Closed Bug 1178497 Opened 9 years ago Closed 3 years ago

Cannot connect to an IMAP server with self-signed certificate

Categories

(MailNews Core :: Security, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(firefox42 affected, thunderbird38 affected, thunderbird39 affected, thunderbird40 affected, thunderbird41 affected, thunderbird42 affected, thunderbird_esr38 affected, seamonkey2.35 affected, seamonkey2.36 affected, seamonkey2.37 affected, seamonkey2.38 affected, seamonkey2.39 affected)

RESOLVED DUPLICATE of bug 966689

People

(Reporter: iannbugzilla, Unassigned)

References

Details

Trying to connect to an IMAP server which has a self-signed certificate fails.

Tested on a trunk build from 23rd June, but also on the SM 2.33.1 build.

STR
1/ Configure an IMAP server with SSL enabled on port 993.
2/ Configure the client (SM or TB) to connect using SSL/TLS
3/ Attempt to retrieve messages

Expected result
1/ Prompted to Add Security Exception, allowed to store certificate and confirm security exception.

Actual result
1/ Prompted to Add Security Exception but certificate is never retrieved and only Cancel button is available.

Messages in error console are:
Timestamp: 29/06/15 22:33:33
Error: mailserver:993 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

(Error code: sec_error_unknown_issuer)

Timestamp: 29/06/15 22:33:33
Error: Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Establishing a connection to an unsafe or otherwise banned port was prohibited"  nsresult: "0x804b0013 (NS_ERROR_PORT_ACCESS_NOT_ALLOWED)"  location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 109"  data: no]
Source File: chrome://pippki/content/exceptionDialog.js
Line: 115
Dupe of a bug regarding not allowing fetching certs from a non-standard (well, other than 443) port if lower than 1024, I think.
(In reply to Magnus Melin from comment #1)
> Dupe of a bug regarding not allowing fetching certs from a non-standard (well,
> other than 443) port if lower than 1024, I think.

Would that be bug 966689? I presume that SM would need the first part of the fix to bug 1046328, but isn't there still the need to allow access to get certificates via SSL on the various mailnews SSL ports?
Flags: needinfo?(mkmelin+mozilla)
Yes that's the one I meant.
As I understand it, you need to have the cert available on port 443 too for things to work.
Flags: needinfo?(mkmelin+mozilla)
Depends on: 966689

Have the same problem with Thunderbird-68.9.0-1.el8_2.x86_64 (CentOS 8): it cannot fetch emails from an IMAP server with a self-signed certificate (imap.cern.ch), showing an endless "Connected to imap.cern.ch". No chance to add an exception, as "Manage certificates" says that everything is OK.

In addition: Thunderbird (68.9.0 32-bit) on Windows, configured in exactly the same way (server:imap.cern.ch, port 993, SSL/TLS) doesn't have this bug.

I also had this problem today (v78.2.1, macOS). I have a local instance of Dovecot that I use to store messages in a client-independent way. The stock Dovecot in Macports sets up a self-signed SSL certificate, and Thunderbird would not accept it. Here is a snippet from the IMAP server log:

Aug 31 16:27:28 imap-login: Info: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<D7ovOzKu3cp/AAAB>

The Certificate Manager would not allow me to import the certificate from the server, but I could not tell why. I could connect to the server using openssl s_client just fine.

However, I found that if I used minica (https://github.com/jsha/minica) to create my own certificate authority, and imported that authority cert into Thunderbird, then Thunderbird would accept a certificate signed by that CA.

It seems to me that if Firefox can allow me to accept a self-signed cert, then Thunderbird should as well.
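The two certificate situations in this thread, the self-signed server certificate on port 993 from comment 0 and the private-CA workaround from comment 5, reproduced offline with OpenSSL as an added example. This is not code from the bug report, from Thunderbird or from NSS; it stands in for minica with `openssl`, assumes the host name `mailserver` from comment 0's error console and a made-up CA name "Local mail CA", and builds everything in a temporary directory. `fetch_server_cert` is the `openssl s_client` check from comment 5 and needs network, so the offline demo does not call it.

```shell
#!/bin/sh
# Added example (not from the bug, Thunderbird or NSS): generate a self-signed
# leaf and a private-CA-signed leaf for "mailserver" (name assumed from the
# error console in comment 0) and show which trust anchor each one needs.
set -e

HOST=mailserver

# Minimal config so the example does not depend on the system openssl.cnf.
# Note: no keyUsage on the server profile, so a self-signed leaf is also
# accepted as its own issuer by OpenSSL 1.1.1 when trusted directly.
write_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

# make_certs DIR: writes selfsigned.pem, ca.pem and ca-signed.pem into DIR.
make_certs() {
  d=$1; cnf=$d/openssl.cnf
  write_cnf "$cnf"
  # Case 1: self-signed leaf, like the stock Dovecot certificate in comment 5.
  openssl req -x509 -config "$cnf" -extensions v3_server -newkey rsa:2048 -nodes \
    -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" -days 30 \
    -subj "/CN=$HOST" 2>/dev/null
  # Case 2: private CA ("Local mail CA" is made up) plus a CA-signed leaf,
  # the same shape minica produces.
  openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 30 -subj "/CN=Local mail CA" 2>/dev/null
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/ca-signed.key" -out "$d/ca-signed.csr" -subj "/CN=$HOST" 2>/dev/null
  openssl x509 -req -in "$d/ca-signed.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$cnf" -extensions v3_server \
    -out "$d/ca-signed.pem" 2>/dev/null
}

# is_self_signed CERT: exit 0 when subject and issuer are identical, the
# condition NSS reports as "not trusted because it is self-signed".
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# verify_with CERT TRUSTFILE: verify against that file only (system store off).
verify_with() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_untrusted CERT: verify with no trust anchor at all.
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# fetch_server_cert HOST PORT: the openssl s_client check from comment 5;
# needs network, so the offline demo below does not call it.
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Offline demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_certs "$work"
  for c in selfsigned ca-signed; do
    if is_self_signed "$work/$c.pem"; then echo "$c: self-signed"; else echo "$c: issued by a CA"; fi
    verify_untrusted "$work/$c.pem" && echo "$c: verifies with no trust anchor" \
      || echo "$c: rejected with no trust anchor (what NSS calls sec_error_unknown_issuer)"
  done
  verify_with "$work/selfsigned.pem" "$work/selfsigned.pem" \
    && echo "selfsigned: accepted once the cert itself is trusted (a server exception)"
  verify_with "$work/ca-signed.pem" "$work/ca.pem" \
    && echo "ca-signed: accepted once only ca.pem is trusted (an imported authority)"
  rm -rf "$work"
fi
```

The point the demo makes is the one comment 5 observed: for the self-signed leaf the only usable trust anchor is the leaf itself, which is what Thunderbird's "Add Security Exception" dialog stores and what it could not fetch here; for the CA-signed leaf importing just the CA is enough, so the exception dialog is never involved.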

I was updated to TB 78.4.0 from TB 68.12.1 (win-64) on 11/5/2020 according to Update History; however, I wasn't prompted to install it until 11/10/2020. I have four IMAP mail accounts; all work fine except the one to my personal mail server, which has a self-signed SSL certificate, which I assume is the problem, though I cannot confirm it. I upgraded to TB 78.4.3 and the problem remains.

Symptoms are that all IMAP folders are accessible except INBOX in which the cursor always shows a rotating circle (never finishing) and no new incoming mail shown after 11/10/2020 installation. Existing (pre-install) mail messages are viewable. Wish I could shed more light on this but I'm not an SSL expert. I plan to roll-back to TB 68.12.1 for now.

That's likely quite unrelated to this bug. Press the Get Messages button, and you should get a dialog allowing accepting the self-signed certificate.

(In reply to Magnus Melin [:mkmelin] from comment #8)
> That's likely quite unrelated to this bug. Press the Get Messages button, and
> you should get a dialog allowing accepting the self-signed certificate.

I don't recall if I was prompted for the self-signed cert when I first brought up v78, but if I was, I accepted. v78 is now removed, so I can't retry but if that was the problem, I believe it would prompt again (which it didn't).

Should this block tb-enterprise (bug 564148)?

Flags: needinfo?(vseerror)
See Also: → 487498

I'm going to close this, not to confuse things. This bug, as originally filed, is a dupe of bug 966689.
For Thunderbird 78, it's certainly now again possible to use self-signed certificates. Clicking the Get Messages button will trigger a flow that allows adding the exception for the self-signed certificate.

I don't think this would have anything to do with enterprise either. That's one group of users who pay the few bucks to actually get a real certificate.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(vseerror)
Resolution: --- → DUPLICATE

I am running 78.5.1, and trying to use a cert from a self-signed CA (minica), and it does not work, even though the CA chain is imported. There is no feedback in the interface, but I can see that the connection to Dovecot fails with I-dont-like-that-cert.

Filed bug 1681960 for self-signed CA and some more.
