Open Bug 1121302 Opened 11 years ago Updated 2 years ago

Thunderbird fails without descriptive error message when accessing server with a personal CA-signed certificate

Categories: Thunderbird :: Security, defect
31 Branch, x86_64 Linux
Tracking: Not tracked
Status: UNCONFIRMED
People: Reporter: torriem, Unassigned

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.1) Gecko/20141127 Firefox/31.9 PaleMoon/25.1.0
Build ID: 20141127152705

Steps to reproduce:

Simply trying to send email or access IMAP on my personal server, which uses a certificate signed by my own personal CA. I've tried importing my CA (which worked in the older versions), and not.

Actual results:

When sending mail, Thunderbird connects to my server, then says sending failed due to an "unknown error." Nothing goes to the error log, and though it's highly likely the problem is because of libpkix not liking my cert, I get no message about that, no dialog to allow an exception to a bad certificate, nothing. Trying to read email just sits there saying "checking mail server capabilities..." Downgrading to the older Thunderbird without libpkix works fine.

Expected results:

At the very least Thunderbird should have given an error message explaining that it was a cert failure. And if it is a cert failure, I should have the option to allow it anyway. The whole reason I did a self-made CA is so that I would not have to accept every one of my own certificates if I could import the CA cert. This is really a step backwards for me. Even worse, I can't find any utility to use libpkix to examine my certificate and tell me why libpkix doesn't like it. And since it's just a private CA that I'm adding myself, why does libpkix have to be so strict with it? I should be able to override it somehow!
For 31, you can try setting security.use_mozillapkix_verification to false.
Also, can you provide the server address and port?
Component: Untriaged → Security
Yes, it works fine with the pkix stuff disabled. Sending mail via submission port and incoming via IMAP with TLS. A server address and port that has my cert is mail.torriefamily.org:587 (STARTTLS only, requires authentication), and port 993 for imaps. The imaps port may not be accessible outside of the private part of my network. Just to be clear here, the primary purpose of this bug report is to report the fact that Thunderbird reports no clear error message to tell me it's a certificate error.
Hi Michael, I agree there's a lot more we could do around communicating to the user specifically what the problem is. However, that's a difficult problem, and we've had a hard enough time just implementing the new certificate verification library. My hope is we will continue to improve the user experience, but in the meantime, I had a look at the certificates sent by the server at mail.torriefamily.org:993. Here's what openssl says about the root certificate:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha512WithRSAEncryption
            Issuer: C=CA, ST=Alberta, O=torriem, OU=torriem, CN=torriemca/emailAddress=torriem@gmail.com
            Validity
                Not Before: Apr 26 21:41:00 2014 GMT
                Not After : Apr 26 21:41:00 2024 GMT
            Subject: C=CA, ST=Alberta, O=torriem, OU=torriem, CN=torriemca/emailAddress=torriem@gmail.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: <omitted for length>
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier:
                    F8:25:AF:08:0A:FF:19:13:75:9E:15:D7:86:89:7A:61:E7:DF:69:1A
                X509v3 Key Usage:
                    Certificate Sign, CRL Sign
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://www.torriefamily.org/crl.der
                Netscape Cert Type:
                    SSL CA, S/MIME CA, Object Signing CA
                Netscape Comment:
                    xca certificate
        Signature Algorithm: sha512WithRSAEncryption
            <omitted for length>

This certificate looks good. However, the 'Netscape Cert Type' and 'Netscape Comment' extensions are at best useless, so you can remove them.
Here's the end-entity certificate:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8 (0x8)
        Signature Algorithm: sha512WithRSAEncryption
            Issuer: C=CA, ST=Alberta, O=torriem, OU=torriem, CN=torriemca/emailAddress=torriem@gmail.com
            Validity
                Not Before: May 10 23:49:00 2014 GMT
                Not After : May 10 23:49:00 2019 GMT
            Subject: CN=mail.torriefamily.org, C=CA, ST=Alberta/emailAddress=torriem@gmail.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: <omitted for length>
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Subject Alternative Name:
                    DNS:mail.torriefamily.org, DNS:torriefamily.org, DNS:smtp.torriefamily.org, DNS:imap.torriefamily.org, DNS:pop3.torriefamily.org, DNS:yorktown.torriefamily.org, IP Address:192.168.9.1, IP Address:192.168.9.30
                Netscape Cert Type:
                    SSL Server
                Netscape Comment:
                    xca certificate
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    60:2B:CB:3B:D4:5A:7A:AC:99:8F:FC:5A:58:B0:8E:B7:8F:6D:AC:F4
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                Netscape Cert Type:
                    SSL Server
                Netscape Comment:
                    xca certificate
        Signature Algorithm: sha512WithRSAEncryption

The main problem with this certificate is that there are duplicate extensions. This violates RFC 5280 section 4.2: "A certificate MUST NOT include more than one instance of a particular extension." If you remove the duplicated extensions (as well as the problematic Netscape extensions), you should be good to go.
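As an added illustration (not part of this bug thread, and not Mozilla or NSS code), the following standard-library Python walks a DER-encoded X.509 Extensions sequence and reports every extension OID that occurs more than once, which is the RFC 5280 section 4.2 violation identified in the comment above. It also lists the legacy Netscape extensions (arc 2.16.840.1.113730.1) so both of the suggested clean-ups can be checked mechanically. The sample DER is constructed here to mirror the extension order in the end-entity dump (one SAN entry and a placeholder key identifier stand in for the real values); it is not the actual certificate. The OID-to-name table is limited to the extensions seen in this thread.

```python
# Dotted OIDs for the extensions that appear in this thread (standard assignments).
OID_NAMES = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.16.840.1.113730.1.1": "nsCertType",
    "2.16.840.1.113730.1.13": "nsComment",
}


def _read_tlv(buf, pos):
    """Read one DER TLV (single-byte tag, short or long definite length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    first = value[0]
    arcs = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def parse_extensions(der):
    """Parse Extensions ::= SEQUENCE OF SEQUENCE { extnID OID, critical BOOLEAN
    DEFAULT FALSE, extnValue OCTET STRING }; return [(oid, critical), ...]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        t, oid_bytes, p = _read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        critical = False
        t, val, p = _read_tlv(ext, p)
        if t == 0x01:                      # optional critical BOOLEAN is present
            critical = val != b"\x00"
            t, val, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        exts.append((_decode_oid(oid_bytes), critical))
    return exts


def find_duplicate_extensions(der):
    """Names of extensions present more than once; RFC 5280 4.2 says MUST NOT."""
    counts = {}
    for oid, _ in parse_extensions(der):
        counts[oid] = counts.get(oid, 0) + 1
    return sorted(OID_NAMES.get(o, o) for o, n in counts.items() if n > 1)


def find_netscape_extensions(der):
    """Legacy Netscape extensions (useless today, as the comment above says)."""
    return sorted({OID_NAMES.get(o, o) for o, _ in parse_extensions(der)
                   if o.startswith("2.16.840.1.113730.1.")})


# --- constructed sample data: DER built by hand, NOT the real certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return out


def _ext(oid, value, critical=False):
    body = _tlv(0x06, _oid(oid)) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, value))


_BC_FALSE = _tlv(0x30, b"")                               # BasicConstraints {} => CA:FALSE
_KU_SIGN = b"\x03\x02\x05\xe0"                            # digitalSignature, nonRepudiation, keyEncipherment
_SAN = _tlv(0x30, _tlv(0x82, b"mail.torriefamily.org"))  # one dNSName stands in for the full list
_NS_TYPE = b"\x03\x02\x06\x40"                            # nsCertType: SSL Server
_NS_COMMENT = _tlv(0x16, b"xca certificate")              # IA5String
_SKI = _tlv(0x04, bytes(range(20)))                       # placeholder key identifier

# Same extension order as the end-entity dump: four extensions repeat.
DUPLICATED_EXTENSIONS_DER = _tlv(0x30, b"".join([
    _ext("2.5.29.19", _BC_FALSE, critical=True), _ext("2.5.29.15", _KU_SIGN),
    _ext("2.5.29.17", _SAN), _ext("2.16.840.1.113730.1.1", _NS_TYPE),
    _ext("2.16.840.1.113730.1.13", _NS_COMMENT),
    _ext("2.5.29.19", _BC_FALSE, critical=True), _ext("2.5.29.14", _SKI),
    _ext("2.5.29.15", _KU_SIGN), _ext("2.16.840.1.113730.1.1", _NS_TYPE),
    _ext("2.16.840.1.113730.1.13", _NS_COMMENT),
]))

# The suggested fix: one copy of each extension, Netscape extensions dropped.
CLEAN_EXTENSIONS_DER = _tlv(0x30, b"".join([
    _ext("2.5.29.19", _BC_FALSE, critical=True), _ext("2.5.29.15", _KU_SIGN),
    _ext("2.5.29.17", _SAN), _ext("2.5.29.14", _SKI),
]))
```

The reader handles only what an Extensions sequence needs (single-byte tags, definite lengths); to run it on a real certificate you would first pull the `[3] EXPLICIT Extensions` element out of the TBSCertificate. For a quick check with nothing but openssl, repeated extension headers in `openssl x509 -in cert.pem -noout -text | grep 'X509v3' | sort | uniq -d` point at the same problem.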
David: is there some kind of logging one can turn on in Mozilla that can tell that this is the issue? Or does it need someone in the know to look at the cert?
Thank you David. That is easy for me to fix. Consider this a feature request then for Firefox and Thunderbird to present more information instead of failing nearly silently. I had this originally happen a month ago when Thunderbird updated while I was traveling. For several weeks I just figured it was a misconfiguration on my server that wouldn't allow me to use it from outside my private network. It was only when I returned home and updated another machine that I started to suspect the certificate, and found all the bug reports here regarding libpkix growing pains. Perhaps we need an add-on that can fetch a certificate and tell us exactly which parts of the libpkix verification process are failing. That would be super useful. I'm all for making my certificates correct, but I don't know enough to just look at the certificate and know what's wrong. I don't want to waste developer time by coming here with a bug report to get free SSL certificate support! Appreciate the feedback and help from the devs here. Very impressed.
Severity: normal → S3

This is still a problem in Thunderbird 110.

I just spent an hour finding out that Thunderbird was still using my old X.509 client certificate. My new X.509 client certificate was already in the Thunderbird certificate manager, but not selected.
I just got a short-lived popup (Linux, KDE) saying:
Non-overridable TLS error occurred. Handshake error or probably the TLS version or certificate used by server example.net is incompatible.

Via
"Tools" -> "Activity Manager"
I could read the message with enough time and copy the text.

Problems:

  1. First, I didn't notice the popup because it was so short-lived. Maybe this is due to KDE. And surely users don't want a hard message box dialog every time a bad wireless network breaks their connection. But not getting mail for hours is an irritating problem!
    Maybe a better solution would be something like a red error bar at the top of the Thunderbird main window if the connection to the mail server fails and mail can't be received.

  2. Second, the error message is not helpful at all. In Firefox you can get much more descriptive errors like "SSL_ERROR_RX_CERTIFICATE_REQUIRED_ALERT" or "SSL peer rejected your certificate as expired. Error code: SSL_ERROR_EXPIRED_CERT_ALERT".

Related:

  • #1817170 Firefox and Thunderbird should ask if last chosen client certificate is not accepted (anymore)
  • #1817164 Secure Connection Failed is missing details after Firefox > 102 (regression, Client Certificate)