Open Bug 1062831 Opened 6 years ago Updated 6 years ago

Self-Signed certificates (SHA1) unacceptable to Thunderbird.


(Thunderbird :: Security, defect)

31 Branch
Windows 7
Not set


(Not tracked)



(Reporter: davehowe, Unassigned)



User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20140716183446

Steps to reproduce:

Generated a 4K SSC (RSA/SHA1) with the appropriate permissions

X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment
Netscape Cert Type: SSL Client, S/MIME

as PKCS#12 and imported into Thunderbird, selected for use as DS/encryption key on security tab.

Attempted to import pem certificate file to Authorities tab (failed, is not a CA) and People tab (fails, cannot be verified) so cannot set certificate to trusted/Email CA manually (could do this in prior releases of Thunderbird)

Actual results:

PKCS#12 import into "Your Certificates" succeeded, but cert shows as:
"Could not verify this certificate because it is not trusted"
Was able nonetheless to select this in the Security tab, but on attempting to send signed message get:
Send Message Error
/!\ Sending of message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired

Expected results:

Digitally signed message sent

bug 1036338 might be related

Component: Untriaged → Security

Possibly, although that relates to STARTTLS rather than S/MIME. I could try marking the keyUsage as critical and see if that helps.

Is there a debug log I could activate to gain more information/insight into this issue? 
Error console gives me:

Timestamp: 05/09/2014 11:10:44
Error: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgComposeSecure.finishCryptoEncapsulation]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: file:///M:/Thunderbird/Data/profile/extensions/%7B847b3a00-7ab1-11d4-8f02-006008948af5%7D/components/mimeEncrypt.js :: PgpMimeEncrypt.prototype.finishCryptoEncapsulation :: line 257"  data: no]
Source File: file:///M:/Thunderbird/Data/profile/extensions/%7B847b3a00-7ab1-11d4-8f02-006008948af5%7D/components/mimeEncrypt.js
Line: 257

I have also noted that since upgrading to the latest release, the [Edit Trust] button has been removed from the "servers" tab that I previously used to import and enable self signed target certs, AND it appears that, if you are typing a message to an existing SSC recipient and autosave attempts to save the draft, that fails (with an error) AND subsequent attempts to send will fail. Oddly, if you copy the draft text, cancel the email, then reply->paste->send that succeeds.

Very odd behaviour....

Your problems seem to be about PGP. That's not built into Thunderbird, but only an extension (and as such not tracked in Bugzilla). Can you reproduce using "thunderbird.exe -safe-mode"?

That's possible - the Enigmail plugin is installed and running, as I use PGP; however, this is an S/MIME issue. I will try disabling the Enigmail plugin in case it is the cause of the issue.

OK, disabled Enigmail and re-tried; same issue, but no error now logged in error console.

See Also: → 1096911