OCSP validation failure results in very misleading error message



MailNews Core
Networking: IMAP
3 years ago
3 years ago


(Reporter: Oskar Liljeblad, Unassigned)


Windows 8.1

Firefox Tracking Flags

(Not tracked)




3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150326190726

Steps to reproduce:

Thunderbird gave me the following error when trying to fetch mail:

"The IMAP server XYZ does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server settings'."

In my IMAP server (dovecot) I could see the following being logged:

dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=<ip>, lip=<ip>, TLS, session=<...>

I use a StartCom SSL free certificate, and it turns out they have issues with their OCSP server. Firefox gave me this error when browsing to a site with the same certificate: "The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)"

It would be useful if Thunderbird could give the same kind of error message.

Actual results:

(see above)

Expected results:

(see above)

Comment 1

3 years ago
I should also add, disabling OCSP fixes the issue, so this bug is only about the actual error message being (somewhat) misleading.

Comment 2

3 years ago
The message seems to be produced at http://mxr.mozilla.org/comm-central/source/mailnews/imap/src/nsImapProtocol.cpp#8368 . I am not sure we have enough information what exactly failed at that spot.
Component: Untriaged → Networking: IMAP
Product: Thunderbird → MailNews Core
You need to log in before you can comment on or make changes to this bug.