Closed Bug 1696906 Opened 4 years ago Closed 2 years ago

messenger.tabs.create does not use Windows Certificate Store for verification of SSL certificates

Categories

(Thunderbird :: Toolbars and Tabs, defect)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: florian.unger, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.107 Safari/537.36

Steps to reproduce:

Open a URL with messenger.tabs.create where the web server uses an SSL certificate whose CA is only present in the Windows Certificate Store.

Actual results:

Opening the website in the tab fails with error "connection is not secure" because the verification of the server SSL certificate fails.

Expected results:

Opening the same URL works in Firefox 78.8.0esr and in Thunderbird 68.12.1 without an SSL Cert error, but not in Thunderbird 78 - tested with 78.1.ß and 78.8.0

Summary: messenger.tabs.create does not use Windows Certificate Store for verification of SSL certifcates → messenger.tabs.create does not use Windows Certificate Store for verification of SSL certificates

The issue was caused by the default setting of preference "security.enterprise_roots.enabled".
I found that in TB68 this defaults to "true" on installation.
But in TB 78 this is set to "false" by default on installation.

It would be great if "security.enterprise_roots.enabled" set to "true" could be the default again.

This behavior seems to be based on the core Firefox platform, not specific to Thunderbird.

Maybe Mike can comment on your request.

Mike, can you confirm this was changed, and was it intentional?

I couldn't find a change after 68 - rather the last change appears to have been in bug 1491664, which was for version 64 (and consequently was active for 68 already).

Florian/Int: Is it possible that you have an enterprise policy that uses an old syntax, and no longer works with recent versions?

We built MiTM detection that could inform the user when antivirus was causing issues with Firefox and they could flip the pref in the certificate error.

That detection was not ready for ESR68, so we made the decision to set security.enterprise_roots.enabled to true on that ESR only.

https://bugzilla.mozilla.org/show_bug.cgi?id=1541012

If you want this to be true, you would need to flip the pref or use policy to do it.
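As an added example (not from this bug thread or from Mozilla's code), a small audit script for the pref-or-policy choice described above: given the text of a profile's prefs.js and, optionally, of a policies.json, it reports whether enterprise roots are trusted and where that setting comes from. The `Certificates.ImportEnterpriseRoots` key is Firefox's enterprise policy name, assumed here to apply to Thunderbird as well; the `default` argument and all sample inputs are constructed for illustration.

```python
import json
import re

PREF = "security.enterprise_roots.enabled"
# Matches lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def pref_from_prefs_js(text):
    """Return True/False if PREF is set in prefs.js text, None if absent."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == PREF:
            value = (m.group(2) == "true")  # a later assignment overrides an earlier one
    return value

def policy_from_json(text):
    """Return the Certificates.ImportEnterpriseRoots value (assumed key), or None."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None  # malformed policy file: treat as "no policy"
    if not isinstance(doc, dict):
        return None
    policies = doc.get("policies")
    certs = policies.get("Certificates") if isinstance(policies, dict) else None
    val = certs.get("ImportEnterpriseRoots") if isinstance(certs, dict) else None
    return val if isinstance(val, bool) else None

def effective_state(prefs_text, policy_text=None, default=False):
    """Policy beats the profile pref; the pref beats the built-in default."""
    if policy_text is not None:
        pol = policy_from_json(policy_text)
        if pol is not None:
            return pol, "policy"
    pref = pref_from_prefs_js(prefs_text)
    if pref is not None:
        return pref, "profile pref"
    return default, "default"

# Constructed sample inputs, not taken from a real installation.
SAMPLE_PREFS = ('user_pref("mail.shell.checkDefaultClient", false);\n'
                'user_pref("security.enterprise_roots.enabled", true);\n')
SAMPLE_POLICY = '{"policies": {"Certificates": {"ImportEnterpriseRoots": true}}}'

if __name__ == "__main__":
    print(effective_state("", None))                 # nothing configured
    print(effective_state(SAMPLE_PREFS))             # pref flipped in the profile
    print(effective_state("", SAMPLE_POLICY))        # set through policy
```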

Mike, thanks a lot for your quick response and the explanation!

Given Thunderbird hasn't changed behavior since version 78, I'm marking this as invalid.

Reporter, please use the workaround described by Mike, if you need it.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID

Hi,
I now use the current AD templates to configure this on all clients and it works very well.
In fact I also helped a little bit to get the official Thunderbird AD templates started. It is great that you maintain the official Thunderbird AD templates so well now.

From my point of view you can close this ticket.
