Closed Bug 456593 Opened 16 years ago Closed 5 years ago

Yahoo and AT&T POP SSL change causes bad behavior with Thunderbird

Categories

(Thunderbird :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jm-mitre, Unassigned)

References

(Depends on 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: 2.0.0.16 (20080708)   (also 2.0.0.9 and 3.0.1) 

Last week AT&T (or Yahoo!) rolled out a change to their mail servers.  Now Thunderbird users using this ISP can't send mail.  There is also a necessary song and dance before Thunderbird users can receive mail. There are several symptoms.

Picking up mail:

1. An occasional Thunderbird request, User Identification Request: The site has requested that you identify yourself with a certificate: pop.att.yahoo.com; Org: Yahoo! Inc.; Issued Under Equifax

This can be dismissed, or a certificate can be supplied.  (I provide the certificate, which I must have installed in Thunderbird, because I must read encrypted mail sent to me using my public key.)

2. Subsequent Thunderbird alert, Alert: Error establishing an encrypted connection to pop.att.yahoo.com. Error Code: -12195.

This can be dismissed with OK.  Clicking the Get Mail icon again then successfully checks for mail and downloads any mail.

AT&T (or branded Yahoo!) support management is well aware of this problem.  Their position is that there is a design flaw in Thunderbird.  Support staff freely agrees that Thunderbird did work for months with their servers.  They agree that it was a recent change to their servers that resulted in this problem.  By being nice, you can get them to agree that it was their change that led to the "design flaw," which led to the problem.

There is no doubt that my settings *are* correct.

Others with the same settings have the same problem.  Both XP and Vista.  Both Thunderbird 2.0 and 3.0.

Reproducible: Always

Steps to Reproduce:
1. Click Get Mail icon
   or
1. Automatic mail check

Actual Results:
Clicking through Thunderbird alerts and errors required before mail is checked (and downloaded if any).

Expected Results:
Mail checked and downloaded if any.

I wrote the summary as "Yahoo and AT&T POP SSL change fails with Thunderbird," because I don't have enough information to be sure where the problem is.

This is the way AT&T+Yahoo! support management would have titled the thread: 

    Yahoo and AT&T POP SSL change uncovers design flaw in Thunderbird.

....

Last spring AT&T (and, maybe, all Yahoo! e-mail) switched to using an SSL session to transmit and to pick up mail. That required a change to the Thunderbird account settings.  Easily made and no problem.

Sending mail:

3. When clicking Send icon on any message, sometimes the request of symptom 1 above.

This may be due to automatic checking for mail, and not related to the clicking of Send.

4. Thunderbird error, Send Message Error: Sending of message failed. The message could not be sent because connecting to SMTP server smtp.att.yahoo.com failed.  The server may be ... Please verify ... or contact your network administrator.

This can be dismissed with OK.

But the message is *not* sent.

.......

Posted as two bugs, one for POP and one for SMTP.

Probably related to 381287, which was recently assigned.

Possibly related: 447960, 437683.

Cordially, Joaquin
Please let me know if I can help by gathering more info.  Please give specific instructions.  I'm a software architect, so kinda ignorant.

Posted at Bug 456590 for SMTP connection problem.

Please provide the host name and port number that you use to reach the 
Yahoo/AT&T POP server.  You can send it to me in private email, if you'd
prefer.

What version of Thunderbird are you using?
Please provide as precise an answer as possible, e.g. a number like 1.2.3.4

When you get that prompt that says:

> The site has requested that you identify yourself with a certificate

Do you see a "cancel" button?  
If so, please click it, and report back here if that works for you.

Don't worry.  That won't have any detrimental effect on your ability to 
send and receive encrypted email, and it also won't have any detrimental 
effect on the SSL encryption between TB and Yahoo.

You can also try this when you see that same prompt for IMAP or SMTP, and
report your results in the appropriate bug(s) for those protocols.

Nelson:

Thunderbird 2.0.0.16.  I reproduce the same problem on another XP machine with 2.0.0.9.  My co-worker has the same problem with 3.0.1 on Vista.

I get three messages:
  User Identification Request. The first time, I checked Remember this decision and then clicked OK;
      after that the check mark stays and I click either OK or Cancel.
  Alert: Could not establish... certificate rejected... Error Code -12271.  I click OK.
  Alert: Error establishing encrypted... Error Code -12195.

When I set the config to automatically select a certificate, I got one time:
    Account Wizard  Identity    Your Name:  Email Address  

Since config change I have not gotten User Identification request.

I can receive mail, if I try again after dismissing the Alert.
I cannot send mail, whether (end to end) encrypted or unencrypted.

I use a VeriSign Class 1 Individual certificate for encryption.

I'm sorry to see that Thunderbird is STILL outputting negative error numbers
instead of error strings, a DECADE after those strings were created. :(
Unfortunately, I cannot force the folks responsible to change that, so I 
have created a web page that lists the error numbers and their meanings at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

Yahoo's server is rejecting your certificate.

I'm sure that Yahoo does not recognize your Verisign Class 1 email cert as 
a valid SSL client authentication certificate, so the solution will involve
not sending that certificate any more.  I believe that clicking cancel 
when you are asked to choose a cert will cause no cert to be sent.

You aren't getting user identification requests because you asked TB to 
remember one you chose before.  But that cert is being rejected by the server.  
Unfortunately, it will not remember the decision to send no certificate.  
It will help you to undo the "remember this decision" preference, if you can 
figure out how to do that.  I believe that the "remember decision" feature 
will be removed in the next update. See bug 454406.

(In reply to comment #7)
> I'm sorry to see that Thunderbird is STILL outputting negative error numbers
> instead of error strings, a DECADE after those strings were created. :(

I presume you mean error messages like the reporter's "Could not establish... certificate rejected... Error Code -12271"? Could you go into more detail about how we could change from "certificate rejected..." to a string that says, um, "certificate rejected..."?

Yahoo's SMTP server is requesting client authentication in a way that says:
"If you have a certificate from ANY issuer whatsoever, send it to me."
It does this by sending an empty list of names of CAs that it will trust
to issue client certificates.

This is a classic indication of a misconfigured server.  No server really
trusts certs from ALL CAs indiscriminately, and the fact that it is rejecting
your cert is evidence that it does not actually accept certs from your issuer.

SSLRecord { 
   0: 16 03 01 00  0d
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 13 (0xd)
   handshake {
   0: 0d 00 00 05
      type = 13 (certificate_request)
      length = 5 (0x000005)
         CertificateRequest {
            certificate types[2] = { 01 02 }
            certificate_authorities[0] = {        <--- empty list
            }
         }
I connected to the smtp server, and when it asked me to authenticate myself
with a cert, I clicked cancel.  Of course, since I didn't have a valid user
name and password, I didn't get much farther, but I at least got to the point
where I could have logged in.
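As an added illustration of the empty certificate_authorities list Nelson describes (not code from this bug, Thunderbird or NSS), a small Python decoder for a TLS 1.0/1.1 CertificateRequest record that flags a server asking for a client certificate from any issuer. The sample bytes are constructed from the dump above; it assumes a 4-byte ServerHelloDone follows the CertificateRequest in the same record, which is what accounts for the record length of 13.

```python
import struct

HANDSHAKE, CERTIFICATE_REQUEST = 22, 13

# Constructed sample: the record dumped above (16 03 01 00 0d / 0d 00 00 05 / 02 01 02 00 00)
# followed by a ServerHelloDone (0e 00 00 00), assumed to fill the 13-byte record length.
EMPTY_CA_LIST_RECORD = bytes.fromhex("160301000d" "0d000005" "0201020000" "0e000000")


def parse_certificate_request(record: bytes) -> dict:
    """Decode the first handshake message of a TLS 1.0/1.1 record as a CertificateRequest."""
    if len(record) < 9:
        raise ValueError("record too short")
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE or (vmaj, vmin) > (3, 2):
        raise ValueError("expected a TLS <= 1.1 handshake record (1.2 adds signature_algorithms)")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]  # later messages in the same record (ServerHelloDone) are ignored
    if htype != CERTIFICATE_REQUEST or len(msg) != hlen:
        raise ValueError("not a complete CertificateRequest")
    n_types = msg[0]
    types = list(msg[1:1 + n_types])  # 1 = rsa_sign, 2 = dss_sign
    pos = 1 + n_types
    ca_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ca_len
    if end != hlen:
        raise ValueError("certificate_authorities length mismatch")
    authorities = []  # each entry is an opaque DER DistinguishedName
    while pos < end:
        dn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        authorities.append(msg[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    return {"version": (vmaj, vmin), "types": types, "authorities": authorities}


def requests_cert_from_any_issuer(record: bytes) -> bool:
    """True when the server asks for a client certificate but names no acceptable CA:
    the misconfiguration that makes Thunderbird offer an unrelated email cert."""
    return parse_certificate_request(record)["authorities"] == []


def build_certificate_request(types, authorities, version=(3, 1)) -> bytes:
    """Encode a CertificateRequest record (pre-TLS-1.2 layout) to exercise the check."""
    ca = b"".join(struct.pack("!H", len(dn)) + dn for dn in authorities)
    msg = bytes([len(types)]) + bytes(types) + struct.pack("!H", len(ca)) + ca
    hs = bytes([CERTIFICATE_REQUEST]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BBBH", HANDSHAKE, *version, len(hs)) + hs
```

A server that passes this check still has to be configured to trust only the CAs it actually accepts; the empty list is just the symptom that is visible on the wire.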

OK. i wasted half an hour or so investigating this.

nelson: please don't talk to users using tb2

bug 107491 fixed this on cvs trunk ages ago.

sadly you're talking to a user who stated clearly in comment 0 that the build id was 2.0.0.16.

for people who really want to understand where the string was, it was here:
http://mxr.mozilla.org/mozilla1.8/search?string=establishing+an+encrypted

And if you spend a bit of time w/ bonsai you'd learn what i've already written above.

reporter: please grab a build from http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/latest-comm-central/ and see what happens. also, when filing, if you're filing w/ 2.x, please fill in the version as 2.0, if you're using the builds from the url i listed, please fill in 'trunk'.
Version: unspecified → 2.0

The workaround for this, to receive mail from AT&T+Yahoo! is simply to click through the error messages.

For the workaround for sending mail via AT&T+Yahoo!, see Bug 456590.  Thanks, Nelson.

Timeless: I will find time to test a recent build, but I can't do that right away.  I will test the workaround on 2.0.0.9, for what that might be worth.  And I will have a colleague test it on 3.0.1.

(In reply to comment #12)
> The workaround for this [...] is simply to click through the error messages.

To be clear, you "click through" by clicking cancel, not by clicking OK.

confirming...
Status: UNCONFIRMED → NEW
Ever confirmed: true

timeless:

Here are the shredded results:

Shredder 3.0b1pre
thunderbird-3.0b1pre.en-US.win32.installer.exe 27-Sep-2008 04:28 7.8M
Downloaded 27 Sep 8  2:10 PM PDT
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) 
Gecko/20080927031346 Shredder/3.0b1pre
security.default_personal_cert : Ask Every Time

The behavior is the same, with one interesting difference: Immediately after install I send an unencrypted message: Sent without error.

I composed an encrypted message:
Clicked Send
Up pops User Identification Request
Clicked Cancel

After some time of Sending Message  Status, the error:

Send Message Error

Sending of message failed.
The message could not ... SMTP server smtp.att.yahoo.com failed.

OK

After this, the behavior was the same as three versions of 2.0:
    .9, .16, and .17.
To wit:

I composed an encrypted message:
Clicked Send
Up pops User Identification Request
Clicked Cancel

works

Likewise with Get Mail

Joaquin,
I think you're saying, in comment 15, that when you test with shredder, 
the first attempt to connect fails, even though you clicked cancel in 
the cert selection dialog, but the second and subsequent attempts 
succeed.  Is that correct?

Sorry, Nelson.  I was not clear.

The very first time, right after installing Shredder, I sent the first message with no error message or user identification request.

I *then* composed an encrypted message and got the request. The behavior from then on was the same as versions of 2.0, but the first message went out silently.

I suppose mail was also checked (without error) as soon as Shredder started, but I did not notice that.

.......

I mentioned the fluke first message only in the spirit of complete info.

Question:

Why is this bug marked Depends on: 437683?

Please see comments #48 and #49 of 437683.  This bug, 456593, can be resolved with a config change, adding an option to an existing config item:

set
   security.default_personal_cert 
to 
   Send no certificate
(not a per account configuration) 

This bug is not assigned, will someone take it?

Thanks everyone. Please forgive my ignorance of how Depends on: is used.

Are there any updates on this issue?

Thunderbird 3.0 is approaching and I cannot see any improvement on this side. 

I either have to not use any certificate or always hit cancel if not willing to authenticate ssl with my own certificate. 

This is indeed annoying, especially given that along with "select automatically" and "ask every time" developers could easily add "never use certificates" into options (even hidden into the about:config would still be really appreciated!) Thanks!

It sounds like this email provider has fixed their configuration, and they no longer request client auth certificates from any CA. No reports in many years. Resolving as worksforme.

Remaining suggestions for improvement are tracked in other bugs.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME