Closed Bug 1670569 Opened 3 years ago Closed 3 years ago

No "wrong site" warning on new Thunderbird (version > 78) when tunnelling to localhost.


(Thunderbird :: Security, defect)



(Not tracked)



(Reporter: shs7307, Unassigned)




(Keywords: regression)


(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0

Steps to reproduce:

Sometimes I need use SSH for tunnelling connection to mailserver (I have no direct access to the Internet). I tunnel for example port 993 to locahost port 10993 (so I have IMAP server configured to localhost:10993). In previous versions (68.12.1 and older) when I press "Get Messages" button in this case I see warning dialog box "Wrong Site, the certificate belongs to different site...." and I can confirm exception. And this is expected behavior.

In newer (I've tested 78.3.2 64-bit and some new beta versions) there is no any warning! Thunderbird displays "... connecting to localhost" on status bar forever and desn't receive mails.

Of course I can add exception in "Option -> Private & security -> Manage Certificates -> Servers, Add Exception " but it works for a few days. After some time (days, or if something changes in certificate) Thunderbird locks on this connection again without any warning. Could you bring back this previous behavior? The same problem is with SMTP outgoing connections.

How to reproduce:

  1. Install 78 version (32 or 64 bit for Windows)

  2. Make tunnell to imap server, for example: ssh -L -vvvv username@somehost

  3. Enter localhost, port 10993 as incoming IMAP server (see attached image)

  4. Try to download emails. You will not see any warning, it "hangs". Even if you add manually certificate exception if something changes in certificate (or after a free days) this exception will be invalid. The warning message box is much better than silent hang...

Actual results:

Nothing. Silent. See attached image. There should be "Wrong site" dialog box, but in new version of Thunderbird nothing happens.

Expected results:

Could you bring back this previous behaviour ("Wrong site" message box)

I can confirm that in TB68 you get a pop-up for a certificate and in TB78 the status bar keeps showing the connecting message.
There are no messages in the error console in TB78. I haven't tried getting a logfile using MOZ_LOG/MOZ_LOG_FILE:
export MOZ_LOG=IMAP:5,timestamp
export MOZ_LOG_FILE=/tmp/imap.log

Blocks: tb78found
Component: Untriaged → Security
Ever confirmed: true

I restarted TB78 with the environment variables set, but the file imap.log stays empty...

Last known good: 2019-10-25
First known bad: 2019-10-26
Probably regressed by bug 1547096

I think duplicate of bug 1590474. (In a build with that, hit the get messages button.)

Yep, this is indeed fixed as of 2020-10-01 after pushing bug 1590474...

Closed: 3 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.