Closed Bug 1109595 Opened 10 years ago Closed 9 years ago

Unable to add Security Exception for SMTP/IMAP/POP3 servers [regression]

Categories

(SeaMonkey :: MailNews: Backend, defect)

SeaMonkey 2.31 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Franke, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 SeaMonkey/2.31
Build ID: 20141202220728

Steps to reproduce:

1. Update from SM 2.30 to 2.31.
2. Add configuration for a SMTP, IMAP or POP3 server which uses SSL/TLS or STARTTLS with a self-signed certificate (or: remove the security exception for an already configured server).
3. Try to connect to this server.
4. Examine the "Add Security Exception" dialog which appears.



Actual results:

The "View" and "Confirm Security Exception" buttons of the dialog are disabled (Using "Get Certificate" does not change this).

As a consequence, new security exceptions could not be added. Existing security exceptions are not affected.

Workaround: After downgrading to SM 2.30 it works again.



Expected results:

The "Confirm Security Exception" button should be enabled and work as expected.
According to Bug 1059476 (update certificate exception handling in seamonkey to deal with bug 940506) this was fixed in 2.30 and 2.31. Perhaps we didn't fix all the callers.
With 2.30, the cert exception dialog does not appear for HTTPS with self-signed certs.
This was apparently fixed in 2.31, but this bug here appears instead.
Does FF 34 work correctly?
Problem could be reproduced also with SM 2.32 (Build ID: 20150112201917).

Note that it affects only the mail protocols SMTP/IMAP/POP3. Security exceptions for HTTPS web pages work as expected.
This seems similar to what I reported in bug 1122239.
Hi, I am also affected by this problem. I am using a Google certificate, not a self-signed one. It seems to be a regression in seamonkey-2.31 and seamonkey-2.32; it works for me in seamonkey-2.30.

Downstream Fedora bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1185478

I am unable to add security exception for google apps IMAP hosted on own domain.

Steps to Reproduce:
1. e.g. configure IMAP SSL access for imap.yarda.eu:993

Actual results:
Security dialog shows "Unable to obtain identification status for the given site." and the security exception cannot be added

The certificate is not self-signed, the chain:
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com
verify return:1

I need the exception, because cname of my own domain is imap.yarda.eu, not imap.gmail.com.

Log from console:
Timestamp: 25.1.2015 01:05:10
Error: imap.yarda.eu:993 uses an invalid security certificate.

The certificate is only valid for imap.gmail.com

(Error code: ssl_error_bad_cert_domain)

Timestamp: 25.1.2015 01:05:10
Warning: Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help http://xhr.spec.whatwg.org/
Source File: chrome://pippki/content/exceptionDialog.js
Line: 107

Timestamp: 25.1.2015 01:05:10
Error: Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Establishing a connection to an unsafe or otherwise banned port was prohibited"  nsresult: "0x804b0013 (NS_ERROR_PORT_ACCESS_NOT_ALLOWED)"  location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 109"  data: no]
Source File: chrome://pippki/content/exceptionDialog.js
Line: 115


It seems it's blocking itself from getting the certificate; it is probably related to some change in the port blocking "feature":
http://www-archive.mozilla.org/projects/netlib/PortBanning.html

It's probably a too-smart security mechanism :)

Workaround:
Add the following to your prefs.js:
 user_pref("network.security.ports.banned.override", "993");

And the exception dialog is no longer grayed out, and I am able to add the exception as in seamonkey-2.30.

So with this workaround I am finally able to add the exception, but I still don't know why it is asking for the exception from time to time (e.g. once per month) if the exception is already there and the certificate doesn't seem to change.
(In reply to Jaroslav Škarvada from comment #6)
> Workaround:
> Add the following to your prefs.js:
>  user_pref("network.security.ports.banned.override", "993");

Thanks for the info. Works for me with SMTP+SSL (465), but not with SMTP+STARTTLS (587).
I confirm the regression, and the work around (using Seamonkey 2.30 to setup the secure SMTP server).
I also can't "Get Certificate" with seamonkey-2.33.1.en-US.linux-x86_64.tar.bz2. I have the issue with mail-protocol imaps on default port 993. Fortunately the Workaround helps:
prefs.js
user_pref("network.security.ports.banned.override", "993");

Thanks
(In reply to Christian Franke from comment #4)
> Note that it affects only the mail protocols SMTP/IMAP/POP3. Security
> exceptions for HTTPS web pages work as expected.

This behaviour is a duplicate of bug 966689 [(Can't get Certificate from blocked ports (NNTPS, IMAPS, POPS)]

What exactly is the regression from 2.30 to 2.31?
(In reply to :Hb from comment #10)
> (In reply to Christian Franke from comment #4)
> > Note that it affects only the mail protocols SMTP/IMAP/POP3. Security
> > exceptions for HTTPS web pages work as expected.
> 
> This behaviour is a duplicate of bug 966689 [(Can't get Certificate from
> blocked ports (NNTPS, IMAPS, POPS)]
> 
> What exactly is the regression from 2.30 to 2.31?

I don't know in which version it appears, but getting a new certificate when an old one expired worked with linux-x86_64 seamonkey 2.25 and is impossible now on 2.33.1. I refer to mail protocol IMAPS on port 993.

Getting a new certificate and setting an exception with HTTPS is possible on both (2.25 and 2.33.1)

SMTP with STARTTLS on port 25 seems to be affected too, because I can get a new certificate with icedove 31.5.0, but not with seamonkey 2.33.1 (again no reaction from Get Certificate, greyed exception button). The only workaround for sending mails I found for seamonkey 2.33.1 so far, is to use "None connection security", which is a real showstopper.
(In reply to :Hb from comment #10)
> What exactly is the regression from 2.30 to 2.31?

Christian's description seems clear to me:

[With SM 2.31] The "View" and "Confirm Security Exception" buttons of the dialog are disabled
(Using "Get Certificate" does not change this). As a consequence, new security exceptions could
not be added. Existing security exceptions are not affected.

[With SM 2.30, the buttons are NOT disabled, so the security exception CAN be added.]

I can confirm that this is the case. Something broke in the 2.31 release.
Have just hit this bug on a Win7 x64 machine. Have downgraded from 2.33.1 to 2.30.

This is a dealbreaker. It would be good if this could be fixed at some point.
I have just confirmed that this issue is also broken in SeaMonkey 2.33.1 in Mac OS X.

By downgrading to 2.30, it was possible to accept the certificate for the mail server.  2.33.1 would NOT allow a certificate presented by an IMAP server on port 993 to be accepted.

This bug was introduced with 2.31 and is being carried forward.  The bug affects all platforms, Windows, Mac, and Linux.

At present, the work around is to downgrade to 2.30 to allow acceptance of the certificate.

Please change the status of this bug from UNCONFIRMED to allow work to proceed on the bug.
(In reply to V Cordrey from comment #15)

> By downgrading to 2.30, it was possible to accept the certificate for the
> mail server.  2.33.1 would NOT allow a certificate presented by an IMAP
> server on port 993 to be accepted.

After the certificate has been accepted using 2.30, it is possible to upgrade back to 2.33.1 and have the certificate continue to operate correctly.
> Workaround:
> Add the following to your prefs.js:
>  user_pref("network.security.ports.banned.override", "993");


Thanks heaps for this. 

Works for me with SMTP+SSL (465), but not with SMTP+STARTTLS (587).
Hi,

the certificate-problem is gone for me with the just released seamonkey-2.35!

Big thanks from a long-time seamonkey user!
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38

With 2.38, adding security exceptions works again without "network.security.ports.banned.override" workaround. Tested with IMAP+STARTTLS (143), IMAP+SSL (993), POP3+STARTTLS (110), POP3+SSL (995), SMTP+STARTTLS (587), SMTP+SSL (465).

Thanks to the unknown author of this unknown patch from a very-long-time SeaMonkey user:-)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
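Added example, not part of the bug thread or of SeaMonkey's code: the comments above report that releases from 2.35 onward no longer need the `network.security.ports.banned.override` workaround, so a profile that still carries it is un-banning ports for no benefit. This sketch scans prefs.js text for the override and separates the mail ports named in this thread from anything else it un-bans; the sample prefs text is constructed, and the value syntax (comma-separated ports and `a-b` ranges) is an assumption.

```javascript
// Added example: audit prefs.js text for the port-ban override workaround.
const PREF = "network.security.ports.banned.override";
// Mail ports and labels as the commenters in this thread gave them.
const MAIL_PORTS = {
  25: "SMTP+STARTTLS", 110: "POP3+STARTTLS", 143: "IMAP+STARTTLS",
  465: "SMTP+SSL", 587: "SMTP+STARTTLS", 993: "IMAP+SSL", 995: "POP3+SSL",
};

// Constructed sample, not taken from a real profile.
const SAMPLE_PREFS = [
  '// constructed sample prefs.js',
  '// user_pref("network.security.ports.banned.override", "25");',
  'user_pref("network.security.ports.banned.override", "993,465,6000-6002");',
].join("\n");

// Expand "993,465" or "990-995" into a sorted list of port numbers.
// Assumption: the value is a comma-separated list of ports and a-b ranges.
function parsePortList(value) {
  const ports = new Set();
  for (const part of value.split(",")) {
    const m = /^\s*(\d+)\s*(?:-\s*(\d+))?\s*$/.exec(part);
    if (!m) continue; // skip malformed entries
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo > hi || hi > 65535) continue; // skip impossible ranges
    for (let p = lo; p <= hi; p++) ports.add(p);
  }
  return [...ports].sort((a, b) => a - b);
}

// Report the effective (last) override line; commented-out lines are ignored.
function auditPrefs(prefsText) {
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/gm;
  let value = null;
  let m;
  while ((m = re.exec(prefsText)) !== null) {
    if (m[1] === PREF) value = m[2];
  }
  if (value === null) return { present: false, ports: [], mail: [], other: [] };
  const ports = parsePortList(value);
  return {
    present: true,
    ports,
    mail: ports.filter((p) => p in MAIL_PORTS).map((p) => `${p} (${MAIL_PORTS[p]})`),
    other: ports.filter((p) => !(p in MAIL_PORTS)), // un-banned, not a mail port
  };
}

console.log(auditPrefs(SAMPLE_PREFS));
```

Entries reported under `other` are ports the override un-bans that no mail protocol in this thread uses, so they deserve a look before the line is kept.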
The problem is present when trying to contact a SMTP server for SSL/TLS authentication to send mail (my account is configured as POP3) in 2.33.1 for Mac. SeaMonkey says "No Information Available Unable to obtain identification status for given site." As a result, the Confirm Security Exception button is dimmed, and nothing can be done to connect to the server. This happened after changing web / mail hosts. To solve it, I loaded an old copy of 2.26. It worked normally, and allowed the security exception to be added. Then we went back to 2.33.1 for normal use and all is good. I have not tried updating to the most recent 2.39... perhaps the problem has been solved there.
Baxter,

It is always a good idea to read the existing comments before adding one more.

1) The regression occurred between 2.30 and 2.31
2) The problem is fixed in 2.35 onward

Note that the SM project cannot support obsolete and insecure versions.
It is always a good idea to set the status according to the current situation.
Resolution: WORKSFORME → FIXED
(In reply to Mason from comment #21)
I did read all of the comments.  I added my comment in order to add keywords to this thread so that it is easier for someone experiencing the same problem as we did today to find the bug discussion and solution.

Thank you for clarifying that the bug causing the dimmed Confirm Security Exception button is fixed in all versions of SeaMonkey from 2.35 onward for all platforms.
(In reply to :Hb from comment #22)
> It is always a good idea to set the status according to the current
> situation.
I intentionally set resolution to WORKSFORME because it is unclear which specific change fixed this regression. IIRC that was (is?) the policy in this bugzilla.
> It is always a good idea to ...
Note to myself: It is always a good idea to not flame around on Bugzilla.

WORKSFORME indicates that the faulty behaviour can't be reproduced under the same circumstances. If a new version of the program is not affected any more something must have been fixed.
I am experiencing this same issue with Thunderbird 45.3.0.
Setting network.security.ports.banned.override does modify the behaviour of the add exception dialog: when I click "get certificate", all buttons are disabled (presumably it is busy trying to fetch something), but they never get enabled again, and the only way to close the application is to kill it.

Also, I want to add an exception for STARTTLS, so I'm not sure that fetching the certificate in that way will even work.

I do have a local copy of the certificate. Is there a way to add an exception in that way?
(In reply to Ruud van Asseldonk from comment #27)
> I do have a local copy of the certificate. Is there a way to add an
> exception in that way?

You can import the certificate. See bug 966689 comment 1 for this.