Open Bug 1919271 Opened 1 year ago Updated 2 months ago

Cannot send encrypted mail to user with S/MIME certificate from "Deutsche Telekom AG secure email CA E05"

Categories

(MailNews Core :: Security: S/MIME, defect)

Product:
MailNews Core
Component:
Security: S/MIME
Version:
Thunderbird 128
Type:
defect

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: falko.strenzke, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0

Steps to reproduce:

I am currently using 128.2.0esr (64-Bit) on Debian 11.

I have in the Thunderbird certificate store the certificates:

  • "Deutsche Telekom AG secure email CA E05" (Subject Key ID 45:EF:6F:A8:A7:9A:E4:EB:CA:CC:5E:4F:A0:5A:95:B2:F5:9A:10:20)
  • and its issuer "T-TeleSec GlobalRoot Class 2" (Subject Key ID BF:59:20:36:00:79:A0:A0:22:6B:8C:D5:F2:61:D2:B8:2C:CB:82:4A)

I have two contacts who each have a valid S/MIME certificate issued by "Deutsche Telekom AG secure email CA E05". I try to encrypt an email to either of these contacts.

Actual results:

I cannot encrypt mails to these recipients. When I try, the GUI shows that no certificate is found for that recipient.

Expected results:

The certificate should have been found as valid. All my colleages don't seem to have a problem with these certificates. They are mostly working with Thunderbird on Windows.

Component: Untriaged → Security: S/MIME
Product: Thunderbird → MailNews Core

You say it's broken with Thunderbird on Debian,
but it's working with Thunderbird on Windows?

That it works under Windows is my conjecture because my colleages who are using Thunderbird on Windows don't seem to have that problem. But it might of course also be a subtle configuration problem on my system. I will try to find another colleage who uses Thunderbird on Linux to see if they have the same problem with those certificates. I will get back to you with more information.

We made some further tests now:

  • On a Debian 10 system with Thunderbird 128 the same error occurs for the affected certificate.
  • On an OpenSUSE Tumbleweed system with Thunderbird 115.15.0 the encryption to the certificate works (at least no error is shown in the compose window)

Also I recall that "up to some point" the same certificate worked on my system as well. Most likely that point was the update to Thunderbird 128.

Would it help if I sent you one of the affected certificates? Then I would ask the certificate holders if they agree to sharing the certificate with you. I would send it to you on a private channel in that case.

(In reply to Falko Strenzke from comment #3)

Would it help if I sent you one of the affected certificates? Then I would ask the certificate holders if they agree to sharing the certificate with you. I would send it to you on a private channel in that case.

yes please

Falko, sorry for the long delay, I had to help out with other tasks.

I don't recall if you sent those certificates to me. I don't see any emails from you on this topic, and I cannot find any emails that mention this bug number.

Flags: needinfo?(falko.strenzke)

Yeah, unfortunately I didn't get the approval (nor denial) from the certificate owner to forward it. I hope to still be able to get this approval on the next occasion when talking to that person.

Flags: needinfo?(falko.strenzke)

The affected certificates have now expired. The new ones are working for some reason – either there is a difference or Thunderbird has fixed the problem in the meantime. So I suggest we close this report.

(In reply to Falko Strenzke from comment #7)

The affected certificates have now expired. The new ones are working for some reason – either there is a difference or Thunderbird has fixed the problem in the meantime. So I suggest we close this report.

Hi Falko,
I think I got the same issue (1949772). It appeared about have a year ago and stayed. There are more and more certificates from a specific CA (I'm not allowed to share :/ ) that can send me encrypted AND SIGNED messages but when I try to answer, I can even click on the "encrypt" button within the mail compose window and the persons mailadress is not highlighted yellow (certificate now found) but normally grey (everything is ok). But when I open the S/MIME dropdown and open the "Show recipients certificates" (dont know the exact name, mine is in german), the users certificate is marked as "not found".
I already did A LOT of troubleshooting but nothing helped.

Did you investigage enything that led to that issue?

Best

You need to log in before you can comment on or make changes to this bug.