TLS handshake: Bad certificate - how to solve?

  • 7 replies
  • 1 has this problem
  • 1 view
  • Last reply by Warren

more options

Hi, I am trying to access my email on an IMAP mail server running Dovecot v2.3.7.2. It works just fine with any other email client I have tried, such as Outlook, Bluemail, Claws, ...

However, when accessing my email through Thunderbird, it just says "Connecting to... " in the bottom status bar and nothing ever happens - I do not get an error message or any other kind of status update.

In dovecot's mail.log I get these error messages though:

Nov 21 07:55:21 hostxyz dovecot: master: Dovecot v2.3.7.2 (3c910f64b) starting up for imap (core dumps disabled)
Nov 21 08:03:46 hostxyz dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.0.0.2, lip=192.168.0.120, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<Kt6V8kfRD4EKAAAC>

Note that there is a valid non-self-signed server side certificate installed on the mail server. As I don't have a problem accessing email through other clients I assume that something is wrong with my configuration of Thunderbird. Could you please highlight how to configure Thunderbird to make it work again?

All Replies (7)

more options

Hello, maybe you have to import the server's certificate into your Thunderbird, or you have to declare an exception. Options -> Safety -> Certificates

more options

I also have this problem with a CA, server cert, client cert and Dovecot. I have generated them using xca and can post the certs and keys if required.

I'm happy to try anything - even nightlies :)

You can't import a certificate into server certificate tab without calling a server.

For the client to fail like this without a word is frustrating - because you have to debug the server to find out what was wrong with Thunderbird.

I tried imap:server:993 in the location box - but it won't load it, and you can't upload one manually into that dialog box.

You can only import your own certificates/keys and CA certificates.


SeaMonkey seems to have worked and Fairmail (Android) works.

ii dovecot-core 1:2.3.4.1-5+deb10u6 amd64 secure POP3/IMAP server - core files

Thunderbird 91.6.0 (64-bit)

Using dovecot ssl_min_protocol = TLSv1.2 and all other default.

Debug: SSL: where=0x10, ret=1: before SSL initialization
Debug: SSL: where=0x2001, ret=1: before SSL initialization
Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Debug: SSL: where=0x2001, ret=1: before SSL initialization
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate request
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Debug: SSL: where=0x10, ret=1: before SSL initialization
Debug: SSL: where=0x2001, ret=1: before SSL initialization
Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Debug: SSL: where=0x2001, ret=1: before SSL initialization
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate request
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Debug: SSL: where=0x2002, ret=-1: error
Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Disconnected (no auth attempts in 1 secs): user=<>, rip=10.8.0.10, lip=10.8.0.1, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<Bbx/lCzYvIYKCAAK>

more options

Is there anything related in the TB error console (Ctrl-Shift-J)?

more options

Ok - I finally found a log mechanism - https://searchfox.org/comm-central/search?q=LazyLogModule

export MOZ_LOG_FILE=/tmp/imap.log
export MOZ_LOG=pipnss:5

And snarfed the log - but I can't upload it so I'll just paste it in here.

Arrrh -- Ensure this value has at most 10000 characters (it has 10081). :)

more options

[Parent 1229825: Main Thread]: D/pipnss nsNSSComponent::ctor
[Parent 1229825: Main Thread]: D/pipnss Beginning NSS initialization
[Parent 1229825: Main Thread]: D/pipnss nsNSSComponent::InitializeNSS
[Parent 1229825: Main Thread]: D/pipnss NSS Initialization beginning
[Parent 1229825: Main Thread]: D/pipnss NSS profile at '/home/wozza/.thunderbird/uqeiznj0.default'
[Parent 1229825: Main Thread]: D/pipnss not setting NSS_SDB_USE_CACHE
[Parent 1229825: Main Thread]: D/pipnss inSafeMode: 0
[Parent 1229825: Main Thread]: D/pipnss initialized NSS in r/w mode
[Parent 1229825: Main Thread]: D/pipnss NSS Initialization done
[Parent 1229825: Main Thread]: D/pipnss nsNSSComponent: adding observers
[Parent 1229825: Main Thread]: D/pipnss nsNSSComponent::MaybeEnableIntermediatePreloadingHealer
[Parent 1229825: StreamTrans #1]: D/pipnss loaded CKBI from /usr/lib/x86_64-linux-gnu
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfb910] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfb910] Socket set up
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfb910] connecting SSL socket
[Parent 1229825: Socket Thread]: E/pipnss [7fb8b9bfb910] Lower layer connect error: -5934
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbdf0] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbdf0] Socket set up
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbdf0] connecting SSL socket
[Parent 1229825: Socket Thread]: E/pipnss [7fb8b9bfbdf0] Lower layer connect error: -5934
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] Socket set up
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] connecting SSL socket
[Parent 1229825: Socket Thread]: E/pipnss [7fb8ccb89550] Lower layer connect error: -5934
[Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfbdf0] read -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] read -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89400] starting AuthCertificateHook
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89400] starting AuthCertificateHookInternal
[Parent 1229825: SSL Cert #1]: D/pipnss [7fb8ccb89400] SSLServerCertVerificationJob::Run
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] polling SSL socket during certificate verification using lower 5
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] polling SSL socket during certificate verification using lower 6
[Parent 1229825: Socket Thread]: D/pipnss AuthCertificate setting NEW cert 7fb8b28e6e20
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89400] HandshakeCallback: succeeded using TLS version range (0x0301,0x0304)
[Parent 1229825: Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] nsNSSSocketInfo::NoteTimeUntilReady
[Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] nsNSSSocketInfo::SetHandshakeCompleted
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote 137 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] read -1 bytes
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbc10] starting AuthCertificateHook
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbc10] starting AuthCertificateHookInternal
[Parent 1229825: SSL Cert #1]: D/pipnss [7fb8b9bfbc10] SSLServerCertVerificationJob::Run
[Parent 1229825: SSL Cert #1]: D/pipnss [0x7fb8b9bfbc10] Certificate error was not overridden
[Parent 1229825: Main Thread]: D/pipnss FindClientCertificatesWithPrivateKeys
[Parent 1229825: Main Thread]: D/pipnss module 'NSS Internal PKCS #11 Module'
[Parent 1229825: Main Thread]: D/pipnss slot 'NSS Internal Cryptographic Services'
[Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot)
[Parent 1229825: Main Thread]: D/pipnss slot 'NSS User Private Key and Certificate Services'
[Parent 1229825: Main Thread]: D/pipnss (looking at internal slot)
[Parent 1229825: Main Thread]: D/pipnss provisionally adding 'E=warren@itcl.com.au,CN=warrenc5'
[Parent 1229825: Main Thread]: D/pipnss module 'Builtin Roots Module'
[Parent 1229825: Main Thread]: D/pipnss slot 'NSS Builtin Objects'
[Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot)
[Parent 1229825: Main Thread]: D/pipnss returning:
[Parent 1229825: Main Thread]: D/pipnss E=warren@itcl.com.au,CN=warrenc5
[Parent 1229825: Main Thread]: D/pipnss keeping cert 'E=warren@itcl.com.au,CN=warrenc5'
[Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] read -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] polling SSL socket during certificate verification using lower 5
[Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] polling SSL socket during certificate verification using lower 5
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbe20] starting AuthCertificateHook
[Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbe20] starting AuthCertificateHookInternal
[Parent 1229825: SSL Cert #1]: D/pipnss [7fb8b9bfbe20] SSLServerCertVerificationJob::Run
[Parent 1229825: SSL Cert #1]: D/pipnss [0x7fb8b9bfbe20] Certificate error was not overridden
[Parent 1229825: Main Thread]: D/pipnss FindClientCertificatesWithPrivateKeys
[Parent 1229825: Main Thread]: D/pipnss module 'NSS Internal PKCS #11 Module'
[Parent 1229825: Main Thread]: D/pipnss slot 'NSS Internal Cryptographic Services'
[Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot)
[Parent 1229825: Main Thread]: D/pipnss slot 'NSS User Private Key and Certificate Services'
[Parent 1229825: Main Thread]: D/pipnss (looking at internal slot)
[Parent 1229825: Main Thread]: D/pipnss provisionally adding 'E=warren@itcl.com.au,CN=warrenc5'
[Parent 1229825: Main Thread]: D/pipnss module 'Builtin Roots Module'
[Parent 1229825: Main Thread]: D/pipnss slot 'NSS Builtin Objects'
[Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot)
[Parent 1229825: Main Thread]: D/pipnss returning:
[Parent 1229825: Main Thread]: D/pipnss E=warren@itcl.com.au,CN=warrenc5
[Parent 1229825: Main Thread]: D/pipnss keeping cert 'E=warren@itcl.com.au,CN=warrenc5'
[Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfbdf0] read -1 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read 140 bytes
[Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read 197 bytes
[Parent 1229825: Socket Thread

more options

Digging a little deeper to try and get the CertificateVerify result from TB but can't.

Is the 42 error that Dovecot reports this error code here?

https://searchfox.org/mozilla-central/source/security/nss/lib/mozpkix/include/pkix/Result.h#88

MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, SSL_ERROR_BAD_CERT_DOMAIN)
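
The `SSL alert number 42` in the Dovecot lines quoted in this thread is a TLS alert description code (RFC 8446, section 6: 42 = bad_certificate) that the server read from the connecting client during `SSL_accept()`. As an added example (not from the thread or from Dovecot), this Python sketch triages such lines; the function names and the alert subset are choices made for the example.

```python
import re
from collections import Counter

# TLS alert descriptions from RFC 8446 section 6 (certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 51: "decrypt_error", 70: "protocol_version",
    116: "certificate_required",
}

# Matches Dovecot imap-login disconnect lines like the two quoted in the thread.
# The function field may be empty ("SSL routines::...") with OpenSSL 3.x.
LINE_RE = re.compile(
    r"rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+), TLS handshaking: "
    r"SSL_accept\(\) failed: error:[0-9A-Fa-f]+:SSL routines:\w*:"
    r"(?P<reason>[^:]+): SSL alert number (?P<num>\d+)"
)

# Log lines copied from the posts above.
SAMPLE_LOG = [
    "Nov 21 07:55:21 hostxyz dovecot: master: Dovecot v2.3.7.2 (3c910f64b) "
    "starting up for imap (core dumps disabled)",
    "Nov 21 08:03:46 hostxyz dovecot: imap-login: Disconnected (no auth attempts "
    "in 0 secs): user=<>, rip=10.0.0.2, lip=192.168.0.120, TLS handshaking: "
    "SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:"
    "sslv3 alert bad certificate: SSL alert number 42, session=<Kt6V8kfRD4EKAAAC>",
    "Disconnected (no auth attempts in 1 secs): user=<>, rip=10.8.0.10, "
    "lip=10.8.0.1, TLS handshaking: SSL_accept() failed: error:14094412:"
    "SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: "
    "SSL alert number 42, session=<Bbx/lCzYvIYKCAAK>",
]

def triage(line):
    """Return a dict describing a TLS alert the server received, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    num = int(m["num"])
    return {
        "client": m["rip"], "server": m["lip"], "alert": num,
        "name": TLS_ALERTS.get(num, "unknown"),
        # OpenSSL attaches "SSL alert number N" to alerts it read from the
        # peer; inside SSL_accept() the peer is the connecting client.
        "sent_by": "client",
    }

def summarize(lines):
    """Count received alerts per (client address, alert name)."""
    hits = filter(None, map(triage, lines))
    return Counter((h["client"], h["name"]) for h in hits)
```

A count concentrated on one client address points at that client's trust store or certificate settings rather than at the server's TLS configuration.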

more options

So to follow up - I got it working by getting the certificate in the certificate manager through the https server I set up (apache - default ssl).

Then manually editing the overrides file ~/.thunderbird/uqeiznj0.default/cert_override.txt and changing the first field from www.itcl.com.au:443 to mail.itcl.com.au:993.

It would just be a lot easier to add an exception with the certificate file in the user interface.

I will further investigate how to manually construct this file from the raw certificate details ...

Then you can just write your own exceptions.