TB 78.2.2 Sending of the message failed. Peer’s Certificate issuer is not recognized
(Thunderbird :: Security, defect)
(Reporter: owen, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Steps to reproduce:
Upgraded to TB 78.2.2. Afterwards, cannot send or receive mail to Godaddy hosted IMAP / SMTP.
Actual results:
Sending of the message failed.
Peer’s Certificate issuer is not recognized.
The configuration related to owenduffy.net must be corrected
Expected results:
Mail should have been sent.
I have tested access to the mail server with openssl s_client -showcerts -connect owenduffy.net:993 -servername owenduffy.net and I cannot see any problems with the certificate chain. The CA certificate is visible in TB.
Comment 1 (Reporter) • 5 years ago
Further info:
This failed on TB 64bit, but I note that access to a different user on the same mailserver works ok on TB 32bit v 78.2.2.
Comment 3 (Reporter) • 5 years ago
I regard the loss of TLS as a serious security failure.
So, I tried the latest beta in the hope that the problem might be fixed... but it is not.
So, knowing that 32bit works fine on another computer... I tried to revert to that but the genius design of the profile is not backwards compatible.
So much for security!
Comment 4 • 5 years ago
To downgrade, it's preferable to use a backup (all data is not backwards compatible). It's possible to ignore that fact and use the old profile with --allow-downgrade.
However, a casual check of the server looks like TLS is ok, and what you've told would indicate that you're being blocked by Antivirus/Firewall software.
Comment 5 (Reporter) • 5 years ago
You raise an interesting point as I did the SSL test from another (Linux) system.
When I do the test from the problem system (W10), I get:
C:\Users\owen>openssl s_client -showcerts -connect owenduffy.net:993 -servername owenduffy.net
CONNECTED(00000240)
depth=1 OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
verify error:num=19:self signed certificate in certificate chain
Certificate chain
0 s:/OU=Domain Control Validated/CN=owenduffy.net
i:/OU=generated by Avast Antivirus for SSL/TLS scanning/O=Avast Web/Mail Shield/CN=Avast Web/Mail Shield Root
-----BEGIN CERTIFICATE-----
So, Avast sits in the middle and seems to create a self signed cert which might not be accepted by TB.
Owen
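An added diagnostic, not part of this bug report, that automates the openssl check above: it parses `openssl s_client -showcerts` output (the constructed sample below mirrors what the affected Windows machine printed, PEM body omitted) and reports whether the depth-0 issuer looks like a local TLS-inspecting proxy rather than a public CA. The marker strings in `INTERCEPTION_MARKERS` are an assumed list to be extended per product; `check_host` assumes an `openssl` binary on PATH.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample: abbreviated `openssl s_client -showcerts` output matching
# what the reporter saw on the affected Windows machine (PEM body omitted).
SAMPLE_OUTPUT = """CONNECTED(00000240)
depth=1 OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
verify error:num=19:self signed certificate in certificate chain
Certificate chain
 0 s:/OU=Domain Control Validated/CN=owenduffy.net
   i:/OU=generated by Avast Antivirus for SSL/TLS scanning/O=Avast Web/Mail Shield/CN=Avast Web/Mail Shield Root
-----BEGIN CERTIFICATE-----
"""

# Issuer-DN fragments typical of local TLS-inspecting proxies (assumed list;
# extend it with the strings your own endpoint-protection product uses).
INTERCEPTION_MARKERS = ("ssl/tls scanning", "web/mail shield", "antivirus")

@dataclass
class ChainReport:
    verify_errors: list = field(default_factory=list)  # (num, message) pairs
    leaf_subject: str = ""
    leaf_issuer: str = ""
    intercepted: bool = False
    reason: str = ""

def analyse_s_client(text: str) -> ChainReport:
    """Parse s_client output and decide whether a local proxy re-signed the chain."""
    r = ChainReport()
    for line in text.splitlines():
        if m := re.match(r"verify error:num=(\d+):(.*)", line):
            r.verify_errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := re.match(r"\s*0 s:(.*)", line):
            r.leaf_subject = m.group(1).strip()
        elif (m := re.match(r"\s*i:(.*)", line)) and r.leaf_subject and not r.leaf_issuer:
            r.leaf_issuer = m.group(1).strip()  # issuer printed right after depth-0 subject
    hit = next((k for k in INTERCEPTION_MARKERS if k in r.leaf_issuer.lower()), None)
    if hit:
        r.intercepted, r.reason = True, f"leaf issuer mentions '{hit}'"
    elif any(num == 19 for num, _ in r.verify_errors):
        r.reason = "chain ends in a self-signed root the local trust store lacks"
    return r

def check_host(host: str, port: int = 993) -> ChainReport:
    """Run openssl s_client (needs it on PATH); verify lines go to stderr."""
    cmd = ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{port}",
           "-servername", host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return analyse_s_client((proc.stdout + proc.stderr).decode(errors="replace"))
```

Run it from the machine that fails and from one that works; a differing `leaf_issuer` for the same host is the interception signature, independent of whether the client happens to trust the injected root.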
Comment 6 (Reporter) • 5 years ago
After a lot of testing... I am less clear on the problem.
I recall that in the past, if there was something irregular about a certificate, I was prompted to enter an exception for the certificate, and I could view the certificate to help make that decision.
At present, it seems to find problems with the certificate, but not give the option to store an exception.
I did go into options ... certificate management and tried to create an exception for owenduffy.net. Get Certificate results in certificate ok, no need for an exception. Viewing the certificate looks ok. Yet, I cannot send a message without getting "Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server's certificate. The configuration related to owenduffy.net must be corrected" and I don't appear to be able to view the certificate or to store an exception.
Disabling the virus software doesn't solve the problem. Switching off TLS does allow it to work... but with unprotected traffic and password.
Comment 7 • 5 years ago
Antivirus software is not very keen to be turned off, so something may still be running or may have restarted itself.
Looks like you're MITM attacked by the Avast antivirus scan (basically). And can't add an exception - adding exception for self signed certs is broken atm - bug 1590474.
Comment 8 (Reporter) • 5 years ago
I can see a different certificate set with AVAST on, and yes, it is a self signed cert from AVAST.
BTW, I just configured the same account in Win10 Mail by hand (i.e. not auto configure) so I know it is configured for TLS, and it works... so I am suspicious that the update from TB68 to TB78 delivered the defect.
Yes, if the handling for a bad certificate has been messed up, that might well be the cause.
Cheers
Owen