Closed Bug 1708933 Opened 3 years ago Closed 3 years ago

"Add Security Exception" popup for a certificate warning causes Thunderbird to get stuck in a loop requiring Thunderbird to be killed

Categories

(Thunderbird :: Security, defect)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: mozillabugs, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

While running normally, if the Certificate issuer renews the certificate for a mailserver, Thunderbird raises the error dialog.

Actual results:

- The warning dialog, "Add security exception", is window-modal, so the user cannot do anything with Thunderbird's main window while the dialog is up (but other open windows can be used).
- Clicking on "Confirm security exception" or "Cancel" does cause the dialog to close, but neither of them -- even if "Get certificate" etc. was clicked and accepted -- causes the dialog to stop immediately re-appearing.
- Since the dialog keeps appearing, that requires restarting Thunderbird to fix the problem.

Some diagnostics show that this happens when the certificate on the server is renewed. And for some certificate issuers, the renewal rate can be as low as 4 months. This means the bug can be triggered every 4 months, and given a lack of session restore (for Thunderbird windows, including composer windows) that means that a lot of work can potentially be lost in the restart, not to mention the annoyance of the process and bringing back all the windows you had open.

There was already a bug filed for this 11 years ago (Bug 539939), but it was closed, and I was told to open a new one instead of commenting there. So hence this bug filing. That bug also references another closed bug 493980.

Tested on Thunderbird 68 (Linux Fedora 31), and many versions prior to it which all had the bug (I am thinking about an upgrade to version 78 -- but the changelog says a lot of my extensions will no longer work, so that makes me hesitant).

My mailserver's sys admin is willing to help in debugging/testing this.

Expected results:

Once you click on either "Cancel" or "Confirm security exception" the dialog should go away and perform the specified action, without reappearing.

It seems a similar problem is present in Thunderbird 78: https://stackoverflow.com/questions/65003655/thunderbird-keeps-asking-me-to-add-security-exception where someone suggests editing "cert_override.txt". That makes me a little nervous, so I will wait to hear what the devs say.

Component: Untriaged → Security
See Also: → 539939
Flags: needinfo?(mkmelin+mozilla)

Since this is reported against 68, let's close. How this is handled was almost completely changed for 78.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → WORKSFORME