Stuck at checking server capabilities - need better certificate exception feedback
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: per, Unassigned, NeedInfo)
Details
(Whiteboard: [dupme])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Steps to reproduce:
Opened program
Actual results:
All IMAP accounts stuck at "checking server capabilities".
Tried rebooting - no change.
Currently downgraded to version 68.10 where things work normally. All 78.x versions seems affected.
Expected results:
Mail being received.
|
||
Comment 1•5 years ago
|
||
We've raised the bar for the required version of TLS protocol in TB 78, which might cause this. You could try this:
|
||
Updated•5 years ago
|
|
||
Comment 2•5 years ago
|
||
I am getting this on one imap account but not all.
The problematic imap server is old with a valid-but-self-signed cert, so I lowered tls.min to see if it helped but it did not.
Still, there surely must be a far better way for TB to communicate "I would not get the required TLS level" than getting stuck on
(IMAP 143 + STARTTLS) Checking server capabilities
(IMAPS 993 SSL/TLS) Connected to server x.y.z
and not moving onward from there?
I have had the Activity window open (a good place to mention ssl issues I think?) and the Developer Tools -> Error Console.
The activity window only shows what works (ie, the other accounts) and the Error log seems mostly concerned with telling me which gfx hw and GL engine it found.
Could someone not make a per-account status window you could pop up, hidden behind the required amount of "Advanced" -> "Extra special" -> "Very secret" so it doesn't scare new users but gives us long-timers a slight hint about what it actually going on? Not on the atomic level, but just the main connection-network stuff like:
resolved the name to this ip, connected with TCP to the specified port X, got TLS cert, liked/disliked the validity of date,CN,root-chain Y/n, sending credentials with success true/false, getting capabilities of imap server, listing folders (X folders found)
This would just be SO immensely more useful for diagnosing bad hostnames (both dns and cert), weird firewall stuff (no tcp connection made), bad/expired username-or-login or whatever. This hiding of info for basic research is not working for us users and email admins.
I got auto-updated a some days ago from 6x to 78.4 (MacOS) and have had to move mail reading of the old account to another platform for the time being, because it has taken me upto now to probably realize TLS1.2 requirements (which is good!) is what prevents me. But for some reason, TELLING me that the 10+ year old account is not up to speed and hanging on "half-connected, you can just wait" is beyond the abilities of TB. 8-(
Redid the account, the pre-tests pass, actually getting mail or listing folders then get stuck like before, so no help there.
Googled like crazy and found the MOZ_LOG env, set it to: "IMAP:5,timestamp"
and this is all it says about the not-working account while spewing tons of info and mail contents from my working accounts:
020-11-05 07:58:14.973587 UTC - [(null) 73417: Main Thread]: I/IMAP 0x137b11800:mail.example.com:NA:SetupWithUrlCallback: clearing IMAP_CONNECTION_IS_OPEN
2020-11-05 07:58:14.973681 UTC - [(null) 73417: IMAP]: I/IMAP 0x137b11800:mail.example.com:NA:ProcessCurrentURL: entering
2020-11-05 07:58:14.973685 UTC - [(null) 73417: IMAP]: I/IMAP 0x137b11800:mail.example.com:NA:ProcessCurrentURL:imap://user@mail.example.com:993/select%3E%5EINBOX: = currentUrl
2020-11-05 07:58:14.988743 UTC - [(null) 73417: IMAP]: D/IMAP ReadNextLine [rv=0x805a1ff3 stream=0x1377f9160 nb=0 needmore=1]
2020-11-05 07:58:14.988755 UTC - [(null) 73417: IMAP]: I/IMAP 0x137b11800:mail.example.com:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 805a1ff3
2020-11-05 07:58:14.988861 UTC - [(null) 73417: IMAP]: I/IMAP 0x137b11800:mail.example.com:NA:TellThreadToDie: close socket connection
2020-11-05 07:58:14.988865 UTC - [(null) 73417: IMAP]: I/IMAP 0x137b11800:mail.example.com:NA:CreateNewLineFromSocket: (null)
2020-11-05 07:58:14.988867 UTC - [(null) 73417: IMAP]: D/IMAP SetConnectionStatus(0x805a1ff3)
(slightly obfuscated user/domain)
So, I'm kind of frustrated, three ways of giving me some hint on whats wrong, activity monitor (toplevel), error console (mid?), and debug envs. Still no sign of what is wrong, why it isn't progressing and of course, what can I do to work around it at least temporarily.
|
||
Comment 3•5 years ago
|
||
https://james-ross.co.uk/mozilla/misc/nserror?0x805A1FF3 - unknown issuer - yes self signed certification.
If you click the "Get Messages" button you should trigger a flow that will allow you to override the certificate trust.
|
|
||
Comment 4•5 years ago
|
||
(In reply to Magnus Melin [:mkmelin] from comment #3)
https://james-ross.co.uk/mozilla/misc/nserror?0x805A1FF3 - unknown issuer - yes self signed certification.
If you click the "Get Messages" button you should trigger a flow that will allow you to override the certificate trust.
It doesn't trigger any flows, it just prints "Connected to mail.example.com" at the bottom of TB next to the ((*)) icon.
|
|
||
Comment 5•5 years ago
|
||
In 78.4 and above, you should get a dialog that lets you add an exception.
|
|
||
Comment 6•5 years ago
|
||
It doesn't, and as said, this came when I got upgrade to 78.4.0.
I think the "check mail every 10 minutes" and "check mail at startup" for the last days would have shown it by now.
That was the whole point of my rant/initial message, there is zero interaction, zero things telling me where to look, what to change, what it is doing apart from not getting me my emails on that account and getting stuck there.
|
|
||
Comment 7•5 years ago
|
||
Check on startup and every x minutes are unrelated.
|
|
||
Comment 8•5 years ago
|
||
Ok, I'll be explicit if this is required, even though I already said it in Comment #4 and #6:
Yes, I have pressed Get Messages, and it doesn't have an effect, it doesn't pop up requesters, I do not see any indication of failure not do I get any choices or a report of that it disliked the configuration and the endpoint imap server.
Nor do does the activity monitor or the error console report failures in spawning this interaction.
|
|
||
Comment 9•5 years ago
|
||
Then I don't know. Something is wrong with the certificate. Not every misconfiguration can be overridden. You could try if the setup wizard lets you add something.
|
|
||
Comment 10•5 years ago
|
||
The main bug is not "TB 78.x stops accepting [certain types of] bad certs", it is the lack of feedback.
Even browsers doing more or less the same x509 cert validation steps can tell you "this cert is so bad that we will not even allow you to override due to date/CN/crypto methods/bad-CA/revoked" when you are going to places with broken setups.
At no point would they settle for printing "connected to https://badssl.com/" and then just not tell you why you don't get progress.
|
|
||
Updated•5 years ago
|
|
||
Comment 11•5 years ago
|
||
I think that one of the bigger problems here is that if a new certificate is issued but is invalid (e.g. using LetsEncrypt, but the domain in the certificate doesn't match the FQDN of the mail server), the user is not prompted to accept the new certificate.
As a workaround, I have found that I have to select an account and manually click "Get Messages" in order to display the pop-up that allows a certificate exception. This pop-up should be displayed automatically when checking for new mails (and I believe that it used to be prior to the release of Thunderbird 78 [meaning back in the Thunderbird 68 days and before]).
Currently I'm running Thunderbird 78.5.1, but I have heard from many of my clients that they're not prompted (without this workaround).
Cheers,
Nathan Zachary
|
|
||
Comment 12•5 years ago
|
||
Let's handle in bug 1681960
Description
•