Re: TLS Handshake and Certificate problems

[Thomas Fernandez]

Hello Thomas,

On Mon, 13 Apr 2020 23:08:09 +0700 GMT (13-Apr-20, 23:08 +0700 GMT),
Thomas Fernandez wrote:

TF>>> Anyway, I have never used command line parameters. I just added that
TF>>> parameter in the shortcut (with and without blank after ...exe) but
TF>>> Windows complains. What should I do?

>> This one worked for me:

>> "C:\Program Files\The Bat!\thebat64.exe" /tls_disable_ecdhe

>> Hope it helps.

> Yes it did, and guess what: I just downloaded the mails from my Gmail
> account! Thanks.

> Note (FWIW): It works when using the gmail.com servers. On the other
> account, which I set to googlemail.com, TB asked me for the password.
> Of course, I hadn't changed it, but I changed the servers to gmail.com
> and it worked.

When sending, TB sends me a pop-up dialog each and every single time.
I have to click OK, but there is no way that I can say "accept this
cert for good".

Update: I just switched from "Internal Implementation" back to
"Microsoft CryptoAPI", and now the dialog does not appear any more.

--


Cheers,
Thomas.

Message reply created with The Bat! Version 9.1.14 (64-bit)
under Windows 10.0 Build 18362

Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html

Re: TLS Handshake and Certificate problems

[Thomas Fernandez]

Hello David,

On Mon, 13 Apr 2020 09:57:44 -0600 GMT (13-Apr-20, 22:57 +0700 GMT),
David Shepherd wrote:

> Monday, April 13, 2020, 9:39:36 AM, you wrote:

TF>> Anyway, I have never used command line parameters. I just added that
TF>> parameter in the shortcut (with and without blank after ...exe) but
TF>> Windows complains. What should I do?

> This one worked for me:

> "C:\Program Files\The Bat!\thebat64.exe" /tls_disable_ecdhe

> Hope it helps.

Yes it did, and guess what: I just downloaded the mails from my Gmail
account! Thanks.

Note (FWIW): It works when using the gmail.com servers. On the other
account, which I set to googlemail.com, TB asked me for the password.
Of course, I hadn't changed it, but I changed the servers to gmail.com
and it worked.

--


Cheers,
Thomas.

Message reply created with The Bat! Version 9.1.12.1 (BETA) (64-bit)
under Windows 10.0 Build 18362



Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html

Re: TLS Handshake and Certificate problems

[David Shepherd]

Monday, April 13, 2020, 9:39:36 AM, you wrote:


TF> Anyway, I have never used command line parameters. I just added that
TF> parameter in the shortcut (with and without blank after ...exe) but
TF> Windows complains. What should I do?

Hello Thomas,

This one worked for me:


"C:\Program Files\The Bat!\thebat64.exe" /tls_disable_ecdhe

Hope it helps.

Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html

Re: TLS Handshake and Certificate problems

[Thomas Fernandez]

Hello MFPA,

On Mon, 13 Apr 2020 14:41:35 +0100 GMT (13-Apr-20, 20:41 +0700 GMT),
MFPA wrote:

> On Sunday 12 April 2020 at 3:39:44 AM, in
> , Thomas Fernandez wrote:-

>> Interesting, because my error message mentions avast:

>>>[...]
>>>12-Apr-20, 09:31:04: FETCH - Issuer: generated by
>>>avast! antivirus for SSL/TLS scanning, avast! Web/Mail
>>>Shield, avast! Web/Mail Shield Root.

> Avast inserts itself as a proxy or "man in the middle" to be able to
> scan the traffic on SSL/TLS/HTTPS connections. That's why the
> certificate says "generated by avast! antivirus for SSL/TLS scanning".
> That certificate is only used to encrypt the connection from Avast to
> The Bat!. A quick web search on "antivirus tls scanning" suggests that
> AVG and Kapersky do it this way as well

So it is not an avast problem but a TB problem. I think we already
established that.

