Open Bug 1586626 Opened 5 years ago Updated 2 years ago

Thunderbird keeps asking to specify an SSL client certificate (User Identification Request) if I have an S/MIME certificate

Categories

(MailNews Core :: Networking: SMTP, defect)

defect

Tracking

(Not tracked)

People

(Reporter: 52qtuqm9, Unassigned)

References

Details

Attachments

(1 file)

Recently, Thunderbird daily has started asking me the first time I send a message after starting it up to specify a certificate when sending email.

See the screenshot of the "User Identification Request" dialog attached. It says "This site has requested that you identify yourself with a certificate."

The "site" in question is my own mail server, whose configuration I have not changed in a Very Long Time. I suppose it is possible that the underlying sendmail package from CentOS has been changed to cause it to start requesting certificates when it wasn't doing that before, but I don't think so. I think it's more likely that something in TB has changed that is causing it to ask me to specify a cert now when I wasn't asked before?

I can find no way in the preferences to turn this behavior off.

There is a "Remember this decision" checkbox, but even when I check it I get prompted again the next time I restart Thunderbird and send a message.

This mail server does not actually require a certificate to be sent, so I have no idea why TB has started prompting me for one.

Maybe a change in mozilla-central caused this? Looking in the pushlog of Sep 19, I see bug 1573542 which might cause this.
https://hg.mozilla.org/mozilla-central/pushloghtml?startdate=Sep+18%2C+2019&enddate=Sep+19%2C+2019

Jonathan, those C-C ranges that you usually report don't really help us. I always have to get someone else to find the M-C range. You have the executables from the regression test present, can't you just look at the build configuration in the troubleshooting information and give us the M-C changesets?

That said, for a while now, my old Yahoo account prompts me with the same request as you've shown, but no other IMAP account.

Kai, are you aware of any changes in this area?

Flags: needinfo?(kaie)

Jorg,

When I start regressing an issue, I have no way of knowing whether it's a C-C or M-C issue. Even after I'm done regressing, it is clearer, but not always entirely clear, that the issue is a M-C issue.

I don't have "executables from the regression test present" when I'm done, because (as far as I know) mozregression deletes them when the regression is finished. Perhaps it actually saves them somewhere, but if that's the case, I don't know where and I can't find documentation anyplace that explains it. I don't see a command-line option in the usage message to tell it not to delete files.

Because I don't have executables to check after the fact, to do what you are suggesting would require me, for every single step in the regression, to open the troubleshooting information and copy the C-C and M-C commits, so that when I'm done I can match the range that mozregression gives me against that list in order to produce the equivalent M-C range.

Or I would have to run the whole regression again.

So, you're asking me to spend twice as long every time I regress one of these issues to make up for the fact that the tooling is inadequate.

Perhaps it would make more sense to ask the people who maintain the tooling to figure out how to make it spit out both the M-C and C-C range when someone is done regressing a Thunderbird issue.

If there is a way to acquire the information you're asking for that doesn't make regressing take twice as long, feel free to share it with me and I will happily do it. If I am wrong about any of my assumptions above, e.g., "mozregression deletes them when the regression is finished," then I would be happy to be corrected.

But absent that, I am not really sure it is kind or fair to tell the people who tolerate the disruption of running Daily so that bugs can be identified quickly and who take the time not only to report bugs but to regress them using the Mozilla-provided tools that their bug reports "don't really help [you]."

https://hg.mozilla.org/comm-central/pushloghtml?fromchange=dd918656e4d7e4c79ebf44d9cb4e31eec406c1de&tochange=51f6d35de7f4fca23ad24c9c300318935d846897

C-C dd918656e4d7e4c79ebf44d9cb4e31eec406c1de was built with M-C b3ecb5aef45a8fb74764bb32e54567d57e
C-C 51f6d35de7f4fca23ad24c9c300318935d846897 was built with M-C 3d02a4c69a81b5e64cb05b053975d35554
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b3ecb5aef45a8fb74764bb32e54567d57e&tochange=3d02a4c69a81b5e64cb05b053975d35554

So it does indeed look like:
c37a2bd30156faf5605de0a264972fa2952f61d4 Dana Keeler — bug 1573542 - be more efficient about finding client certificates r=jcj,kjacobs

Dana, would your change have caused those prompts?

Flags: needinfo?(dkeeler)

The platform will only prompt for a client certificate if a server requests one and if it can find one, so presumably your server is requesting one. Bug 1573542 did change how the platform finds client certificates, so perhaps it's finding one now where it couldn't before, but in any case the issue is probably with the server.

Flags: needinfo?(dkeeler)

I agree that the fix should be attempted on the server side. Requesting TLS client auth is an unusual config, I'd expect it to be usually disabled by default.

Even if it's enabled, the server configuration usually defines a whitelist of CAs from which issued certificates can be valid. If the list is empty on the server side, then any of your own certificates would be acceptable, and you get the prompt to confirm. Please check your server config.

In the screenshot, I see the certificate that is considered has already expired several years ago. Do you need that certificate for reading old encrypted email? If not, could you delete it and see what happens?
(You didn't recently import that certificate into your profile, did you?)

