为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Self-signed certificate problem after upgrade to TB 68.4.1

  • 5 个回答
  • 2 人有此问题
  • 18 次查看
  • 最后回复者为 dominik

more options

After upgrading to TB 68.4.1 I could not read/write e-mails anymore. The error message is "The IMAP server does not support the selected authentication method". The log file shows

[(null) 18264: Unnamed thread 23287970]: D/IMAP try to log in [(null) 18264: Unnamed thread 23287970]: D/IMAP IMAP auth: server caps 0x4484421, pref 0x1006, failed 0x0, avail caps 0x0 [(null) 18264: Unnamed thread 23287970]: D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000) [(null) 18264: Unnamed thread 23287970]: D/IMAP no remaining auth method [(null) 18264: Unnamed thread 23287970]: E/IMAP login failed entirely

So, no authentication method was even selected.

I have created a new appdata Thunderbird folder. Now I can define an exception for my certificate in the settings - without specifying the port. The downloaded certificate has the wrong port number however (should be 143 but is 443). When reading e-mails another certificate with the correct port is downloaded which I can confirm, and the e-mails are read correctly. However when restarting Thunderbird the above error message comes again and I have to repeat the procedure by first deleting the certificate and then defining an exception for it.

My questions: - How can I tell Thunderbird to accept my certificate without defining an exception in the settings? This was not required before the update. - How can I define the certificate exception in a way to get the correct port that persists after restarting Thunderbird?

After upgrading to TB 68.4.1 I could not read/write e-mails anymore. The error message is "The IMAP server does not support the selected authentication method". The log file shows [(null) 18264: Unnamed thread 23287970]: D/IMAP try to log in [(null) 18264: Unnamed thread 23287970]: D/IMAP IMAP auth: server caps 0x4484421, pref 0x1006, failed 0x0, avail caps 0x0 [(null) 18264: Unnamed thread 23287970]: D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000) [(null) 18264: Unnamed thread 23287970]: D/IMAP no remaining auth method [(null) 18264: Unnamed thread 23287970]: E/IMAP login failed entirely So, no authentication method was even selected. I have created a new appdata Thunderbird folder. Now I can define an exception for my certificate in the settings - without specifying the port. The downloaded certificate has the wrong port number however (should be 143 but is 443). When reading e-mails another certificate with the correct port is downloaded which I can confirm, and the e-mails are read correctly. However when restarting Thunderbird the above error message comes again and I have to repeat the procedure by first deleting the certificate and then defining an exception for it. My questions: - How can I tell Thunderbird to accept my certificate without defining an exception in the settings? This was not required before the update. - How can I define the certificate exception in a way to get the correct port that persists after restarting Thunderbird?

被采纳的解决方案

Has you certificate store been changed by an anti virus? security.enterprise_roots.enabled in the config editor set to true.

Does your server support TLS V 1.0 and 1.1 only?

I got an email today advising it is disabled in the 73 beta, I would expect that to show up is Thunderbird 68.5 so it should not yet be an issue.

If you are talking about the distrusting of the Symantec certificates in the V68 release notes (your link is broken) they have been phased out over a long time. and as your certificate is self signed not relevant

定位到答案原位置 👍 0

所有回复 (5)

more options

How about just using a real certificate? We are going away from self signed certificates if I read the last changes to actually mean anything.

But no remaining auth methods usually means that the server is not running a new enough version of TLS, or the key size is not large enough, not that the certificate is invalid. (that should get an error in the user interface of it's own)

more options

Thank you for the quick reply!

It seems to be a specific problem of the Thunderbird instance on my Windows computer. I have tried to repeat the same steps in a virtual machine on my computer, and everything works as expected: 1. Created a new account with my account settings (STARTTLS, ingoing port 143, outgoing port 587) in the Thunderbird instance of my virtual machine 2. After confirmation Thunderbird comes up with the expected certificate warning (with the correct port 143) and lets me accept the certificate permanently 3. E-Mails are downloaded

In my local Thunderbird however I do not get the certificate warning in step 2 but the error message "The IMAP server does not support the selected authentication method" mentioned in my previous post. My impression is that the download request is done with the wrong port number (should be 143 for STARTTLS but is 443 for HTTPS).

What I have tried but did not help: - Reinstalled Thunderbird - Deleted appdata Thunderbird folder to let Thunderbird recreate all data including profiles - Temporarily deactivated Symantec Endpoint Protection to avoid some magic port forwarding

Any ideas? Are there any registry settings that might cause the problem? Any chance to increase debugging level to get more detailed information?

more options

I went back to TB 60.9.1 (using the existing profile) and - tata... - everything works fine again! So the problem must have to do with TB 68.4.1.

In the release notes I read that TB 68 has stricter certificate checks: https://www.thunderbird.net/en-US/thund ... easenotes/

Maybe the problem has to do with it. For now I will have to stay with TB 60...

more options

选择的解决方案

Has you certificate store been changed by an anti virus? security.enterprise_roots.enabled in the config editor set to true.

Does your server support TLS V 1.0 and 1.1 only?

I got an email today advising it is disabled in the 73 beta, I would expect that to show up is Thunderbird 68.5 so it should not yet be an issue.

If you are talking about the distrusting of the Symantec certificates in the V68 release notes (your link is broken) they have been phased out over a long time. and as your certificate is self signed not relevant

由Matt于修改

more options

That was it! In TB 60 security.enterprise_roots.enabled was set to false. I updated to TB 68.4.2. and security.enterprise_roots.enabled was modified to true. I changed it back to false, and now e-mails are working as before.

I would not have found this solution. Thank you so much for your help!