> Do you get the same if, under Options | S/MIME and TLS..., you tell
> The Bat! to use Microsoft CryptoAPI (Windows Certificate Store)
> instead of Internal Implementation (The Bat! Address Book)?

Yes. I did that some time ago, I forgot the reason. I have now
switched it back to Internal Implementation, but to no avail. Even
after restart of TB, I still get the same error message.

--


Cheers,
Thomas.

Message reply created with The Bat! Version 9.1.12.1 (BETA) (64-bit)
under Windows 10.0 Build 18362



Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html

Re: TLS Handshake and Certificate problems

[Thomas Fernandez]

Hello MFPA,

On Mon, 13 Apr 2020 15:48:02 +0100 GMT (13-Apr-20, 21:48 +0700 GMT),
MFPA wrote:

> On Monday 13 April 2020 at 2:41:35 PM, in
> , MFPA wrote:-

> Never mind what else I wrote. I have a gmail account I rarely use. I
> checked incoming mail and got the "certificate cannot be used for this
> purpose" error message.

I had this error in the beginning. Now it is "TLS protocol error:
Internal error BuildClientKeyExchange."

> The solution that has worked for me for the last ten minutes is to use
> the command line parameter /tls_disable_ecdhe as suggested at
> https://support.google.com/mail/thread/38537691?hl=en#recommended-answers.
> I'll just have to remember to remove the command line parameter when I
> migrate to a TB! version 9.1910 or higher.

In that thread, Max says that the problem is solved in 9.1.10. That is
not the case.

Anyway, I have never used command line parameters. I just added that
parameter in the shortcut (with and without blank after ...exe) but
Windows complains. What should I do?

--


Cheers,
Thomas.

Message reply created with The Bat! Version 9.1.12.1 (BETA) (64-bit)
under Windows 10.0 Build 18362



Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html

Re: TLS Handshake and Certificate problems

[MFPA]

Hi


On Monday 13 April 2020 at 2:41:35 PM, in
, MFPA wrote:-


> Hi

Never mind what else I wrote. I have a gmail account I rarely use. I 
checked incoming mail and got the "certificate cannot be used for this 
purpose" error message.

The solution that has worked for me for the last ten minutes is to use 
the command line parameter /tls_disable_ecdhe as suggested at 
https://support.google.com/mail/thread/38537691?hl=en#recommended-answers. 
I'll just have to remember to remove the command line parameter when I 
migrate to a TB! version 9.1910 or higher.


-- 
Best regards

MFPA  

I'd give my right arm to be ambidextrous.

Using The Bat! Version 8.8.2.5 (BETA) (64-bit) on Windows 10.0 Build 18362  



Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html

Re: TLS Handshake and Certificate problems

[MFPA]

Hi


On Sunday 12 April 2020 at 3:39:44 AM, in
, Thomas Fernandez wrote:-



> Interesting, because my error message mentions avast:

>>[...]
>>12-Apr-20, 09:31:04: FETCH - Issuer: generated by
>>avast! antivirus for SSL/TLS scanning, avast! Web/Mail
>>Shield, avast! Web/Mail Shield Root.

Avast inserts itself as a proxy or "man in the middle" to be able to
scan the traffic on SSL/TLS/HTTPS connections. That's why the
certificate says "generated by avast! antivirus for SSL/TLS scanning".
That certificate is only used to encrypt the connection from Avast to
The Bat!. A quick web search on "antivirus tls scanning" suggests that
AVG and Kapersky do it this way as well

Do you get the same if, under Options | S/MIME and TLS..., you tell
The Bat! to use Microsoft CryptoAPI (Windows Certificate Store)
instead of Internal Implementation (The Bat! Address Book)?

-- 
Best regards

MFPA  

Never interrupt me when I'm trying to interrupt you.

Using The Bat! Version 8.8.2.5 (BETA) (64-bit) on Windows 10.0 Build 18362  



Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html