Closed Bug 1178497 Opened 10 years ago Closed 5 years ago

Cannot connect to an IMAP server with self-signed certificate

Categories

(MailNews Core :: Security, defect)

Product:
MailNews Core
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox42 affected, thunderbird38 affected, thunderbird39 affected, thunderbird40 affected, thunderbird41 affected, thunderbird42 affected, thunderbird_esr38 affected, seamonkey2.35 affected, seamonkey2.36 affected, seamonkey2.37 affected, seamonkey2.38 affected, seamonkey2.39 affected)

Status:
RESOLVED DUPLICATE of bug 966689
Tracking Flags:
Tracking Status
firefox42 --- affected
thunderbird38 --- affected
thunderbird39 --- affected
thunderbird40 --- affected
thunderbird41 --- affected
thunderbird42 --- affected
thunderbird_esr38 --- affected
seamonkey2.35 --- affected
seamonkey2.36 --- affected
seamonkey2.37 --- affected
seamonkey2.38 --- affected
seamonkey2.39 --- affected

People

(Reporter: iannbugzilla, Unassigned)

References

Details

Trying to connect to an IMAP server which has a self-signed certificate fails. Testing on trunk build from 23rd June but also on SM 2.33.1 build. STR 1/ Configure an IMAP server with SSL enabled on port 993. 2/ Configure the client (SM or TB) to connect using SSL/TLS 3/ Attempt to retrieve messages Expected result 1/ Prompted to Add Security Exception, allowed to store certificate and confirm security exception. Actual result 1/ Prompted to Add Security Exception but certificate is never retrieved and only Cancel button is available. Messages in error console are: Timestamp: 29/06/15 22:33:33 Error: mailserver:993 uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_unknown_issuer) Timestamp: 29/06/15 22:33:33 Error: Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Establishing a connection to an unsafe or otherwise banned port was prohibited" nsresult: "0x804b0013 (NS_ERROR_PORT_ACCESS_NOT_ALLOWED)" location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 109" data: no] Source File: chrome://pippki/content/exceptionDialog.js Line: 115
Dupe of a bug regarding not allowing to fetch certs from non-standard (well, 443) port if lower than 1024, I think.
(In reply to Magnus Melin from comment #1) > Dupe of a bug regarding not allowing to fetch certs from non-standard (well, > 443) port if lower than 1024, I think. Would that be bug 966689? I presume that SM would need the first part of the fix to bug 1046328, but isn't there still the need to allow access to get certificates via SSL on the various mailnews SSL ports?
Flags: needinfo?(mkmelin+mozilla)
Yes that's the one I meant. As I understand it, you need to have the cert available on port 443 too for things to work.
Flags: needinfo?(mkmelin+mozilla)
Depends on: 966689

Have the same problem with Thunderbird-68.9.0-1.el8_2.x86_64 (CentOS 8): it cannot fetch emails from IMAP server with a self-signed certificate (imap.cern.ch), showing infinitely long "Connected to imap cern.ch". No chance to add an exception, as "Manage certificates" tells that everything is OK.

In addition: Thunderbird (68.9.0 32-bit) on Windows, configured in exactly the same way (server:imap.cern.ch, port 993, SSL/TLS) doesn't have this bug.

I also had this problem today (v78.2.1, macOS). I have a local instance of Dovecot that I use to store messages in a client-independent way. The stock Dovecot in Macports sets up a self-signed SSL certificate, and Thunderbird would not accept it. Here is a snippet from the IMAP server log:

Aug 31 16:27:28 imap-login: Info: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<D7ovOzKu3cp/AAAB>

The Certificate Manager would not allow me to import the certificate from the server, but I could not tell why. I could connect to the server using openssl s_client just fine.

However, I found that if I used minica (https://github.com/jsha/minica) to create my own certificate authority, and imported that authority cert into Thunderbird, then Thunderbird would accept a certificate signed by that CA.

It seems to me that if Firefox can allow me to accept a self-signed cert, then Thunderbird should as well.

I was updated to TB 78.4.0 from TB 68.12.1 (win-64) on 11/5/2020 according to Update History however, I wasn't prompted to install it until 11/10/2020. I have four IMAP mail accounts; all work fine except the one I have to my personal mail server which has a self-signed SSL certificate that I assume this is the problem, though I cannot confirm it. I upgraded to TB 78.4.3 and problem remains.

Symptoms are that all IMAP folders are accessible except INBOX in which the cursor always shows a rotating circle (never finishing) and no new incoming mail shown after 11/10/2020 installation. Existing (pre-install) mail messages are viewable. Wish I could shed more light on this but I'm not an SSL expert. I plan to roll-back to TB 68.12.1 for now.

That's likely quite unrelated to this bug. Press the Get Messages button, and you should get a dialog allowing accepting the self-signed certificate.

(In reply to Magnus Melin [:mkmelin] from comment #8)

That's likely quote unrelated to this bug. Press the Get Messages button, and you should get a dialog allowing accepting the self-signed certificate.

I don't recall if I was prompted for the self-signed cert when I first brought up v78, but if I was, I accepted. v78 is now removed, so I can't retry but if that was the problem, I believe it would prompt again (which it didn't).

Should this block tb-enterprise (bug 564148)?

Flags: needinfo?(vseerror)
See Also: → 487498

I'm going to close this, not to confuse things. This bug as originally filed, is dupe of bug 966689.
For Thunderbird 78, it's certainly now again possible to use self-signed certificated. Clicking the Get Messages button will trigger a flow that allows adding the exception for the self signed certificate.

I don't think this would have anything to do with enterprise either. That's one group of users who pay the few bucks to actually get real certificate.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(vseerror)
Resolution: --- → DUPLICATE

I am running 78.5.1, and trying to use a cert from a self-signed CA (minica), and it does not work, even though the CA chain is imported. There is no feedback in the interface, but I can see that the connection to Dovecot fails with I-dont-like-that-cert.

Filed bug 1681960 for self-signed CA and some more.

You need to log in before you can comment on or make changes to this bug.