tlsv1 alert unknown ca in SSL_accept imaps TLS negotiation failed

Status: UNCONFIRMED
Assignee: Unassigned
Reporter: mozilla
Keywords: regression
Version: 31 Branch
Platform: x86_64, Linux
Firefox Tracking Flags: Not tracked

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 2014072000

Steps to reproduce:

Upgraded Thunderbird on openSuSe 13.1 from 24.7.0 to 31.0
Tried to see mails in imap folder



Actual results:

Endless loop, no mails shown

Cyrus Imap server logfile shows:
tlsv1 alert unknown ca in SSL_accept() -> fail
imaps TLS negotiation failed
Fatal error: tls_start_servertls() failed

I use a custom certificate.
I tried to delete the custom certificates in Thunderbird and added them again, but that did not help. CA certificate is there.

Tried to create new account, but wasn't able to do so since I could not save settings. Can't remember error message, something like: Account settings not found.
Same error in log file.


Expected results:

connect via SSL, show mails in imap folder
Version 24 was ok. 

Workaround: Rollback to version 24

Comment 1

Does setting security.use_mozillapkix_verification to false make it work? (Use Config Editor... under advanced preferences)
Component: Untriaged → Security
Keywords: regression
(Reporter)

Comment 2

4 years ago
Yes, setting security.use_mozillapkix_verification to false makes it work.
Thanks for the quick response.

Comment 3

Can you tell us which server it is, and/or provide details about the certificate?
(Reporter)

Comment 4

4 years ago
I checked the certificates and found that the embedded crl url is unreachable and the IMAP certificate has expired, though the ca certificate is still valid.
TB24 accepted the certificates after showing a security dialog.

I'll fix that and try again but it will take some days till I have time for that.
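
An added example, not part of the original bug thread and not code from Thunderbird or Cyrus: one way to check a server certificate for the two problems found in Comment 4 (an expired certificate and an unreachable CRL URL) with the `openssl` and `curl` command-line tools. The function names, the host name and the CRL URL are constructed for illustration, and `-ext`/`-addext` assume OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: host names and URLs below are constructed placeholders.

# Save the leaf certificate an IMAPS server presents (needs network access).
fetch_imaps_cert() {  # usage: fetch_imaps_cert HOST OUT.pem
    openssl s_client -connect "$1:993" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# Exit 0 if the certificate is expired or expires within SECONDS (default 0).
cert_expires_within() {  # usage: cert_expires_within CERT.pem [SECONDS]
    ! openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Print each CRL distribution point URI embedded in the certificate.
cert_crl_urls() {  # usage: cert_crl_urls CERT.pem
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^ *URI://p'
}

# Exit 0 if the CRL at URL can be downloaded within 10 seconds.
crl_reachable() {  # usage: crl_reachable URL
    curl -fsS --max-time 10 -o /dev/null "$1" 2>/dev/null
}

# Report both findings for one certificate file.
diagnose_cert() {  # usage: diagnose_cert CERT.pem
    openssl x509 -in "$1" -noout -subject -enddate
    if cert_expires_within "$1" 0; then
        echo "FINDING: certificate has expired"
    fi
    cert_crl_urls "$1" | while read -r url; do
        crl_reachable "$url" || echo "FINDING: CRL unreachable: $url"
    done
}

# Constructed sample: self-signed certificate valid for one day, carrying a
# CRL URL under the reserved .invalid TLD so it can never resolve.
make_sample_cert() {  # usage: make_sample_cert OUT.pem
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj "/CN=imap.example.invalid" \
        -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl" \
        2>/dev/null
}

# Run against a certificate file when one is given on the command line.
if [ -n "${1:-}" ]; then diagnose_cert "$1"; fi
```

Passing a number of seconds to `cert_expires_within` (for example 2592000 for 30 days) turns the expiry check into an early warning, so the certificate can be renewed before clients start rejecting it.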