Flags: needinfo?(kaie)

I've had this cert in my profile for many years (since before it expired).

I would love to delete it but can't because of bug 1583067.

I wouldn't mind so much that it's now asking me for a certificate that it wasn't asking me for before, if the "Remember" checkbox worked or there were a way for me to configure this SMTP connection not to use a certificate even if prompted by the server. As noted above, neither of those is an option.

So if the behavior is correct from the point of view of M-C, then it's still incorrect per C-C, because the "Remember" checkbox doesn't work and there are no config settings anywhere I can set to disable the use of a certificate for this SMTP server.

(In reply to Jonathan Kamens from comment #8)

> I've had this cert in my profile for many years (since before it expired).

> I would love to delete it but can't because of bug 1583067.

The fix for that is on autoland and should be in an upcoming Daily: https://hg.mozilla.org/integration/autoland/rev/bff9cf5d7a6d

> I wouldn't mind so much that it's now asking me for a certificate that it wasn't asking me for before, if the "Remember" checkbox worked or there were a way for me to configure this SMTP connection not to use a certificate even if prompted by the server. As noted above, neither of those is an option.

The "remember" checkbox doesn't persist data across sessions. That's bug 1569159.

> So if the behavior is correct from the point of view of M-C, then it's still incorrect per C-C, because the "Remember" checkbox doesn't work and there are no config settings anywhere I can set to disable the use of a certificate for this SMTP server.

This is your SMTP server, right? It seems like there's some configuration option in its configuration that's making it request a client certificate. If you change that, it should stop asking.

> This is your SMTP server, right?

For me it's Yahoo's IMAP server.

Summary: Daily keeps asking me to specify a certificate → Daily keeps asking to specify a certificate

I am expecting something similar that might be relevant.

I am a smart card user and the card works as expected. However, it seems that for some time now, the card has started to confuse Thunderbird (68.8.1) in some cases, prompting me for certificates it shouldn't really care about.

How to reproduce:

  1. Insert a smart card (obviously I also have pcscd running)
  2. Try to send an email using smtp.office365.com

TB attempts to use the certs on my card & hence asks me for the PINs (which is the next step after the cert choosing process described by the OP). So my situation seems similar but in my case the cert is chosen for me.

After cancelling the PIN prompts multiple times, the email gets sent but it is very annoying. In addition, despite the email being sent, it is possible there are additional complications, such as those described here. I have not been able to test the 365 recipient & spam theory myself though.

The TB certificate manager shows the certificates on the card as my personal certificates (none listed besides those), which is not wrong, the question is why it is trying to use them. Yes, it may be that they have misconfigured their server. Or perhaps I have just misconfigured something myself. Either way, ideas are welcome :)

Just to be clear, other outgoing servers work just fine regardless of whether the card is there or not and office 365 does not complain if the card is not present & the certificates cannot be found.

dup?

Flags: needinfo?(mkmelin+mozilla)

I don't think so.
I think presence of an S/MIME certificate in one's profile triggers this for cases it shouldn't, but probably server misconfiguration many times.

Flags: needinfo?(mkmelin+mozilla)
Summary: Daily keeps asking to specify a certificate → Daily keeps asking to specify an SSL client certificate (User Identification Request)
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 759823
Summary: Daily keeps asking to specify an SSL client certificate (User Identification Request) → Thunderbird keeps asking to specify an SSL client certificate (User Identification Request) if I have an S/MIME certificate

Something seems to have changed. True, I haven't had the chance to test with the latest TB, but at least since 78.4.3 I only get prompted twice (once for each cert). It used to be more than that (perhaps four times, i.e. 2x per cert, but I'm not sure of the exact number).

Has anyone else noticed a change?

I hope that the new version will hit the repos soon & will provide an update when it does.

(In reply to Jorg K (CEST = GMT+2) from comment #10)

> > This is your SMTP server, right?

> For me it's Yahoo's IMAP server.

I seem to have the same issue with Thunderbird 78.8.1 (64-bit) on macOS.

Everything was working fine before. Then I successfully installed a S/MIME certificate for another (non-Yahoo) email account configured in Thunderbird. Starting with this change, I get the "This site has requested that you identify yourself with a certificate" popup for my IMAP Yahoo account whenever (i) I start Thunderbird, (ii) I refresh emails for the Yahoo account or (iii) sporadically when Thunderbird is running in the background (probably refreshing Yahoo emails in the background). I tried to uninstall the S/MIME certificate again but I was not successful so far.

This bug seems to persist even into 78.13.0.
As in the other mentions, the problem occurs for me when combining a Yahoo IMAP account without a matching S/MIME certificate with another IMAP account (in my case Exchange 2019). The "remember this" checkbox does nothing and I'm prompted with the request at every start.
So it would be very useful for this checkbox to be persistent. I'm not sure if it is a bug or something else is overriding the setting.
Alternatively: Maybe you could add some kind of blacklist for Yahoo? Or specify a setting for the account to always use a specific (or none) cert?

Severity: normal → S3