Open Bug 1678792 Opened 4 years ago Updated 4 years ago

"Up-to-date version" does not allow me to bypass invalid certificate (cert for wrong domain name)

Categories

(Thunderbird :: Security, defect)

defect

Tracking

(Not tracked)

REOPENED

People

(Reporter: standeming, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

78.5.2 does not let me bypass invalid certificate issue. I didn't do anything. I just can't get my emails from statisticaldesigns.com like I used to. I know the certificate is invalid, but Thunderbird would allow me to bypass it (and remember it). Now, apparently with the new update (?), it doesn't.

Actual results:

See above

Expected results:

See above

I don't now see a 78.5.2 on the tb archive site, just 78.5.0. It works for me in that self-signed certs can be accepted. However, when running a recent trunk version I only got a prompt for a cert override for sending SMTP and not for incoming (IMAP). When I tested with release 78.4.3 and release 78.5.0 it worked for both. Not sure what's going on with this.

Stan, Mine works OK with the releases (as I mentioned above). It also works OK with the daily for 11-22 that I just downloaded. (I probably need to re-build my trunk version with new "hg pull -u" on both comm-central and moz.). By "OK" I mean I'm setting up a new account with the imap and smtp servers running on localhost/127.0.0.1 using STARTTLS with a self-signed certificate.

Anyhow, probably need a bit more information from you. What version were you running prior to 78.5.x that worked ok with your mail server "statistical...."? Are you trying to set up a new account for "statistical..." or are you saying it was working then after a tb update it stopped?

One thing to try is just click the "Get Messages" button with Inbox selected. That may trigger the "confirm exception" dialog for incoming mail. You may need to attempt to send a mail to trigger the exception dialog for outgoing mail.

You might also look inside the file cert_override.txt at the top level of your profile. If the exceptions are recorded you should see a line for incoming and outgoing mail for "statistical..." marked with the appropriate port. I don't know much about this file but it appears if the lines were set on a previous working version that they remain set on an updated tb version so the exception dialog doesn't occur.

I can also delete these two lines, leaving all others in place, and on tb restart I get the exception dialog when I "get message" or attempt to send a message and the lines get written back to the file. I'm not recommending you do this but for your info, my outgoing and incoming lines look like this:
127.0.0.1:1025 OID.2.16.840.1.101.3.4.2.1 9C:79:75:9D:9D:B9:6B:7A:59:<snip>
127.0.0.1:1143 OID.2.16.840.1.101.3.4.2.1 9C:79:75:9D:9D:B9:6B:7A:59:<snip>
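An added example, not code from the bug thread or from Thunderbird: a small parser for the first three fields of cert_override.txt lines in the form shown above (host:port, hash OID, colon-separated fingerprint), plus a check of whether a recorded exception actually matches the certificate a server presents. The file contents and the DER bytes are constructed stand-ins; OID 2.16.840.1.101.3.4.2.1 is id-sha256.

```python
import hashlib

# OID 2.16.840.1.101.3.4.2.1 is id-sha256, the hash algorithm named in the
# cert_override.txt lines quoted in the comment above.
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 digest of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_overrides(text: str) -> dict:
    """Map (host, port) -> (hash_oid, fingerprint) from cert_override.txt text.

    Only the first three whitespace-separated fields are read; comment and
    blank lines are skipped and any trailing fields are ignored.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host, sep, port = fields[0].rpartition(":")
        if len(fields) < 3 or not (sep and port.isdigit()):
            continue  # malformed line: skip rather than guess
        entries[(host, int(port))] = (fields[1], fields[2])
    return entries


def has_matching_override(entries: dict, host: str, port: int, der: bytes) -> bool:
    """True only if an exception exists for host:port AND its fingerprint
    matches the certificate the server actually presented."""
    entry = entries.get((host, port))
    if entry is None:
        return False
    oid, fingerprint = entry
    return oid == SHA256_OID and fingerprint == fingerprint_sha256(der)


# Constructed stand-in for a server's DER certificate (not a real cert).
FAKE_DER = b"constructed stand-in for a self-signed DER certificate"

# Constructed file contents: an exception recorded for SMTP on port 1025 but
# none for IMAP on port 1143.
SAMPLE_OVERRIDES = (
    "# constructed sample, not a real profile file\n"
    f"127.0.0.1:1025 {SHA256_OID} {fingerprint_sha256(FAKE_DER)}\n"
)
```

With the sample file, `has_matching_override` returns True for 127.0.0.1:1025 and False for 127.0.0.1:1143, which is why only one of the two connections would proceed without an exception dialog.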

Ok, I pulled/updated the latest comm- and mozilla- central and rebuilt after clobber. It still won't flag a certificate override for incoming (imap). It still does flag the override when I try to send an email. Then I see the new line in cert_override.txt shown in comment 2 for outgoing smtp port, 1025. If I copy that line and paste it back into cert_override.txt and change the port on the pasted new line to 1143, after tb restart it then works (discovers folders and email are fetched) for incoming/imap with my trunk build and no override dialog occurs.

But this works fine with the latest daily build I just recently downloaded (get an override dialog on click of get new mail and folders are discovered and mail is fetched). What can cause a home-brewed trunk build to not work the same as the officially built daily? Maybe Magnus knows a reason...

Flags: needinfo?(mkmelin+mozilla)

Maybe some patches applied locally causing it?

For this particular bug, if I do nmap -vv --script ssl-cert -Pn -p 993 statisticaldesigns.com it tells me that certificate is only valid for verio.com

| ssl-cert: Subject: commonName=*.verio.com
| Subject Alternative Name: DNS:*.verio.com, DNS:verio.com

That's not usually possible to override.

Flags: needinfo?(mkmelin+mozilla)
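An added illustration, not part of the bug thread, of why the nmap result above means the certificate cannot cover statisticaldesigns.com: a hostname matcher applied to the SAN names shown. The leading `*` on the first SAN entry is assumed (a wildcard name), and the matching rules are the usual client rules rather than NSS's own code.

```python
import ipaddress

# SAN dNSName entries from the nmap output quoted above; the leading "*" on the
# first entry is an assumption (wildcard certificate).
SAN_DNS_NAMES = ["*.verio.com", "verio.com"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname the way TLS clients do.

    Rules: case-insensitive, trailing dot ignored, a wildcard is honoured only
    as the entire leftmost label, it covers exactly one label, and it needs at
    least two labels to its right ("*.com" is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # "w*.example" or "a.*.example" style patterns: reject
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_covered_by_cert(hostname: str, san_dns_names) -> bool:
    """True if some SAN dNSName covers hostname; this is the check whose
    failure Thunderbird reports as a domain mismatch. Once a SAN extension is
    present, clients consult it and not the commonName."""
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals match iPAddress SANs, never dNSName
    except ValueError:
        pass
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


if __name__ == "__main__":
    for host in ("statisticaldesigns.com", "mail.verio.com", "verio.com"):
        print(f"{host}: covered={host_covered_by_cert(host, SAN_DNS_NAMES)}")
```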

Off topic of this bug:

Maybe some patches applied locally causing it?

Thanks Magnus and yes, that's what it was. Had some changes applied and after reading what BenC wrote to me in another bug, I realized they were causing the problem. Working as expected now.

Since the cert is for another domain, I think this is invalid.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Summary: "Up-to-date version" does not allow me to bypass invalid certificate -- grrrrrrrr! → "Up-to-date version" does not allow me to bypass invalid certificate (cert for wrong domain name)

(In reply to Magnus Melin [:mkmelin] from comment #4)

For this particular bug, if I do nmap -vv --script ssl-cert -Pn -p 993 statisticaldesigns.com it tells me that certificate is only valid for verio.com

| ssl-cert: Subject: commonName=*.verio.com
| Subject Alternative Name: DNS:*.verio.com, DNS:verio.com

That's not usually possible to override.

According to this it should be overrideable:
https://searchfox.org/comm-central/source/mozilla/security/manager/ssl/NSSErrorsService.cpp#154

Without deleting and re-entering the account, an override dialog should occur, if overridable, by clicking "Get Messages" button.

But I haven't heard anything more from reporter since comment 0. I'm curious if problem resolved.

Flags: needinfo?(standeming)
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Component: Untriaged → Security