Open Bug 1694023 Opened 3 years ago Updated 2 years ago

TB doesn't show me a pop-up with a warning about expired certificate for IMAPS and I can't add a security exception

Categories: Thunderbird :: Account Manager, defect

Tracking: Not tracked

People: Reporter: orazio.catucci, Unassigned

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36

Steps to reproduce:

Server's certificate was expired.

Actual results:

TB doesn't show me a pop-up with a warning about that for IMAPS and I can't add a security exception. At the same time I get a popup window for SMTPS, so I can add an exception. In the end I can send email but I can't read the new ones.

I also tried to add an exclusion manually in this way:
servername:993
But TB answers "impossible to retrieve". If I try to get the certificate in this way:
https://servername:443
I get the certificate, but the exclusion doesn't work and the IMAPS session can't come up.

It should be working for IMAP as well. Must be something else special with the invalid certificate.

Summary: Certificate expired prevents imaps session to come up → TB doesn't show me a pop-up with a warning about expired certificate for IMAPS and I can't add a security exception

I also have the same issue with a self-signed mail server certificate and cannot add a security exception for the certificate, because the prompt for adding the exception does not show up. I use TB 78.8 and 78.9. I also confirm the exception cannot be added manually from Certificate Manager if I use 'mail.serverdomain.com:993'; the following message is displayed: 'No information available. Unable to obtain identification status for this site'.
I have found 2 workarounds which let you add the security exception:

Workaround 1:
The email domain (let's say example.com) must be the same as the mail server address (meaning you specify the mail server address as example.com, not mail.example.com) and the Common Name in the self-signed certificate. This is not a very flexible configuration and can be applied only for a few lucky ones.

Workaround 2:

  1. Go to Options > Composition > Addressing
  2. Check Directory server and Edit Directories > Add new
  3. Set name to: 'fakeLdapDirectory'
    Specify server address: mail.mydomain.com
    Base DN: cn=base
    Check 'Use secure connection (SSL)'
    Set port: 993
    Bind DN: cn=user,cn=base
    The Base and Bind DN do not need to exist; cn=user,cn=base will do the trick. Click OK, close the Edit connections dialog.
  4. Select the directory server in the list
  5. Go to Inbox Tab > Address Book
    Select fakeLdapDirectory in the list and type something into the search input on the top right. If asked for a password, type anything, e.g. 'letMeIn'.
    You should get the 'confirm certificate exception' dialog; confirm it, and now mail messages should be downloadable.

I just ran into the same issue.

For me the work-around in https://stackoverflow.com/a/63952132/1039973 worked:

  • Add a string configuration network.security.ports.banned.override with the value 993
  • Download the certificate manually using the Certificate Manager using https://your-server:993
  • Add as an exception

So I just deleted and re-added the account.

On account creation the certificate exception is added automatically without any notice or pop-up. This seems like a privacy issue to me, no?

When I delete the exception from the Certificate Manager or the certificate expires or the certificate changes on the server side I don't get any notification and TB hangs on "Checking capabilities of the server" (translated back from German).

FTR: I am on TB 78.10.0.

(In reply to kg from comment #5)

> So I just deleted and re-added the account.
>
> On account creation the certificate exception is added automatically without any notice or pop-up. This seems like a privacy issue to me, no?

I am sorry, I got confused on that one. I still had the exception in place after deleting the account.

I can confirm this issue. Certificates are expired, but I cannot add exception.

I have tried adding an exception, but Thunderbird claims that it cannot find server information. But I can use curl -vvv and can clearly see a certificate was fetched.

See Also: → 1720878
Status: UNCONFIRMED → NEW
Ever confirmed: true
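The comments above all come down to what the IMAPS server on port 993 actually presents (an expired certificate for the reporter, a self-signed one in a later comment) and whether the client tells the user why it was rejected. The following is an added example, not Thunderbird or Mozilla code: it fetches the leaf certificate from host:993 with verification disabled, extracts the issuer, subject and validity period with a minimal DER walker (standard library only), and reports the reasons a verifier would refuse it. The `build_sample_cert` helper and the name `mail.example.test` are constructed for offline demonstration and are assumptions, not anything from the bug.

```python
import socket, ssl
from datetime import datetime, timezone

def _tlv(buf, pos):                         # one DER tag-length-value -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):             # (tag, value_start, value_end) of every SEQUENCE member
    out = []
    while start < end:
        out.append(_tlv(buf, start)); start = out[-1][2]
    return out
def _asn1_time(buf, tag, vs, ve):           # 0x17 = UTCTime (two-digit year), 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_fields(der):
    """Return (issuer_name_der, subject_name_der, not_before, not_after) of a DER X.509 certificate."""
    _, ts, te = _tlv(der, _tlv(der, 0)[1])  # outer Certificate SEQUENCE, then tbsCertificate SEQUENCE
    f = _children(der, ts, te)
    f = f[1:] if f[0][0] == 0xA0 else f     # skip the optional [0] EXPLICIT version
    validity = _children(der, f[3][1], f[3][2])   # f: serial, sigAlg, issuer, validity, subject, ...
    return (der[f[2][1]:f[2][2]], der[f[4][1]:f[4][2]],
            _asn1_time(der, *validity[0]), _asn1_time(der, *validity[1]))

def diagnose(der, now=None):
    """Reasons a client would reject the certificate: 'expired', 'not_yet_valid', 'self_signed'; else ['ok']."""
    now = now or datetime.now(timezone.utc)
    issuer, subject, not_before, not_after = cert_fields(der)
    checks = (("expired", now > not_after), ("not_yet_valid", now < not_before), ("self_signed", issuer == subject))
    return [reason for reason, bad in checks if bad] or ["ok"]

def fetch_imaps_cert(host, port=993, timeout=10):   # leaf cert the server presents; verification off, diagnostic only
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

def build_sample_cert(subject_cn, issuer_cn, not_before, not_after):
    """Constructed, unsigned test certificate (dummy signature) so the parser can be exercised offline."""
    def der(tag, body):                     # DER TLV with short-form or one-byte long-form length
        return bytes([tag, len(body)] if len(body) < 128 else [tag, 0x81, len(body)]) + body
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))   # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, utc(not_before) + utc(not_after)) + name(subject_cn) + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

Against a live server, `diagnose(fetch_imaps_cert("mail.example.test"))` gives the same answer the curl -vvv session in the comment above only shows indirectly; hostname mismatch is not checked here, since the DER walker stops at the subject.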

I confirm that bug, and another bug for STARTTLS with another solution:
https://bugzilla.mozilla.org/show_bug.cgi?id=1765757
