Digital Signatures are marked as not valid in TB 115.1.0 (64-bit) Windows

  • 7 replies
  • 3 have this problem
  • 136 views
  • Last reply by christ1

In TB 115.1.0 (64-bit) on Windows digital signatures are marked as not valid for an unknown reason. This happens at least with emails sent from Outlook clients. In TB 102.14.0 (64-bit) on Windows these digital signatures were shown as valid. However, digital signatures of emails sent from other clients (e.g. Thunderbird, Nine from 9folders) are shown as valid.

All replies (8)

I have to wonder if it is the email that is not valid as per the discussion here https://thunderbird.topicbox.com/groups/e2ee/T73970314d54cdfdb-Me264daf5de25d4c964ff3462

The sent and received emails are exactly the same (despite the additional headers "Received: from ..."). My issue is with validating the signature of received emails.

It looks like you're having an issue with digital signatures not being recognized as valid in Thunderbird 115.1.0 on Windows, especially with emails sent from Outlook clients. It's great that you've noticed this change from Thunderbird 102.14.0. This could be due to changes in how digital signatures are handled in the newer version. To troubleshoot, try checking Thunderbird's security settings and ensure that any required certificates are installed and up-to-date. Remember, digital signature verification involves a complex process, so a little digging might be needed to pinpoint the issue.

The certificates are installed and up-to-date and the security settings are the same on both versions. In the meantime I tried with an encrypted message which I sent to myself. Decrypting worked, but the error message for the signature now says that "The message was signed using an encryption strength that this version of your software does not support."

I use an RSA key with key size 2048, signature algorithm SHA-256 with RSA Encryption Version 3.

Is there anything related in the Error Console (CTRL-Shift-J)?

The error console shows only some warnings about ignored declarations like "mso-style-type" etc.

I did some further testing with the hash algorithms in Outlook and I saw that the signatures of emails using SHA-256, SHA-384 and SHA-512 for signing are validated by Thunderbird 115.1.0.

The problem exists only for signatures when Outlook uses the SHA-1 for signing, which unfortunately seems to be the default.

> The problem exists only for signatures when Outlook uses the SHA-1 for signing, ...

See https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

> ... which unfortunately seems to be the default.

I don't know whether SHA-1 signatures are the default for Outlook, but it's certainly configurable. Having said that, I do find Outlook's S/MIME handling very weird to say the least. And it often does not find a recipient's certificate for encryption, even though it's clearly there.

Chosen solution

Slightly more updated info at https://blog.thunderbird.net/2023/10/thunderbird-115-and-signatures-using-the-obsolete-sha-1-algorithm/

Basically can still accept SHA-1 signatures if you have to by setting mail.smime.accept_insecure_sha1_message_signatures to true in the Config Editor.

Would be nice if we could still see the signer's certificate as we can with all other signature errors (e.g. changed content by an intermediate server, sender address mismatch, etc) but that would be a bug report.

Modified by velosol
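
An added example, not part of the thread and not Thunderbird code: a Python script that reads the `micalg` parameter of detached (multipart/signed) S/MIME messages and lists the senders whose signatures declare SHA-1, so they can be asked to switch Outlook to SHA-256 instead of enabling the insecure preference on every receiving client. `micalg` is only the sender's declared hint, not the digest verified inside the CMS signature; the function names are hypothetical and the sample messages and addresses are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

SMIME_SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def declared_digests(raw):
    """Return the micalg values a detached S/MIME signature declares.

    None means the message is not multipart/signed S/MIME (unsigned, or
    opaque application/pkcs7-mime, which carries no micalg parameter).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return None
    if str(msg.get_param("protocol", "")).lower() not in SMIME_SIG_TYPES:
        return None
    micalg = str(msg.get_param("micalg", ""))
    # Normalise "SHA1", "sha-1", "sha1" to one spelling; micalg may be a list.
    return [m.strip().lower().replace("-", "") for m in micalg.split(",") if m.strip()]

def sha1_senders(messages):
    """Sorted sender addresses whose signed mail declares SHA-1 as digest."""
    found = set()
    for raw in messages:
        digests = declared_digests(raw)
        if digests and "sha1" in digests:
            sender = email.message_from_bytes(raw, policy=policy.default)["From"]
            found.add(parseaddr(str(sender))[1].lower())
    return sorted(found)

def _sample(sender, micalg):
    # Constructed test message; the signature part is a placeholder, not real CMS.
    return (
        f"From: {sender}\n"
        "Subject: test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";\n'
        f' micalg={micalg}; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nhello\n"
        "--b1\nContent-Type: application/x-pkcs7-signature\n\n(placeholder)\n--b1--\n"
    ).encode()

SAMPLES = [
    _sample("Alice <alice@example.com>", "SHA1"),
    _sample("bob@example.org", "sha-256"),
    b"From: carol@example.net\nContent-Type: text/plain\n\nunsigned\n",
]

if __name__ == "__main__":
    print(sha1_senders(SAMPLES))
```
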