have a replacement cross-certificate that you can install on your servers in place of the AddTrust cross-certificate".  This confirms to me that, when the certificate was updated in May 2019, the old intermediate certificate should have been removed and (optionally) the replacement intermediate certificate installed.

 

I find the tone of your reply "If you actually read"... in breach of the community guidelines (the ones which appear every time we reply) because it is not respectful.  I did read and understand what you wrote.

 

 

Philosopher

@alexpresland  thanks for your reply, had TT reacted within the first couple of days of my reports then the result could well be different, in that there was an expired certificate. I have bookmarked that link to sslshopper for future use.

 

Cheers

Community Star

Hi @alexpresland and @I8this 

 

Thank you for your further contributions to Community.

 

@StephenF please review.

 Gondola - Volunteer 2017-2020

Philosopher

@alexpresland 

Have you seen these topics?

 

https://community.talktalk.co.uk/t5/Email-Webmail/Mail-can-t-verify-the-identity-of-the-server-quot-...

 

https://community.talktalk.co.uk/t5/Email-Webmail/Tiscali-email-account-problems-with-access-on-Mail...

 

https://community.talktalk.co.uk/t5/Email-Webmail/mail-talktalk-net-certificate-has-invalid-issuer/m...

 

 

Popular Poster

@I8this 

Looks like the same issue to me.  @StephenF do you have any update on your and your colleagues' investigations into this please?
 
Popular Poster
Solution

Despite no update on this post, I've just had a look at https://www.sslshopper.com/ssl-checker.html#hostname=mail.talktalk.net:993 again.  It looks like the certificate was fixed on 1 June 2020, and now has a completely valid certification chain.

 

@StephenF  / @Gondola this message thread can now be closed, if you are able to please.