Open Bug 1700044 Opened 4 years ago Updated 3 years ago

When using a self-signed certificate for Davical server with non-standard port number, it is no longer permanently accepted, even if told so

Categories

(Calendar :: Provider: CalDAV, defect)

Product:
Calendar
Component:
Provider: CalDAV
Version:
Thunderbird 78
Type:
defect

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: fr, Unassigned)

References

Details

(Keywords: regression)

Attachments

(4 files)

Annoying dialog
112.01 KB, image/png
Details
Bildschirmfoto zu 2021-03-22 09-14-58.png
96.51 KB, image/png
Details
tb91.5.0_x64_Linux_cert_prob.png
139.61 KB, image/png
Details
error_msgs.png
278.22 KB, image/png
Details
Attached image Annoying dialog —

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

I have a Davical calendar that uses a self-signed certificate. Normally, Thunderbird should accept it after being told so (Save exception permanently). The certificate is listed in the list of the settings dialog.

Actual results:

I get dozens of warning messages as my request to Accept the certificate permanently is ignored

Expected results:

Invalid/self-signed certificate should be accepted permanently

See Also: → 1700045
Component: Untriaged → Security
Keywords: regression

Any news on this case? I am really tired of clicking away 30 messages every time I wake up my PC.

Richard, any insight into comment 0?

Flags: needinfo?(richard.leger)

(In reply to Wayne Mery (:wsmwk) from comment #3)

Richard, any insight into comment 0?

@fr,

Have you tried:

  • replace your current self-signed certificate with one which is not expired? We are well past Jul 2015 :-) Just re-generate a new self signed one...
  • in the last version TB 78.11.0 (is it run on Linux, Windows or else?)
  • to remove the certificate exception from the certificate manager windows first, prior re-setting the permanent exception?
  • with another caldav client than Thunderbird
  • access your calendar via a Get request in Firefox something like: https://192.168.2.84/davical/caldav.php/fr/calendar (this is just an example you need to adjust the path to the correct one on your system, I assume here that 192.168.2.84 is your calendar server, running a Davical caldav instance but you may be using something else so the path might be slightly different for you). This way you should be able to check if Firefox can see and handle properly the self signed certificate exception or not?

Let us know how you get on with the above...
Sorry all my caldav instance run free Let's Encrypt or commercial valid certificates so I can no longer test with a self-signed one at the minute...

Cheers,
Richard

Flags: needinfo?(richard.leger)

Thanks very much for helping me. The problem was that the server is running on port 18443 instead of 443. When I added the port in the warning dialog, i.e. [server]:18443, and confirmed the exception, sync became operational again, no more error/warning messages. I took the chance to renew the self-signed certificate, but that did not have an effect (other than making me experiment a bit...). Thanks again, also for your patience.

Felix

(In reply to fr from comment #5)

Thanks very much for helping me. The problem was that the server is running on port 18443 instead of 443. When I added the port in the warning dialog, i.e. [server]:18443, and confirmed the exception, sync became operational again

@fr
Well done and thanks for.your feedback. When you setup you caldav account I suspect you did set the port correctly no?
So in theory TB shall have it detected for the exception, it shall not have assumed 443...

@Wayne
Do you think that may be a bug in TB as not using properly the account settings port when trigerring exception request to end-user?

Flags: needinfo?(vseerror)

Do you think that may be a bug in TB as not using properly the account settings port when trigerring exception request to end-user?

Maybe? I've CC others who should have a more informed opinion

Flags: needinfo?(vseerror)

Reporter claims that his server has port 18443, but TB saved an exception for port 443, so that theory makes sense. However, the question is what exactly the reporter entered, and where.

@fr (Reporter): Please give reproduction steps, starting with a fresh profile. Particularly, which exact and concrete caldav URL do you enter (including port, if you used a port number!), and where exactly you enter it. Is that Lightning, or an extension? Please make a screenshot of the dialog where you enter your server URL. (You may blank out your domain name and user name, but nothing else.) Please follow https://secure.phabricator.com/book/phabcontrib/article/reproduction_steps/

Severity: -- → S4
Component: Security → Provider: CalDAV
Product: Thunderbird → Calendar
Summary: When using a self-signed certificate for Davical, it is no longer permanently accepted, even if told so → When using a self-signed certificate for Davical server with non-standard port number, it is no longer permanently accepted, even if told so
Version: 78 → Thunderbird 78

Ok, assume the calendar address is https://whatever.com:18443/davical/caldav.php/felix/calendar/
The message allowing to add the certificate exception proposes
https://whatever.com
(over and over again, unless you know that you need to add :443 manually). I hope this quick reply will be useful for you, going through the steps one by one will take more time. I am a developer myself, so I can kinda imagine how the code looks like, and that it currently assumes that the standard port of the protocol is used, i.e. the case "port is not equal to the standard one" is not covered - which probably works for most cases...

The update to TB 91.5.0 recent brought the bug back.

Attached image error_msgs.png —

Buy one error message, get 5 free

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: