Open Bug 1151264 Opened 9 years ago Updated 2 years ago

OCSP validation failure results in very misleading error message

Categories

(MailNews Core :: Networking: IMAP, defect)

x86_64
Windows 8.1
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: oskar, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150326190726

Steps to reproduce:

Thunderbird gave me the following error when trying to fetch mail:

"The IMAP server XYZ does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server settings'."

In my IMAP server (dovecot) I could see the following being logged:

dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=<ip>, lip=<ip>, TLS, session=<...>

I use a StartCom SSL free certificate, and it turns out they have issues with their OCSP server. Firefox gave me this error when browsing to a site with the same certificate: "The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)"

It would be useful if Thunderbird could give the same kind of error message.


Actual results:

(see above)


Expected results:

(see above)

I should also add, disabling OCSP fixes the issue, so this bug is only about the actual error message being (somewhat) misleading.

The message seems to be produced at http://mxr.mozilla.org/comm-central/source/mailnews/imap/src/nsImapProtocol.cpp#8368 . I am not sure we have enough information about what exactly failed at that spot.

Component: Untriaged → Networking: IMAP
Product: Thunderbird → MailNews Core
Severity: normal → S3