292840 - cannot send a signed and encrypted mail although the certificates are imported

Status: RESOLVED WORKSFORME

(MailNews Core :: Security: S/MIME, defect, P2)

Description

[Peter Hangya]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.6) Gecko/20050318 Firefox/1.0.2
Build Identifier: Thunderbird/1.0.2 (20050317)

I made a certification authority and authorized keys for all my fellow workers.
Everyone imported his key for signing and all the others' keys for encrypting
the mails. All of us also have imported the CA and its (also self-made) root CA
certificates. Everything is ok (all the certificates are considered valid, we
can send signed and/or encrypted mails to each other) until the next start of
Thunderbird.
After a restart, the program cannot encrypt the messages, because it says there
is no suitable certificate for it. When I open the "manage certificates" panel,
all the certs are there. After closing the panel, everything _works again_.


Reproducible: Always

Steps to Reproduce:
1.start Thunderbird
2.try to send encrypted mail -> error message
3.open "manage certs" panel
4.close it
5.everything works fine until next restart


Actual Results:  
After step 2.:
(the error messages, depending on what did I want to do with it - encrypt or
sign - doing both gives the encryption error msg)

"Sending of message failed.
Unable to sign message. Please check that... ...are valid and trusted."

-or-

"Sending of message failed.
You specified encryption... ...application falied to find an encryption
certificate for [my_email_address]."




Expected Results:  
The mail should have been sent without errors.

Comment 1

[Daniel Veditz [:dveditz]]

We're seeing certificates work here, would help if you attached you CA cert and
one of the signing certs (make up a dummy) to this bug.

Comment 2

[mwf104]

(In reply to comment #0)

I see a bug very similar to this in Linux (build 20050317) with self-made
certificates, but only if the FIPS mode is enabled.  I only get the error that
it cannot find the certifictate for <recipient address>, not the "check...valid
and trusted" one.  This is when trying to send an encrypted email.

If I go to Preferences -> Advanced -> Manage Security Devices and log into the
software security device (PSM Internal FIPS-140-1 Cyryptogr...), then the
encrypted message sends just fine.  Alternatively, if I open a signed email from
<recipient> (which I have saved for this purpose), it prompts for the master
password for the security device and logs me into it.  Then I can switch back to
my compose window and send the encrypted mail without error.

A related issue I have come across is that you can't edit the trust settings for
my homemade certificate authority unless you are logged into the FIPS security
device.  Instead of an error, though, pressing "ok" does nothing.  I can only
use the "cancel" or "help" buttons.  When logged into the FIPS security device,
the "ok" button works.  Again, with FIPS mode disabled, I don't see this issue.

My certificates have worked normally from Netscape 4.x through Mozilla 1.7 and
in Thunderbird as long as FIPS mode is disabled.  

I thought perhaps the original reporter should had to log into the security
device to open the "manage certificates" panel, which is probably why his issue
is resolved after that.  But I can open the panel without entering a password,
only the status of both my and others' certifiates are "unknown" and when I view
them, it says "this certificate could not be verified for unknown reasons." 
Again, logging into the security device corrects the problem.

Comment 3

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 4

[Gervase Markham [:gerv]]

This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.

Comment 5

[Daniel Veditz [:dveditz]]

I don't know if it'll do any good, but I'm reopening.

Comment 6

[Karl Heiz Hinterseeer]

Attachment: certificate for dummy1234@mozilla.org

the CA cert is at http://people.freenet.de/jena/cacert.crt

Comment 7

[Karl Heiz Hinterseeer]

if there is an expired Other People's eMail signing certificate and a valid for the same eMail address, ?sometimes? I was not able to send encrypted eMail.
In fact I couldn't destingish if it is SeaMonky1.0 that cases the problem or the new certificates because the events changing from SeaMonkey beta to 1.0 and new certificates overlap,
but the first mail after I got the new certificate with
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0
, there were no problems with this.
But now, and after I deleted the expired certificate, too, I couldn't send encrypted eMail.
My own certificate is valid and the CA certificate is valid, too, as is the recipients signature.

Comment 8

[Nelson Bolyard (seldom reads bugmail)]

Perhaps yet another manifestation of bug 335021 ?

Comment 9

[Kai Engert (:KaiE:)]

If you can, please try a nightly build from latest-mozilla1.8
and test whether behaviour has improved. Thanks!

Comment 10

[Karl Heiz Hinterseeer]

tried  with 2006052909 but this doesn't help.
I tried sending encrypted  on different PCs, W98, ME, XP and could reproduce that it was exactly one (the first) time possible to  send encrypted with the SeaMonkey release version but never after with the same key ("application failed to find certificate" but it is present in Peoples Certificates)
The root CA certificate moved from Authorities where it resides in the session I installed it for eMail signing and encryption to Your Certificates after the next SeaMonkey restart!

Comment 11

[Kai Engert (:KaiE:)]

needs analysis of the attached cert

Comment 12

[Alan Batie]

I finally upgraded to 2.0.0.6 (OSX 10.4.10), and it lost my certs.  I reimported one, and it still thinks it's not there, even after restarting.  Attaching screenshots.  Oh, and it *still* tries to save drafts signed, which is *completely* the wrong thing to do.

Comment 13

[Alan Batie]

Attachment: Shows the cert overview in tbird, with expiration date in the future

Comment 14

[Alan Batie]

Attachment: Shows certificate details, namely the subject matches the email address

Comment 15

[Alan Batie]

Attachment: Shows the error message issued when trying to send a signed message using that address

Comment 16

[Alan Batie]

Fixed by going back into preferences and reselecting the certificate.

Comment 17

[Bob Lord]

This is pretty old and I have not seen this issue.  Please reopen if you can reproduce with TB3.