Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

BUG: Thunderbird Does Not Properly Handle Adding Exceptions

  • 10 个回答
  • 1 人有此问题
  • 16 次查看
  • 最后回复者为 christ1

more options

I'm configuring Thunderbird on a new laptop (Windows 10 x64). Thunderbird is fresh (52.1.1) but I'm finding I can't add my e-mail accounts with SSL/TLS turned on. There seems to be a bug.

I run my own e-mail server with self signed SSL certificates.

When I use the "Add Security Exception" dialog, when I click on "get Certificate" (the field has "imap.myserver.net:993" (I've changed the domain name) instead of it retrieving the certficiate, it seems to fail to connect. (I know it's working, I can access my e-mail on my desktop, literally right next to it.)

If I exit Thunderbird and re-launch it so it automatically comes up with the Add Security Exception, it has the certificate and I can add it, if I click "Get Certficiate" it goes back into the failure state. (If it gets into the failed state, you need to exit Thunderbird entirely for it to 'reset'.)

Attached is a screenshot of what happens when it's in the 'fail state'.

I'm configuring Thunderbird on a new laptop (Windows 10 x64). Thunderbird is fresh (52.1.1) but I'm finding I can't add my e-mail accounts with SSL/TLS turned on. There seems to be a bug. I run my own e-mail server with self signed SSL certificates. When I use the "Add Security Exception" dialog, when I click on "get Certificate" (the field has "imap.myserver.net:993" (I've changed the domain name) instead of it retrieving the certficiate, it seems to fail to connect. (I know it's working, I can access my e-mail on my desktop, literally right next to it.) If I exit Thunderbird and re-launch it so it automatically comes up with the Add Security Exception, it has the certificate and I can add it, if I click "Get Certficiate" it goes back into the failure state. (If it gets into the failed state, you need to exit Thunderbird entirely for it to 'reset'.) Attached is a screenshot of what happens when it's in the 'fail state'.
已附加屏幕截图

所有回复 (10)

more options

Can you post a screenshot of the certificate viewer window with the problematic cert visible? What's particularly important is the issuer of the cert.

more options

christ1 said

Can you post a screenshot of the certificate viewer window with the problematic cert visible? What's particularly important is the issuer of the cert.

I'd love to but even after confirming the exception, Thunderbird won't let me view it.

It's a self-signed certificate on my mail server (hMailServer). OpenSSL was used to generate it, with this batch file.

openssl genrsa -des3 -out %1.key 1024 openssl req -new -key %1.key -out %1.csr copy %1.key %1.key.org openssl rsa -in %1.key.org -out %1.key openssl rsa -in %1.key.org -out %1.key openssl x509 -req -days 3000 -in %1.csr -signkey %1.key -out %1.crt openssl x509 -outform der -in %1.crt -out %1.der

The copy used was OpenSSL 1.0.1g. It's valid from 4/10/2014 to 6/27/2022.

more options

So you're using a cert based on a 1024 3DES key. That isn't exactly state of the art any more, and it wasn't back in 2014 either.

Check the error console (Ctrl-Shift-J) whether there's anything related.

What hashing algorithm is used for your cert?

more options

"So you're using a cert based on a 1024 3DES key. That isn't exactly state of the art any more, and it wasn't back in 2014 either."

No, but it doesn't really need to be either and really isn't the point. The point is if you click "Get Certificate" it bugs out.

"What hashing algorithm is used for your cert?"

sha1RSA


"Check the error console (Ctrl-Shift-J) whether there's anything related."

I'll need to set up a test. I got it working on my laptop (as long as you don't click "Get Certificate" it adds fine although it still won't let you view it.).

more options
more options

Ok I've completed testing with the information you wanted.

I'm redacting specific information if the dev team should need full details please contact me privately.


Error Console: Use of Mutation Events is deprecated. Use MutationObserver instead. calendar-widgets.xml:506:18

Warning: Using guessed timezone

 America/Los_Angeles (UTC-0800/-0700).

This ZoneInfo timezone seems to match the operating system timezone this year.

This ZoneInfo timezone was chosen based on the operating system timezone

identifier "Pacific Standard Time". calTimezoneService.js:805:17

 errUtils.js:35

logException resource:///modules/errUtils.js:35:3 EmailConfigWizard.prototype.findConfig/this._abortable</self._abortable< chrome://messenger/content/accountcreation/emailWizard.js:589:13 fetchConfigFromISP/fetch1</fetch2< chrome://messenger/content/accountcreation/fetchConfig.js:105:11 FetchHTTP.prototype._error chrome://messenger/content/accountcreation/fetchhttp.js:210:7 FetchHTTP.prototype._response chrome://messenger/content/accountcreation/fetchhttp.js:189:7 FetchHTTP.prototype.start/request.onload chrome://messenger/content/accountcreation/fetchhttp.js:116:35 </p>

Not Found errUtils.js:35 logException resource:///modules/errUtils.js:35:3 EmailConfigWizard.prototype.findConfig/this._abortable</self._abortable</self._abortable< chrome://messenger/content/accountcreation/emailWizard.js:603:17 FetchHTTP.prototype._error chrome://messenger/content/accountcreation/fetchhttp.js:210:7 FetchHTTP.prototype._response chrome://messenger/content/accountcreation/fetchhttp.js:189:7 FetchHTTP.prototype.start/request.onload chrome://messenger/content/accountcreation/fetchhttp.js:116:35 </p>

MX lookup would be no different from domain errUtils.js:35

smtp.[REDACTED].net:465 uses an invalid security certificate.

The certificate is not trusted because it is self-signed. The certificate is not valid for the name smtp.[REDACTED].net.

Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>

 (unknown)

imap.[REDACTED].net:993 uses an invalid security certificate.

The certificate is not trusted because it is self-signed. The certificate is not valid for the name imap.[REDACTED].net.

Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>

 (unknown)

1496260921276 addons.update-checker WARN Update manifest for {972ce4c6-7e08-4474-a285-3208198ce6fd} did not contain an updates property

1496260921383 addons.update-checker WARN Update manifest for thunderbird-hotfix@mozilla.org did not contain an updates property

Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help http://xhr.spec.whatwg.org/ exceptionDialog.js:109:6

Error: 2147500034 exceptionDialog.js:32:11

Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: NetworkError: A network error occurred. exceptionDialog.js:117

more options

christ1 said

sha1RSA

https://www.fxsitecompat.com/en-CA/docs/2016/sha-1-certificates-issued-by-public-ca-will-no-longer-be-accepted/

That's fine but it should give a more meaningful error message then. (Moreoever, why does it let me accept it if I don't click "Get Certificate"?)

more options

You can try the following: Close Thunderbird. Delete the cert_override.txt file in the Thunderbird profile folder to remove intermediate certificates and exceptions that Thunderbird has stored.

more options

Just did another test using a new certificate that is SHA-256, same behavior. (Also raised the key size to 4096)

To reiterate, this isn't a support rqeuest. I have it working (through the don't click "Get Certificate" and add as permanent exception technique.)

This is a bug report because Thunderbird isn't behaving properly.

1. If SHA-1 is now not accepted; it should be saying that on the certficate screen.

2. If you click "Get Certificate" it should not gray out confirm permanent exception and view. (It initially gets it just fine.)

3. If you've added one of these as a permanent exception, you can't view it in the certificate manager.

由lee_thompson于修改

more options

Before declaring this a bug you should follow what has already been suggested. https://support.mozilla.org/en-US/questions/1161649#answer-973943

If that doesn't fix the problem, try with a new profile.

If the problem still exists with a new profile you may want to raise a bug in Bugzilla. https://bugzilla.mozilla.org/