BUG: Thunderbird Does Not Properly Handle Adding Exceptions
I'm configuring Thunderbird on a new laptop (Windows 10 x64). Thunderbird is fresh (52.1.1) but I'm finding I can't add my e-mail accounts with SSL/TLS turned on. There seems to be a bug.
I run my own e-mail server with self signed SSL certificates.
When I use the "Add Security Exception" dialog and click on "Get Certificate" (the field has "imap.myserver.net:993"; I've changed the domain name), instead of retrieving the certificate, it seems to fail to connect. (I know it's working; I can access my e-mail on my desktop, literally right next to it.)
If I exit Thunderbird and re-launch it so it automatically comes up with the Add Security Exception dialog, it has the certificate and I can add it; if I click "Get Certificate" it goes back into the failure state. (If it gets into the failed state, you need to exit Thunderbird entirely for it to 'reset'.)
Attached is a screenshot of what happens when it's in the 'fail state'.
All Replies (10)
Can you post a screenshot of the certificate viewer window with the problematic cert visible? What's particularly important is the issuer of the cert.
christ1 said
Can you post a screenshot of the certificate viewer window with the problematic cert visible? What's particularly important is the issuer of the cert.
I'd love to but even after confirming the exception, Thunderbird won't let me view it.
It's a self-signed certificate on my mail server (hMailServer). OpenSSL was used to generate it, with this batch file.
REM Generate a 1024-bit RSA key, encrypted with 3DES (prompts for a passphrase)
openssl genrsa -des3 -out %1.key 1024
REM Create a certificate signing request for that key
openssl req -new -key %1.key -out %1.csr
REM Keep the encrypted copy, then strip the passphrase so the server can load the key unattended
copy %1.key %1.key.org
openssl rsa -in %1.key.org -out %1.key
REM Self-sign the request for 3000 days
openssl x509 -req -days 3000 -in %1.csr -signkey %1.key -out %1.crt
REM Export a DER copy of the certificate
openssl x509 -outform der -in %1.crt -out %1.der
The copy used was OpenSSL 1.0.1g. It's valid from 4/10/2014 to 6/27/2022.
So you're using a cert based on a 1024 3DES key. That isn't exactly state of the art any more, and it wasn't back in 2014 either.
Check the error console (Ctrl-Shift-J) whether there's anything related.
What hashing algorithm is used for your cert?
"So you're using a cert based on a 1024 3DES key. That isn't exactly state of the art any more, and it wasn't back in 2014 either."
No, but it doesn't really need to be either and really isn't the point. The point is if you click "Get Certificate" it bugs out.
"What hashing algorithm is used for your cert?"
sha1RSA
"Check the error console (Ctrl-Shift-J) whether there's anything related."
I'll need to set up a test. I got it working on my laptop (as long as you don't click "Get Certificate" it adds fine, although it still won't let you view it).
Ok I've completed testing with the information you wanted.
I'm redacting specific information; if the dev team should need full details, please contact me privately.
Error Console:
Use of Mutation Events is deprecated. Use MutationObserver instead. calendar-widgets.xml:506:18
Warning: Using guessed timezone
America/Los_Angeles (UTC-0800/-0700).
This ZoneInfo timezone seems to match the operating system timezone this year.
This ZoneInfo timezone was chosen based on the operating system timezone
identifier "Pacific Standard Time". calTimezoneService.js:805:17
errUtils.js:35
logException resource:///modules/errUtils.js:35:3
EmailConfigWizard.prototype.findConfig/this._abortable</self._abortable< chrome://messenger/content/accountcreation/emailWizard.js:589:13
fetchConfigFromISP/fetch1</fetch2< chrome://messenger/content/accountcreation/fetchConfig.js:105:11
FetchHTTP.prototype._error chrome://messenger/content/accountcreation/fetchhttp.js:210:7
FetchHTTP.prototype._response chrome://messenger/content/accountcreation/fetchhttp.js:189:7
FetchHTTP.prototype.start/request.onload chrome://messenger/content/accountcreation/fetchhttp.js:116:35
Not Found errUtils.js:35
logException resource:///modules/errUtils.js:35:3
EmailConfigWizard.prototype.findConfig/this._abortable</self._abortable</self._abortable< chrome://messenger/content/accountcreation/emailWizard.js:603:17
FetchHTTP.prototype._error chrome://messenger/content/accountcreation/fetchhttp.js:210:7
FetchHTTP.prototype._response chrome://messenger/content/accountcreation/fetchhttp.js:189:7
FetchHTTP.prototype.start/request.onload chrome://messenger/content/accountcreation/fetchhttp.js:116:35
MX lookup would be no different from domain errUtils.js:35
smtp.[REDACTED].net:465 uses an invalid security certificate.
The certificate is not trusted because it is self-signed. The certificate is not valid for the name smtp.[REDACTED].net.
Error code: SEC_ERROR_UNKNOWN_ISSUER
(unknown)
imap.[REDACTED].net:993 uses an invalid security certificate.
The certificate is not trusted because it is self-signed. The certificate is not valid for the name imap.[REDACTED].net.
Error code: SEC_ERROR_UNKNOWN_ISSUER
(unknown)
1496260921276 addons.update-checker WARN Update manifest for {972ce4c6-7e08-4474-a285-3208198ce6fd} did not contain an updates property
1496260921383 addons.update-checker WARN Update manifest for thunderbird-hotfix@mozilla.org did not contain an updates property
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help http://xhr.spec.whatwg.org/ exceptionDialog.js:109:6
Error: 2147500034 exceptionDialog.js:32:11
Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: NetworkError: A network error occurred. exceptionDialog.js:117
christ1 said
sha1RSA
That's fine, but it should give a more meaningful error message then. (Moreover, why does it let me accept it if I don't click "Get Certificate"?)
You can try the following: Close Thunderbird. Delete the cert_override.txt file in the Thunderbird profile folder to remove intermediate certificates and exceptions that Thunderbird has stored.
Just did another test using a new certificate that is SHA-256, same behavior. (Also raised the key size to 4096)
To reiterate, this isn't a support request. I have it working (through the "don't click Get Certificate, add as permanent exception" technique).
This is a bug report because Thunderbird isn't behaving properly.
1. If SHA-1 is now not accepted, it should be saying that on the certificate screen.
2. If you click "Get Certificate" it should not gray out confirm permanent exception and view. (It initially gets it just fine.)
3. If you've added one of these as a permanent exception, you can't view it in the certificate manager.
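The three things the thread circles around (a self-signed cert, a SHA-1 signature over a 1024-bit key, and "not valid for the name ...") can all be checked from the .crt file before touching the exception dialog. The following is an added example, not code from this thread or from Thunderbird: it regenerates a self-signed cert the way the batch file above does but with a 2048-bit key, SHA-256 and a subjectAltName covering each host name a client will connect to, then reports what Thunderbird would object to. It assumes the openssl CLI (1.1.1 or newer for -addext); the host names are constructed placeholders for the redacted imap./smtp. names.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs the openssl CLI (1.1.1+ for -addext).
# Host names used in tests are constructed placeholders for imap./smtp.[REDACTED].net.
set -eu

# Generate a self-signed cert like the poster's batch file, but with a 2048-bit RSA
# key, a SHA-256 signature and a subjectAltName naming every host clients connect to,
# so "The certificate is not valid for the name ..." cannot occur.
# Usage: gen_cert <basename> <days> <first-name> [<more-names>...]
gen_cert() {
    base=$1; days=$2; shift 2
    san=""
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$1" -addext "subjectAltName=$san" \
        -keyout "$base.key" -out "$base.crt" 2>/dev/null
}

# Report the properties discussed in the thread: self-signed (issuer == subject),
# signature hash, key size, and whether the cert is valid for the given host name.
cert_summary() {
    crt=$1; host=$2
    txt=$(openssl x509 -in "$crt" -noout -text)
    subj=$(openssl x509 -in "$crt" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$crt" -noout -issuer); iss=${iss#issuer=}
    [ "$subj" = "$iss" ] && selfsigned=yes || selfsigned=no
    sig=$(printf '%s\n' "$txt" | sed -n '/Signature Algorithm/{s/.*: //p;q;}')
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    # -checkhost applies the same SAN/CN matching rules a client uses
    if openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q ' does match'; then
        name=match
    else
        name=MISMATCH
    fi
    echo "selfsigned=$selfsigned sig=$sig bits=$bits name=$name"
}

# Succeed only when the cert avoids the complaints seen in the thread:
# the name matches, the signature is not SHA-1, and the key is at least 2048 bits.
# (Self-signed is left to the user to accept as an exception, as in the thread.)
cert_ok() {
    s=$(cert_summary "$1" "$2")
    case "$s" in *name=match*) ;; *) return 1 ;; esac
    case "$s" in *sig=sha1*) return 1 ;; esac
    bits=${s#*bits=}; bits=${bits%% *}
    [ "$bits" -ge 2048 ]
}
```

Run cert_summary against the existing imap/smtp cert with each host name Thunderbird uses; a MISMATCH line is exactly the "not valid for the name" condition from the error console above.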
Edeziri
Before declaring this a bug you should follow what has already been suggested. https://support.mozilla.org/en-US/questions/1161649#answer-973943
If that doesn't fix the problem, try with a new profile.
If the problem still exists with a new profile you may want to raise a bug in Bugzilla. https://bugzilla.mozilla.org/