Closed Bug 1629416 Opened 1 year ago Closed 8 months ago

Thunderbird : No way to accept IMAP or SMTP SSL or TLS self signed cert - regression

Categories

(MailNews Core :: Networking: IMAP, defect)

x86_64
Linux
defect

Tracking

(thunderbird_esr68 verified, thunderbird68 verified, thunderbird75 verified, thunderbird76 verified, thunderbird77 verified)

RESOLVED DUPLICATE of bug 1590474

People

(Reporter: hanasaki-mozilla, Unassigned)

References

Details

Attachments

(1 file)

Recently thunderbird and Dovecot IMAPS cannot agree on SSL; however, Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well.

Running on Debian Buster.
aptitude versions dovecot-imapd
i 1:2.3.4.1-5+deb10u1 stable
NOTE: same issue with debian thunderbird 68.4.1-1~deb10u1 creating all new accounts with a new profile.

Thoughts?

syslog below
Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->
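
Added note for reading the syslog above (this is an example I am adding here; it is not code from the reporter, Dovecot or Thunderbird). The failure shows up in two encodings in these lines: the info-callback line "SSL alert: where=0x4004, ret=554" and the packed OpenSSL error code "14094412". The script decodes both. "where" is OpenSSL's SSL_CB_* bitmask (0x4000 = alert, 0x04 = read, 0x08 = write) and "ret" packs (AlertLevel << 8) | AlertDescription, so 554 is fatal (2) / bad_certificate (42). The error code uses the OpenSSL 1.1.x layout (lib << 24) | (func << 12) | reason, where inside libssl a reason of 1000 + N mirrors a received alert N (AlertDescription names per RFC 5246 / RFC 8446); OpenSSL 3.x packs codes differently and is out of scope. Because Dovecot is the server here, an alert it reads is one the client sent, i.e. Thunderbird refused the certificate Dovecot offered, which is a trust or hostname problem on the client side rather than anything to do with client-certificate authentication. The sample lines are constructed to mirror the report's, and the verdict wording assumes a server-side log.

```python
"""Decode TLS alert data in Dovecot imap-login log lines (added example).

Not code from Dovecot, Thunderbird or the reporter. SAMPLE_LOG is constructed
to match the shape of the lines in the bug report (hosts/IPs redacted).
Error-code decoding targets the OpenSSL 1.1.x packed format seen on Buster.
"""
import re

# AlertDescription values, RFC 5246 s7.2.2 / RFC 8446 s6.2.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
    112: "unrecognized_name", 116: "certificate_required",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alerts a peer sends when it rejects the certificate it was given.
CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}

ERR_LIB_SSL = 0x14            # OpenSSL library id for libssl
SSL_AD_REASON_OFFSET = 1000   # reason 1000+N mirrors received alert N
SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT = 0x04, 0x08, 0x4000

ERR_CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALERT_CB_RE = re.compile(r"SSL alert: where=0x([0-9A-Fa-f]+), ret=(\d+)")

# Constructed sample, mirroring the report's lines.
SAMPLE_LOG = [
    "Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: "
    "where=0x4004, ret=554: fatal bad certificate",
    "Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() "
    "failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad "
    "certificate: SSL alert number 42",
]


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.1 error code; name the alert it mirrors."""
    code = int(code_hex, 16)
    info = {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "alert": None}
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        desc = info["reason"] - SSL_AD_REASON_OFFSET
        info["alert"] = (desc, ALERT_DESCRIPTIONS.get(desc, "unknown"))
    return info


def decode_alert_callback(where_hex, ret):
    """Decode a 'SSL alert: where=..., ret=...' line; None if not an alert."""
    where = int(where_hex, 16)
    if not where & SSL_CB_ALERT:
        return None
    desc = ret & 0xFF
    return {"direction": "received" if where & SSL_CB_READ else "sent",
            "level": ALERT_LEVELS.get(ret >> 8, str(ret >> 8)),
            "description": desc,
            "name": ALERT_DESCRIPTIONS.get(desc, "unknown")}


def classify(lines):
    """Collect every alert the log lines describe, with its direction."""
    findings = []
    for line in lines:
        m = ALERT_CB_RE.search(line)
        if m:
            findings.append(decode_alert_callback(m.group(1), int(m.group(2))))
            continue
        m = ERR_CODE_RE.search(line)
        if m and decode_openssl_error(m.group(1))["alert"]:
            desc, name = decode_openssl_error(m.group(1))["alert"]
            # ssl3_read_bytes is OpenSSL's record-reading path, so an alert
            # reported there was read from the peer, not raised locally.
            findings.append({"direction": "received" if "read_bytes" in line
                             else "sent",
                             "level": None,  # not encoded in the error code
                             "description": desc, "name": name})
    return findings


def verdict(findings):
    """Summarise a *server-side* log: who rejected whose certificate."""
    received = [f for f in findings if f["direction"] == "received"
                and f["description"] in CERT_REJECTION_ALERTS]
    sent = [f for f in findings if f["direction"] == "sent"
            and f["description"] in CERT_REJECTION_ALERTS]
    if received:
        return ("client rejected the server certificate (%s); look at trust "
                "and hostname on the client, not at client-cert auth"
                % received[0]["name"])
    if sent:
        return "server rejected the client certificate (%s)" % sent[0]["name"]
    return "no certificate-related alert found"


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
    print(verdict(classify(SAMPLE_LOG)))
```

Run it as a script to see both decodes agree on "received, fatal, bad_certificate (42)"; the same functions can be pointed at a real journal extract, and a "sent" direction (where=0x4008, or an error string without ssl3_read_bytes) is what a genuine client-certificate rejection by the server would look like instead.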

Which hostname?

(In reply to Magnus Melin [:mkmelin] from comment #1)

Which hostname?

hanasaki ?

Flags: needinfo?(hanasaki-mozilla)

Hanasaki: Are you trying to use authentication to the IMAP server using a SSL/TLS client certificate?

Hanasaki, it seems clear that your experience is related to the use of SSL client certificates, because that's what "alert 42" means.

We're uncertain what might have caused this bug.

Could you please tell us, are you still able to reproduce this bug with the most recent nightly version of Thunderbird (until 2020-05-04) ?

Today, we reverted a change that could potentially have been responsible for your experience.

Would you please be able to test today, and again test tomorrow?

If you can reproduce the failure with a nightly build 2020-05-04, but tomorrow you'll no longer be able to reproduce with build 2020-05-05, that would be important feedback.

The issue / bug still exists with the current Beta 76.0b3 (64-bit)
The imap server is IMAPS with a self signed Cert for SSL. I am not trying to use a client cert for auth; just imapS with id/passwd
I am sorry. I do not understand what you are asking for with "what hostname?"

Note the image I am uploading. Many thunderbird versions ago, a self signed cert would pop up a dialog asking if I want to accept it. There is no longer a popup (note: evolution client does have a popup and works). Also note the image of a thunderbird dialog box to manually add the server public cert. It asks for an "https" URL for an IMAPS server cert.

Flags: needinfo?(hanasaki-mozilla)

Exact same issue : 78.0a1 (2020-05-05) (64-bit) Linux

Hanasaki, thanks for testing and the additional explanations.

The information that you're using a self signed certificate clarifies the cause. We have a regression in our handling of invalid certificates.

This is probably a duplicate of bug 1590474.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1590474

Could you get a server certificate from the Let's Encrypt (LE) CA and use it instead of a self signed certificate?
It's preferred to use a real certificate, not self-signed, and with LE offering certificates for free, there should be little reason not to use one from them?

I will look into Let's Encrypt (LE) CA free certs. Note: this creates new admin work that was not previously needed and means thunderbird is no longer an option for use in a completely sandboxed lab env.

Can someone prioritize the regression bug issue?

Also, I differ in interpretation of the other bug:

= 1 =
The 'regression' is called "Mail window: Implement new handling for bad server certificates on SSL/TLS connections"
Thunderbird is not having issues with a "bad server cert". A self-signed cert is a good cert, not bad, and the previous thunderbird behavior of warning and making the user say "yes" to the exception was a good way to handle it. Please consider as a thunderbird bug.

= 2 =
A dialog box asking for an HTTPS URL for an IMAP over SSL/TLS contextually a) is confusing b) the functionality doesn't allow for the exception to be created. Same comment as to SMTP over SSL/TLS. Please consider these as thunderbird bugs.

Flags: needinfo?(kaie)

Bump Please consider reopening based on my previous posting. Issues to resolve:

  1. thunderbird does not prompt to accept self-signed cert.
  2. manual add of cert prompts for HTTPS URL for SMTP SSL/TLS server

Thank you,
Flags: needinfo?(kaie)

#1 is clearly bug 1590474 - which we're going to fix.

(In reply to Kai Engert (:KaiE:) from comment #10)

Could you get a server certificate from the Let's Encrypt (LE) CA and use it instead of a self signed certificate?
It's preferred to use a real certificate, not self-signed, and with LE offering certificates for free, there should be little reason not to use one from them?

Obtained from LE - How to import it? See notes about 1. import wants "https" and 2. no dialog popup to accept (there IS in evolution and there WAS a long time ago in TB)

Flags: needinfo?(mkmelin+mozilla)

You can always import it through the certificate manager (in preference).
I don't recall how we handle the https import (or not) - though I do recall it was discussed. I think the case is that you use the https url for it and it works even if not very intuitive. Did you try now 68 works here?

Flags: needinfo?(mkmelin+mozilla)

  • Please provide the process/details for "import it through the cert manager in pref".
  • Still fails in 68
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Version: 75 → 77

certificate import appears to be for "personal" certs; not server certs.

Summary: Dovecot 2.3.4.1 IMAPS : Thunderbird v75, v76Beta : ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 : evolution client works → hunderbird : No way to accept IMAP or SMTP SSL or TLS self signed cert - regression
Summary: hunderbird : No way to accept IMAP or SMTP SSL or TLS self signed cert - regression → Thunderbird : No way to accept IMAP or SMTP SSL or TLS self signed cert - regression

68.7.0 (64-bit) Linux : works with imap server entered as IP address a.b.c.d : does not work with hostname as imap server : using port 993
upgrade the profile to v77 or v78 : error using Dovecot shows up
create a new thunderbird profile with v77,78 and set imap server by IP or hostname : error shows up.

(In reply to hanasaki from comment #17)

certificate import appears to be for "personal" certs; not server certs.

Flags: needinfo?(kaie)
See Also: → 1590474

So in the future we will not have a solution besides using a certificate signed by Let's Encrypt or something similar? No way to use a self-signed cert?

Self signed overrides will work after we fix bug 1590474.

Status: REOPENED → RESOLVED
Closed: 1 year ago → 8 months ago
Flags: needinfo?(kaie)
Resolution: --- → DUPLICATE
Duplicate of bug: 1590474