525068 - Expired certificates conflicts prevent message encryption

Status: NEW

(MailNews Core :: Security: S/MIME, defect)

Description

[Huu Da]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: version 2.0.0.23 (20090812)

When importing a new certificate from one person, it is not possible to encrypt any message to that person unless we delete all expired certificates from that person. I can delete those expired certificates, restart TB, open a message with the latest unexpired certificate and I can encrypt emails to that person.

This is ok, but it becomes a problem if that person is myself, or one of the other email address I have.

I cannot send an encrypted email to another of my emails if I have expired certificates. I cannot delete those expired certificates since I need them to decrypt old crypted emails.


Reproducible: Always

Steps to Reproduce:
1. Have an expired certificatte for your email.
2. Import a new certificate with the same email.
3. Compose
4. Type your email
5. Click on "Security" -> "View Security Info".
Actual Results:  
Recipient shows "your email".
Status: Not found

Expected Results:  
Show "Found", Issued date and expires date.

Comment 1

[Kai Engert (:KaiE:)]

Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody

Comment 2

[Kai Engert (:KaiE:)]

This problem may be related to the "hidden S/Mime profile".

Each time you display and read a signed S/Mime message from the same sender email address, the NSS database will remember the preferred encryption certificate which has been listed inside the signed message.

Simply importing a certificate into cert manager will not update that hidden profile.

Try to send a signed email to yourself, using the new preferred cert, this might enable you to send an encrypted message afterwards. Does this work for you?

Comment 3

[Huu Da]

I am not sure what you are asking me to do...

I can:
 - send signed email from A@B.C to X@Y.Z
 - send signed and encrypted email from A@B.C to X@Y.Z
 - read signed email on X@Y.Z from A@B.C
 - read signed and encrypted on X@Y.Z from A@B.C
 - send signed email from X@Y.Z to A@B.C

I cannot (even if I can read signed email from A@B.C to X@Y.Z):
 - send signed and encrypted email from X@Y.Z to A@B.C
 - send encrypted email from X@Y.Z to A@B.C
 - send signed and encrypted email from X@Y.Z to X@Y.Z

If not any of these combination, can you specify to me what order you want me to test?

I have tested with TB 3.0.5, and just downloaded and tested with 3.1. Same results.

Also, funny thing, I just noticed that this also prevent me from saving to draft if I've checked Encrypt

Comment 4

[PietDerRote]

I can confirm this bug also exists in TB 3.0.6. (Linux)

It does not help,
Send a signed (with the new, valid certificate) eMail to force the sender to use the new certifcate.

Comment 5

[Eddy Nigg (StartCom)]

Confirmed here too.

Comment 6

[Jan Tomasek]

I have exactly same problem here. We are migrating from one CA to another. 

Users have certs from the old one and from new one CA. But Thunderbird always choose the first known certificate. Even if this certificate is expired (the one from old CA).  

Only known workaround is to delete expired certificates from certificate store. This is very painfull because users are exchanging certificates as they expires... 

I belive this is duplicate of #495655 and #531073

I tested this with Thunderbird 3.1.6 on Linux.

Comment 7

[JK]

I can confirm that behaviour for Thunderbird 3.1.4 to 3.1.6 on Windows as well. Seems to be platform independent.