Thunderbird : No way to accept IMAP or SMTP SSL or TLS self signed cert - regression
Categories
(MailNews Core :: Networking: IMAP, defect)
Tracking
(thunderbird_esr68 verified, thunderbird68 verified, thunderbird75 verified, thunderbird76 verified, thunderbird77 verified)
People
(Reporter: hanasaki-mozilla, Unassigned)
Attachments
(1 file)
44.19 KB, image/png
Recently Thunderbird and Dovecot IMAPS cannot agree on SSL; however, Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the Thunderbird accounts from scratch. The OpenSSL raw client works fine as well.
Running on Debian Buster.
aptitude versions dovecot-imapd
i 1:2.3.4.1-5+deb10u1 stable
NOTE: same issue with debian thunderbird 68.4.1-1~deb10u1 creating all new accounts with a new profile.
Thoughts?
syslog below
Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->
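The syslog above records the same alert twice, in two forms: the OpenSSL info-callback line `SSL alert: where=0x4004, ret=554` (where 0x4000 is SSL_CB_ALERT and 0x0004 is SSL_CB_READ, so the alert was read from the peer, and ret packs level 2 = fatal with description 42) and the error text `ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42`, which OpenSSL raises when it reads a fatal alert from the peer. Both therefore describe an alert the client sent. As an added example, not code from this bug report, from Dovecot or from Thunderbird, the following Python script decodes both forms over Dovecot imap-login lines and summarises what the server side can and cannot tell you. The sample lines are constructed in the shape of the report's output, with RFC 5737 documentation addresses in place of the redacted ones and a made-up session id.

```python
import re
from collections import Counter

# TLS alert descriptions from the IANA TLS Alert registry (RFC 5246 / RFC 8446); the
# certificate-related subset is what matters when a mail client refuses to connect.
TLS_ALERTS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 70: "protocol_version", 71: "insufficient_security",
    112: "unrecognized_name", 116: "certificate_required",
}

# OpenSSL info-callback flags as Dovecot logs them in "where=0x....": SSL_CB_ALERT is 0x4000,
# SSL_CB_READ is 0x0004 (alert received from the peer), SSL_CB_WRITE is 0x0002 (alert sent).
SSL_CB_READ, SSL_CB_WRITE = 0x0004, 0x0002

CALLBACK_RE = re.compile(r"SSL alert: where=0x(?P<where>[0-9a-fA-F]+), ret=(?P<ret>\d+)")
ALERTNUM_RE = re.compile(r"SSL alert number (?P<num>\d+)")
RIP_RE = re.compile(r"\brip=(?P<rip>[^,\s]+)")


def decode_alert_callback(where, ret):
    """Decode a 'where=0x4004, ret=554' pair; ret packs (level << 8) | description."""
    direction = "received" if where & SSL_CB_READ else "sent" if where & SSL_CB_WRITE else "unknown"
    level = {1: "warning", 2: "fatal"}.get(ret >> 8, "unknown")
    code = ret & 0xFF
    return {"direction": direction, "level": level, "code": code,
            "name": TLS_ALERTS.get(code, "unassigned")}


def parse_line(line):
    """Return an alert event for a Dovecot imap-login line, or None if it carries no alert."""
    m = CALLBACK_RE.search(line)
    if m:
        event = decode_alert_callback(int(m.group("where"), 16), int(m.group("ret")))
    else:
        m = ALERTNUM_RE.search(line)
        if not m:
            return None
        code = int(m.group("num"))
        # OpenSSL sets the "ssl3_read_bytes: sslv3 alert <name>" error only when it READS a
        # fatal alert from the peer, so this form always describes an alert the client sent.
        event = {"direction": "received" if "ssl3_read_bytes" in line else "unknown",
                 "level": "fatal", "code": code, "name": TLS_ALERTS.get(code, "unassigned")}
    rip = RIP_RE.search(line)                      # remote address, present on the Disconnected line
    event["rip"] = rip.group("rip") if rip else None
    return event


def triage(lines):
    """Summarise alert events and state what a received bad_certificate(42) implies."""
    events = [e for e in map(parse_line, lines) if e]
    by_code = Counter(e["code"] for e in events)
    verdict = None
    if any(e["code"] == 42 and e["direction"] == "received" for e in events):
        verdict = ("client sent bad_certificate (42): the client rejected the certificate this "
                   "server presented. Check the server certificate's chain, names and validity "
                   "and the client's trust store; client-certificate auth is not involved.")
    return {"events": events, "by_code": dict(by_code), "verdict": verdict}


# Constructed sample in the shape of the Dovecot imap-login debug lines from the report.
SAMPLE_LOG = """\
Apr  8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr  8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Apr  8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Apr  8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr  8 18:10:19 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.25, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<constructed>
""".splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The point of the `direction` field is that the server log only shows which side aborted and with which alert code; the reason the client rejected the certificate (untrusted issuer, name mismatch, expiry, or a client-side regression such as the one discussed in this bug) is only visible on the client, so the next step after a received 42 is to inspect the certificate the server presents and the client's trust decisions, not Dovecot's auth configuration.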
Comment 1•4 years ago
Which hostname?
Comment 2•4 years ago
Comment 3•4 years ago
Hanasaki: Are you trying to use authentication to the IMAP server using a SSL/TLS client certificate?
Comment 4•4 years ago
Hanasaki, it seems clear that your experience is related to the use of SSL client certificates, because that's what "alert 42" means.
We're uncertain what might have caused this bug.
Could you please tell us, are you still able to reproduce this bug with the most recent nightly version of Thunderbird (until 2020-05-04)?
Today, we reverted a change that could potentially have been responsible for your experience.
Would you please be able to test today, and again test tomorrow?
If you can reproduce the failure with a nightly build 2020-05-04, but tomorrow you'll no longer be able to reproduce with build 2020-05-05, that would be important feedback.
The issue / bug still exists with the current Beta 76.0b3 (64-bit)
The IMAP server is IMAPS with a self-signed cert for SSL. I am not trying to use a client cert for auth; just IMAPS with id/passwd.
I am sorry. I do not understand what you are asking with "what hostname?"
Note the image I am uploading. Many Thunderbird versions ago, a self-signed cert would pop up a dialog asking if I want to accept it. There is no longer a popup (note: the Evolution client does have a popup and works). Also note the image of a Thunderbird dialog box to manually add the server public cert. It asks for an "https" URL for an IMAPS server cert.
https://stackoverflow.com/questions/61077885/add-thunderbird-security-exception-for-self-signed-ssl-certificate
** Above link may have some relevance ... thoughts?
Comment 9•4 years ago
Hanasaki, thanks for testing and the additional explanations.
The information that you're using a self-signed certificate clarifies the cause. We have a regression in our handling of invalid certificates.
This is probably a duplicate of bug 1590474.
Comment 10•4 years ago
Could you get a server certificate from the Let's Encrypt (LE) CA and use it instead of a self signed certificate?
It's preferred to use a real certificate, not self-signed, and with LE offering certificates for free, there should be little reason not to use one from them?
Reporter
Comment 11•4 years ago
I will look into Let's Encrypt (LE) CA free certs. Note: this creates new admin work that was not previously needed and means thunderbird is no longer an option for use in a completely sandboxed lab env.
Can someone prioritize the regression bug issue?
Also, I differ in interpretation of the other bug:
1. The 'regression' is called "Mail window: Implement new handling for bad server certificates on SSL/TLS connections". Thunderbird is not having issues with a "bad server cert". A self-signed cert is a good cert, not bad, and the previous Thunderbird behavior of warning and making the user say "yes" to the exception was a good way to handle it. Please consider as a Thunderbird bug.
2. A dialog box asking for an HTTPS URL for IMAP over SSL/TLS is contextually a) confusing, and b) the functionality doesn't allow for the exception to be created. Same comment as to SMTP over SSL/TLS. Please consider these as Thunderbird bugs.
Reporter
Comment 12•4 years ago
Bump. Please consider reopening based on my previous posting. Issues to resolve:
- Thunderbird does not prompt to accept a self-signed cert.
- manual add of cert prompts for HTTPS URL for SMTP SSL/TLS server
Thank you,
Comment 13•4 years ago
#1 is clearly bug 1590474 - which we're going to fix.
Reporter
Comment 14•4 years ago
(In reply to Kai Engert (:KaiE:) from comment #10)
> Could you get a server certificate from the Let's Encrypt (LE) CA and use it instead of a self signed certificate?
> It's preferred to use a real certificate, not self-signed, and with LE offering certificates for free, there should be little reason not to use one from them?
Obtained from LE - How to import it? See notes about 1. import wants "https" and 2. no dialog popup to accept (there IS in evolution and there WAS a long time ago in TB)
Comment 15•4 years ago
You can always import it through the certificate manager (in preferences).
I don't recall how we handle the https import (or not) - though I do recall it was discussed. I think the case is that you use the https url for it and it works even if not very intuitive. Did you try now 68 works here?
Reporter
Comment 16•4 years ago
- Please provide the process/details for "import it through the cert manager in pref".
- Still fails in 68
Reporter
Comment 17•4 years ago
certificate import appears to be for "personal" certs; not server certs.
Reporter
Comment 18•4 years ago
68.7.0 (64-bit) Linux : works with imap server entered as IP address a.b.c.d : does not work with hostname as imap server : using port 993
upgrade the profile to v77 or v78 : error using Dovecot shows up
create a new thunderbird profile with v77,78 and set imap server by IP or hostname : error shows up.
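Comment 18 reports that the same server is accepted when the account is configured with the IP address but not with the hostname. Before attributing such a split to the client, it is worth checking what names the certificate actually asserts: a self-signed certificate that carries only an IP-address Subject Alternative Name covers a connection by IP and nothing else. As an added example, not code from this report, from Dovecot or from Thunderbird, here is a stdlib-only Python checker that runs the name, validity and self-signed tests over a certificate in the dict form `ssl.SSLSocket.getpeercert()` returns for a verified peer. The certificate values are constructed (self-signed, IP-only SAN, hypothetical name `mail.lab.example`) to reproduce exactly that split.

```python
import ipaddress
import ssl
import time

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns for a verified
# peer: self-signed (issuer == subject) and carrying only an IP-address SAN. Values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.lab.example"),),),
    "issuer": ((("commonName", "mail.lab.example"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
    "notBefore": "Apr 10 00:00:00 2020 GMT",
    "notAfter": "Apr 10 00:00:00 2030 GMT",
}


def is_self_signed(cert):
    """Issuer name equal to subject name marks a self-issued certificate; for a single server
    certificate that is the practical test (a full check would also verify the signature)."""
    return cert.get("issuer") == cert.get("subject")


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, trailing dot ignored, a leading '*' covers
    exactly one leftmost label (so *.lab.example matches mail.lab.example, not a.b.lab.example)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".lab.example"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[:-len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def name_matches(cert, target):
    """True when the target (hostname or IP literal) is covered by the SAN extension. When a
    SAN is present, clients must ignore the subject CN (RFC 6125 section 6.4.4), so this does too;
    a certificate with no SAN at all never matches here, though some clients still fall back to CN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and dns_name_matches(value, target):
            return True
    return False


def validity_ok(cert, now=None):
    """notBefore <= now <= notAfter, using the stdlib parser for the getpeercert() time format."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def diagnose(cert, target, now=None):
    """The checks a client runs on the presented certificate; any one failing makes it abort
    the handshake and send an alert, which the server logs as in this report."""
    return {"self_signed": is_self_signed(cert),
            "name_matches": name_matches(cert, target),
            "valid_now": validity_ok(cert, now)}


if __name__ == "__main__":
    for target in ("192.0.2.10", "mail.lab.example"):
        print(target, diagnose(SAMPLE_CERT, target))
```

To run this against a live server, connect with an `ssl.SSLContext` that has `check_hostname = False`, `verify_mode = ssl.CERT_REQUIRED` and the server's own certificate PEM loaded through `load_verify_locations()`, then pass `getpeercert()` to `diagnose()`; with verification switched off entirely, `getpeercert()` returns an empty dict and there is nothing to check. A `name_matches` of `False` for the hostname alongside `True` for the IP means the certificate, not the client, decides the split.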
Comment 19•4 years ago
(In reply to hanasaki from comment #17)
> certificate import appears to be for "personal" certs; not server certs.
Comment 20•4 years ago
So in the future we will not have a solution besides using a certificate signed by Let's Encrypt or something similar? No way to use a self-signed cert?
Comment 21•4 years ago
Self-signed overrides will work after we fix bug 1590474.