Open Bug 1048282 Opened 10 years ago Updated 16 days ago

tlsv1 alert unknown ca in SSL_accept imaps TLS negotiation failed

Categories

(Thunderbird :: Security, defect)

31 Branch
x86_64
Linux
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: mozilla, Unassigned)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 2014072000

Steps to reproduce:

Upgraded Thunderbird on openSuSe 13.1 from 24.7.0 to 31.0
Tried to see mails in imap folder



Actual results:

Endless loop, no mails shown

Cyrus Imap server logfile shows:
tlsv1 alert unknown ca in SSL_accept() -> fail
imaps TLS negotiation failed
Fatal error: tls_start_servertls() failed

I use a custom certificate.
I tried to delete the custom certificates in Thunderbird and added them again, but that did not help. CA certificate is there.

Tried to create new account, but wasn't able to do so since I could not save settings. Can't remember error message, something like: Account settings not found.
Same error in log file.


Expected results:

connect via SSL, show mails in imap folder
Version 24 was ok. 

Workaround: Rollback to version 24
Does setting security.use_mozillapkix_verification to false make it work? (Use Config Editor... under advanced preferences)
Component: Untriaged → Security
Keywords: regression
Yes, setting security.use_mozillapkix_verification to false makes it work.
Thanks for the quick response.
Can you tell us which server it is, and/or provide details about the certificate?
I checked the certificates and found that the embedded crl url is unreachable and the IMAP certificate has expired, though the ca certificate is still valid.
TB24 accepted the certificates after showing a security dialog.

I'll fix that and try again but it will take some days till I have time for that.
Severity: normal → S3

(In reply to Magnus Melin [:mkmelin] from comment #1)

Does setting security.use_mozillapkix_verification to false make it work?

The setting does not even exist in modern Thunderbird (I'm struggling with 115.9.0), but the problem is here (again?)...

Our private little IMAP-server has its own CA and uses its own certificate. This worked for some years until the server certificate had to be replaced. After the replacement other clients -- iPhones -- continue working fine with the same server, but TB is quietly failing. There are no error messages presented through any GUI on the client-side, but on the server side I see:

imaps TLS negotiation failed: client.example.com [ip.add.res.s]

As the original reporter 10 years ago, I tried importing the private CA's certificate into Thunderbird, but that didn't help. We also tried deleting the account on the client -- and creating it again. Same results:

  1. no obvious errors, but no e-mails either on the client.
  2. imaps TLS negotiation failed logged by Cyrus IMAP on the server.

Just for kicks, I tried adding the security.use_mozillapkix_verification to Thunderbird, and it didn't help.

We tried deleting the server's entry from "Certificate Manager" -> Servers, and the entry did not reappear. Testing the server with OpenSSL's s_client works fine:

% openssl s_client -crlf -connect server.example.com:993
CONNECTED(00000003)
depth=1 C = US, ST = Some-State, O = United Marsupials, OU = Wombats, CN = Narawntapu
verify return:1
depth=0 C = US, O = United Marsupials, CN = ..., emailAddress = "mi+cert@...."
verify return:1
---
Certificate chain
 0 s:C = US, O = United Marsupials, CN = ..., emailAddress = "mi+cert@..."
   i:C = US, ST = Some-State, O = United Marsupials, OU = Wombats, CN = Narawntapu
 1 s:C = US, ST = Some-State, O = United Marsupials, OU = Wombats, CN = Narawntapu
   i:C = US, ST = Some-State, O = United Marsupials, OU = Wombats, CN = Narawntapu
---
...
read R BLOCK
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE] imap.example.net Cyrus IMAP 2.5.17 server ready

Again, the same TB-installation had no problem for a long time -- until the certificate had to be regenerated...

You may suspect, that I messed up the regeneration somehow, but:
a) the iOS devices continue to access the same server without a problem;
b) Thunderbird presents no errors to the user -- which would be a bug, even if something truly was wrong with the service-side.

TB is 115.9.0, linked with nss-3.99 and nspr-4.35 -- using FreeBSD port.

Tried connecting to the same server from another computer, using the slightly older TB 115.6.0:

  1. Initially was facing the same symptoms:
    a) quiet failure on the client (a bug in its own right);
    b) imaps TLS negotiation failed message logged on the server.
  2. After importing the private CA's certificate into Thunderbird, all problems went away and the client connected properly.

Seems like a recent regression :(

Seems like a recent regression :(

Ok, I was able to overcome this by:

  1. Opening the cert9.db under the Thunderbird's profile:

     sqlite3 ~/.thunderbird/...../cert9.db

  2. Finding the CA's certificate in the database's sole table and deleting it:

     select id from nssPublic where a101 like '%MyCA%';
     delete from nssPublic where a101 like '%MyCA%';

For this to work, your SQLite3 has to be compiled with the option allowing the application of like to blobs -- -USQLITE_LIKE_DOESNT_MATCH_BLOBS -- because the a101-column, which is supposed to hold the certificates' subjects (great naming, Mozilla!), is a blob. You may be able to do this deletion through the GUI, $username, but I could not.

  3. Re-importing the CA's certificate again through the Certificate Manager.

After this, Thunderbird finally connected -- and prompted me for password.

So, the bugs are two:

  1. The error, whatever it is, is not communicated to the user -- if I didn't have access to the logs of the server, I'd have never known, what's wrong.
  2. The adding of a new CA -- for those, who guessed, that that's, what the problem is, may leave things in such a state, where the cert has to be removed and then re-added.
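
The lookup and deletion from the last comment can also be done without a SQLite build that applies LIKE to blobs, because instr() on two BLOB arguments is a plain byte search. The following is an added example, not code from the bug report or from Mozilla; the function names, the .bak backup and the two-column sample database are assumptions made for illustration (the column name a101 matches the PKCS#11 CKA_SUBJECT attribute, 0x101).

```python
import shutil
import sqlite3
from pathlib import Path

# instr() on two BLOBs is a byte search, so it works on any SQLite build.
MATCH = "a101 IS NOT NULL AND instr(a101, ?) > 0"

def open_db(db_path, mode):
    # mode is "ro" or "rw"; "ro" guarantees the lookup cannot modify the store.
    uri = Path(db_path).resolve().as_uri() + "?mode=" + mode
    return sqlite3.connect(uri, uri=True)

def find_by_subject(db_path, needle: bytes):
    """Return ids of nssPublic rows whose a101 blob contains needle."""
    con = open_db(db_path, "ro")
    try:
        rows = con.execute(f"SELECT id FROM nssPublic WHERE {MATCH} ORDER BY id", (needle,))
        return [r[0] for r in rows]
    finally:
        con.close()

def delete_by_subject(db_path, needle: bytes):
    """Back up the database to <db_path>.bak, delete matching rows, return the count."""
    shutil.copy2(db_path, str(db_path) + ".bak")
    con = open_db(db_path, "rw")
    try:
        with con:  # commits on success, rolls back on error
            return con.execute(f"DELETE FROM nssPublic WHERE {MATCH}", (needle,)).rowcount
    finally:
        con.close()

def build_sample_db(db_path):
    """Constructed stand-in for cert9.db: only the id and a101 columns, made-up blobs."""
    con = sqlite3.connect(db_path)
    with con:
        con.execute("CREATE TABLE nssPublic (id INTEGER PRIMARY KEY, a101 BLOB)")
        con.executemany("INSERT INTO nssPublic VALUES (?, ?)", [
            (1, b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04MyCA"),
            (2, b"\x30\x10\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x0c\x05Other"),
            (3, None),
        ])
    con.close()
```

Run it with Thunderbird closed, and call find_by_subject first to confirm which rows match before deleting. The match assumes the subject string is stored as ASCII/UTF-8 bytes inside the DER-encoded name.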