Closed Bug 1977400 Opened 7 months ago Closed 6 months ago

Instant timeout when connecting to SMTP server with self-signed certificate

Categories

(MailNews Core :: Security, defect)

Thunderbird 140
defect

Tracking

(thunderbird_esr140 fixed)

RESOLVED FIXED
144 Branch
Tracking Status
thunderbird_esr140 --- fixed

People

(Reporter: Apfelkomplott, Assigned: KaiE)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

Steps to reproduce:

  1. I set up a new e-mail account with credentials to a server which uses self-signed certificates for TLS/SSL connections. IMAP settings: Port 993 using TLS. SMTP settings: Port 25 using STARTTLS.
  2. Optional: I imported the root certificate of the self-signed server certificate as Certificate Authority (CA)

Actual results:

  • Fetching emails using IMAP works after I accept the self-signed certificate in the dialog that pops up
  • Sending an email fails immediately with a timeout. No dialog is shown where I could accept the certificate.

Expected results:

Sending emails using a server with self-signed certificates should work.

BTW: The problem occurred on a Windows 11 machine.

We had this issue after the update to 141.0esr. Although in our case the issue is a certificate with an invalid domain, rather than a self-signed certificate, it exhibited the same issue.

We fixed it by first setting the connection security to None, and the authentication to "password, transmitted insecurely", sending an email, then changing the connection security back to STARTTLS.

Component: Untriaged → Security
Product: Thunderbird → MailNews Core
Status: UNCONFIRMED → NEW
Ever confirmed: true

Nic Jones:

I can reproduce the bug in 141 and later. It seems to be related to STARTTLS.

Apfelkomplott:

Can you please say in which version you experience this bug?

I don't see a bug in 140. You initially reported this bug against version 140.

I see the bug in 141 and later.

Not sure what happened when I wrote comment 4.

Today I can reproduce with 140, too.

See Also: → 1978461
Assignee: nobody → kaie
Status: NEW → ASSIGNED
See Also: → 1981892

Could you please help to test a potential fix for this bug?

Please download and extract the following build, and run it directly from the extracted directory.
It is a build based on 140.x, so it should work fine with your existing profile from the 140.x version.
(If necessary, you can pass the -P parameter to Thunderbird to get a profile selection prompt.)

Linux 64bit:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/QWctbexDRU2eMWCWEfZx3A/runs/0/artifacts/public/build/target.tar.xz

Windows 64bit:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/X1Yw7SySSvenoU7teEbm7A/runs/0/artifacts/public/build/target.zip

Let me know if you need another platform for testing.

(The test build contains a few additional fixes; the test build is here:
https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=24c779a2db5ec40dd1b5676f48944aceabd973fc )

Does anyone prefer to test the fix with another version, 141, 142, 143 ?

(In reply to Kai Engert [:KaiE:] from comment #7)

Could you please help to test a potential fix for this bug?

Please download and extract the following build, and run it directly from the extracted directory.
It is a build based on 140.x, so it should work fine with your existing profile from the 140.x version.
(If necessary, you can pass the -P parameter to Thunderbird to get a profile selection prompt.)

Linux 64bit:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/QWctbexDRU2eMWCWEfZx3A/runs/0/artifacts/public/build/target.tar.xz

I can confirm it works now! After sending an e-mail the security exceptions dialog appears. Thank you for the fix.

See Also: → 1984403

Hello Kai, thanks for your efforts and sorry for my late reply (my notification settings were broken).

I tested your provided build but it does not seem to solve the problem. But the workaround mentioned in comment 2 is working: Changing the connection security to "None" and sending an email and then changing the setting back to "STARTTLS". This workaround also works with the normal 140 release.

Other colleagues who have configured Thunderbird a long time ago can also use the latest release without problems, i.e. the problem only occurs when configuring a new account (after a new installation). Somehow the security setting (or something else) is not properly set when using the dialog for the first time.

The workaround from comment 2 isn't great, because your login credentials will be leaked over the wire.

I don't understand why sending an email once fixes the problem. Does that really fix the problem permanently, and is still working after a restart of Thunderbird?

Because raal confirmed the fix helps in their configuration we will be landing a fix soon, and I'll request inclusion in the 140 branch, but that might take a couple of weeks.
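The two points raised above, that the "connection security: None" workaround sends the password in clear text and that the landed fix instead offers a certificate override when PKIX validation fails, can be illustrated with a small client. The following is an added example written for this page; it is not Thunderbird's code. It speaks SMTP with STARTTLS, keeps authentication off until TLS is up, and, when the default trust check fails, reports the failure reason and the leaf certificate's SHA-256 fingerprint so an override can be pinned for exactly that host, port and certificate (never for all certificates). The host/port values, the `OverrideStore` layout and the `user_accepts` callback are assumptions for illustration; the OpenSSL verify codes are the standard `X509_V_ERR_*` values.

```python
"""Added example: SMTP STARTTLS with a per-host certificate override.
Not Thunderbird's code; host names, store layout and callback are assumptions."""
import hashlib
import smtplib
import ssl
from dataclasses import dataclass, field

# OpenSSL X509_V_ERR_* codes as surfaced by ssl.SSLCertVerificationError.verify_code
VERIFY_CODE_REASON = {
    9: "not-yet-valid",       # X509_V_ERR_CERT_NOT_YET_VALID
    10: "expired",            # X509_V_ERR_CERT_HAS_EXPIRED
    18: "self-signed",        # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted-root",     # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "unknown-issuer",     # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    62: "hostname-mismatch",  # X509_V_ERR_HOSTNAME_MISMATCH
}


def classify_verify_code(code: int) -> str:
    """Map an OpenSSL verify code to a short reason string; unknown codes are 'other'."""
    return VERIFY_CODE_REASON.get(code, "other")


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated as most UIs show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class OverrideStore:
    """Overrides keyed by (host, port): only the one pinned certificate is accepted there."""
    pins: dict = field(default_factory=dict)

    def add(self, host: str, port: int, der: bytes) -> None:
        self.pins[(host, port)] = cert_fingerprint(der)

    def matches(self, host: str, port: int, der: bytes) -> bool:
        return self.pins.get((host, port)) == cert_fingerprint(der)


def connect_with_override(host: str, port: int, store: OverrideStore, user_accepts):
    """Open an SMTP session with STARTTLS. Credentials are never sent before TLS is up,
    which is what the 'connection security: None' workaround gets wrong.
    Returns (smtp_session, how_trusted)."""
    # 1. Normal path: full PKIX validation against the system trust store.
    strict = ssl.create_default_context()
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.starttls(context=strict)
        return smtp, "verified"
    except ssl.SSLCertVerificationError as exc:
        smtp.close()
        reason = classify_verify_code(exc.verify_code)

    # 2. Validation failed: reconnect without verification ONLY to read the leaf cert,
    #    then decide on the certificate we actually hold in this very session.
    peek = ssl.create_default_context()
    peek.check_hostname = False
    peek.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(host, port, timeout=15)
    smtp.starttls(context=peek)
    der = smtp.sock.getpeercert(binary_form=True)

    if store.matches(host, port, der):
        return smtp, "override"          # previously pinned exactly this certificate
    fingerprint = cert_fingerprint(der)
    if user_accepts(reason, fingerprint):  # e.g. a dialog showing reason + fingerprint
        store.add(host, port, der)
        return smtp, "override-added"
    smtp.close()
    raise ssl.SSLError(f"certificate rejected: {reason}, fingerprint {fingerprint}")


if __name__ == "__main__":
    # Assumed host/port; replace with a real SMTP submission server to try it.
    session, trust = connect_with_override(
        "mail.example.invalid", 587, OverrideStore(),
        user_accepts=lambda reason, fp: print(f"{reason}: {fp}") or False)
    print("trusted via", trust)
    session.quit()
```

The override is scoped to the exact (host, port, certificate) triple, so a later certificate change, or a different certificate presented on the path, fails `matches` and prompts again instead of being silently accepted; that is the property a "set a certificate override" dialog needs to preserve.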

Target Milestone: --- → 144 Branch

Pushed by martin@humanoids.be:
https://hg.mozilla.org/comm-central/rev/a0fa02be96c2
Offer to set a certificate override on PKIX certificate validation failures. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED

Comment on attachment 9506361 [details]
Bug 1977400 - Offer to set a certificate override on PKIX certificate validation failures. r=mkmelin

Uplift Approval Request

  • Please state case for uplift consideration and ensure bug severity is set: Users cannot override expired or self-signed certificates for SMTP servers
  • User impact if declined: Blocked access to user's servers
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Daily?: Yes
  • Has the fix been verified in Beta?: Yes
  • Needs manual test from QA?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • Does the fix cause any migrations to be skipped?: No
  • String changes made/needed:
Attachment #9506361 - Flags: approval-comm-esr140?

Comment on attachment 9506361 [details]
Bug 1977400 - Offer to set a certificate override on PKIX certificate validation failures. r=mkmelin

[Triage Comment]
Approved for esr140

Kai, in the future please assess the risk level in "Why is the change risky/not risky? (and alternatives if risky):"

Attachment #9506361 - Flags: approval-comm-esr140? → approval-comm-esr140+
