Closed Bug 1840244 Opened 2 years ago Closed 2 years ago

improved logging when certificate errors are encountered

Categories

(Thunderbird :: Security, defect)

Thunderbird 102

Tracking

(thunderbird_esr115 fixed)

RESOLVED FIXED
119 Branch

People

(Reporter: achowe, Assigned: mkmelin)

References

Details

(Whiteboard: [TM 115.3.1])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0

Steps to reproduce:

Have a private / personal CA (CA:true, keyUsage: keyCertSign enabled). Generated a new host certificate used for SMTP STARTTLS, IMAPS, and POPS. (This is a yearly cert renewal.)

Manually testing with openssl s_client -connect host:993 -CAfile /etc/openssl/cert.pem (containing a copy of the private root CA) shows no issue / error with the host certificate (Verify return code: 0 (ok)).

The private CA has been manually added to TB's Certificate Authorities list.

Start (Windows) TB and it attempts to connect to the IMAPS accounts. Clicking on a message to read also attempts to re-connect and fails.

Actual results:

TB fails to connect to IMAPS.

  • Activity Manager and Error Console provide no information / insight WRT certificate issues.

  • Does not appear to compare the host's Issuer CA against the private root CA that TB has knowledge of.

  • Does not prompt for a server security exception.

  • Impossible to manually add server security exception via Manage Certificates.

From host's maillog, very few details:

Jun 22 18:09:51 mx imapd[7405]: imaps SSL service init from 108.162.xxx.yyy
Jun 22 18:09:51 mx imapd[7405]: imaps SSL service init from 108.162.xxx.yyy
Jun 22 18:09:51 mx imapd[7405]: Unexpected client disconnect, while reading line user=??? host=some.host.name [108.162.xxx.yyy]
Jun 22 18:09:51 mx imapd[7405]: Unexpected client disconnect, while reading line user=??? host=some.host.name [108.162.xxx.yyy]

Expected results:

  • More informative logging.

  • Given a manually added private CA Authority, the Issuer CA should match.

  • Alternatively should have prompted for a server security exception.

  • Should be able to manually add a server security exception:

    • Manually adding an exception assumes the mail host has a https:// server. https://host:993/ does not work.
    • Does not support imaps://host

Workaround:

  • Config Editor
  • Create string entry network.security.ports.banned.override value 993
  • Repeat to manually add server security with https://host:993 now works!

Maybe similar to 1590474.
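
The maillog excerpt in the report shows how little the server side records when a client abandons the session. As an added example (not part of the bug report or of Thunderbird's code), the following heuristic correlates the TLS service init with a pre-login disconnect from the same imapd PID; the pid 7410 session and its `Login` line are constructed for contrast, and a match is only consistent with the client rejecting the certificate, it does not prove it.

```python
import re
from datetime import datetime

# Constructed sample: the four maillog lines quoted in the report, plus a
# constructed session (pid 7410) that reaches login, for contrast.
SAMPLE_LOG = """\
Jun 22 18:09:51 mx imapd[7405]: imaps SSL service init from 108.162.xxx.yyy
Jun 22 18:09:51 mx imapd[7405]: imaps SSL service init from 108.162.xxx.yyy
Jun 22 18:09:51 mx imapd[7405]: Unexpected client disconnect, while reading line user=??? host=some.host.name [108.162.xxx.yyy]
Jun 22 18:09:51 mx imapd[7405]: Unexpected client disconnect, while reading line user=??? host=some.host.name [108.162.xxx.yyy]
Jun 22 18:10:02 mx imapd[7410]: imaps SSL service init from 192.0.2.10
Jun 22 18:10:03 mx imapd[7410]: Login user=alice host=client.example [192.0.2.10]
Jun 22 18:25:40 mx imapd[7410]: Unexpected client disconnect, while reading line user=alice host=client.example [192.0.2.10]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ imapd\[(\d+)\]: (.*)$")
INIT = re.compile(r"^imaps SSL service init from (\S+)$")
DROP = re.compile(r"^Unexpected client disconnect, while reading line user=(\S+)")


def parse_ts(stamp):
    # Syslog stamps carry no year; pin one so the parse is unambiguous.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")


def preauth_tls_drops(log_text, window_s=5):
    """Return (pid, peer, seconds) for sessions dropped before login."""
    started = {}   # pid -> (timestamp, peer) of the TLS service init
    findings = []
    # dict.fromkeys drops exact repeats (the report shows each line twice).
    for raw in dict.fromkeys(log_text.splitlines()):
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = parse_ts(m.group(1)), int(m.group(2)), m.group(3)
        init, drop = INIT.match(msg), DROP.match(msg)
        if init:
            started[pid] = (ts, init.group(1))
        elif drop and drop.group(1) == "???" and pid in started:
            t0, peer = started.pop(pid)
            delta = (ts - t0).total_seconds()
            if 0 <= delta <= window_s:
                findings.append((pid, peer, delta))
    return findings


if __name__ == "__main__":
    for pid, peer, delta in preauth_tls_drops(SAMPLE_LOG):
        print(f"pid {pid}: {peer} dropped {delta:.0f}s after TLS init, before login")
```
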

If you click "Get messages" and there is an overridable cert problem, you will get prompted. This is generally working.

(In reply to Magnus Melin [:mkmelin] from comment #2)

If you click "Get messages" and there is an overridable cert problem, you will get prompted. This is generally working.

Never had to do that before, typically I'm prompted when TB first connects or when I try to read a message and it needs to connect.

Anyway, I tested the above suggestion. I removed my previous server exception; restarted TB just to be sure; and clicked Get Messages. This method did work and I was prompted for a security exception.

However, there are still the other related issues outlined above that need addressing.

I'll grab this bug to make the logging more informative.

Assignee: nobody → mkmelin+mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: No prompt to add security exception for IMAPS certificate. → improved logging when certificate errors are encountered

Make the logging more informative, and make sure connections are closed on receiving bad certs.

Duplicate of this bug: 1851793
Target Milestone: --- → 119 Branch

Pushed by solange@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/099a27e606a8
make bad cert logging more informative. r=babolivier

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

I backed this out. It's breaking browser_attachmentReminder.js somehow.

Backout:
https://hg.mozilla.org/comm-central/rev/f80c2fb1d090b762d472e5729b0ff5e68518de21

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/9c628be72556
make bad cert logging more informative. r=babolivier

Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Comment on attachment 9352447 [details]
Bug 1840244 - make bad cert logging more informative. r=babolivier

[Approval Request Comment]
User impact if declined: more difficult to debug invalid cert issues
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): safe, but could still well bake for a 115 dot.dot release

Attachment #9352447 - Flags: approval-comm-esr115?
Whiteboard: [TM 115.3.1]

Comment on attachment 9352447 [details]
Bug 1840244 - make bad cert logging more informative. r=babolivier

[Triage Comment]
Approved for esr115 after two weeks on beta

Attachment #9352447 - Flags: approval-comm-esr115? → approval-comm-esr115+

