Secure SSL communication problem to IMAP server when using certificate

Status: NEW (Unassigned)
Product: Thunderbird
Component: Security
Reported: 13 years ago
Modified: 6 years ago
Reporter: Radek Valko
Depends on: 2 bugs
Hardware: x86, Windows XP
Attachments: 9

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: Thunderbird version 1.0.7 (20050923)

If I have a private user certificate installed for encrypting my emails, I can't 
use SSL communication to the IMAP server. I'm getting an error message that the number of 
connections is exceeded. But this is not true. Probably Thunderbird uses my 
certificate instead of asking for my password to access the IMAP server. For the POP Gmail 
account this works fine. But for the IMAP account it is not possible to use a certificate 
and SSL communication together. If I uncheck "Use Secure connection (SSL)" 
under the Server Settings tab in the Account Settings manager, then all works fine. If 
I check this and delete my certificate, it works again. But not together.

Reproducible: Always

Steps to Reproduce:
1. Start Thunderbird
2. Create new or use existing IMAP account
3. Go to Tools / Options / Advance / Certificates / Manage certificates
4. Import your private certificate for the email address which is the same as the one for which 
the IMAP account is created.
5. Go to Tools / Account setting / Server setting on Your IMAP account
6. Check "Use secure connection (SSL)"
7. Try to connect to Your IMAP server and download messages

Actual Results:  
Error message :
Maximum connection to server exceeded.

Expected Results:  
Ask for the password which is needed for the connection to the IMAP server.

I tried this on Windows XP SP2 and on MacOS, under Thunderbird 1.0.7 and 1.0.2.

Comment 1

13 years ago
Hi.

Can you please attach a protocol log as described in the link below?

http://www.mozilla.org/quality/mailnews/mail-troubleshoot.html

Comment 2

13 years ago
This is WFM in 1.5beta1
Assignee: dveditz → mscott
(Reporter)

Comment 3

13 years ago
Created attachment 200175 [details]
Log from Thunderbird, protocol IMAP, level 5

Comment 4

13 years ago
we're flat out unable to establish a secure connection to the imap server using
the certificate, according to that log. So the failure is at the SSL level, long
before we even get a chance to send the password to the server. So, my guess is
that the server or the client security code is unhappy with the certificate. You
could try a packet sniffing program like ethereal. It's weird that you didn't
get an error message from the security library, if that indeed is the problem.
I'm not sure what diagnostics are available from the security library. Have you
tried going into the certificate management UI and seeing if it can view your cert?
Comment 5

Radek,
please attach to this bug the two DER certificates that are relevant to this 
bug,  your personal email cert and the IMAP server's cert.  
Please attach them both with MIME content type application/octet-stream.
I'm guessing that we will find that they have the same serial numbers.

Comment 6

13 years ago
hello,

I have the same/a similar problem: happening with Mozilla Thunderbird Version 1.5 (20051201) Linux and Mozilla 1.8 beta2 and seamonkey 1.0 Windows.

I want to sign outgoing emails with one of my IMAP accounts. I have an A-Cert (an Austrian organisation) Certificate in p12 notation for that email address.

If I install this certificate for use in signing, any attempt to connect to the mailserver - for any address in this domain - will produce this message (translated from German):

Error opening secure connection with smtp.domain.at: Error Code -12195

Ethereal log shows that Thunderbird sends my certificate to the server, and the server responds with: "Unknown CA".

So to me it seems like: If Thunderbird has a Certificate for an address, it will try to authenticate itself against the server with this cert and it fails.

It does not matter, if the CA root certificate is installed on the client. The problem disappears when I switch the account to not use ssl for connecting to the server.

thank you,

peter

PS: the NSPR_LOG_FILE stays empty, following above directions.
(Reporter)

Comment 7

13 years ago
Hi again,

I'm sorry for the long delay! I didn't have time to play with Ethereal and analyze packets. But I installed the new version Thunderbird 1.5 and I also generated a new private certificate for my email address. The problem is still the same. I totally agree with Peter - the problem is probably that Thunderbird is trying to use my personal cert. to authenticate to the SMTP server.

1.
I'm using a commercial IMAP server and I can't manage it. I'm also using an SSL connection to this server - but I want to use username and password for authentication. This method is working fine.

2. I created my CA and I also generated and signed a cert. for my email address - just for testing purposes (I used openssl installed on FreeBSD)

3. I installed private cert. file (generated in step 2) to Thunderbird. I can see cert there without problems. I also installed crt file for CA.

4. Close thunderbird and start again.

5. Now it is not possible to connect to the IMAP server. - Probably because Thunderbird is using my private cert. to authenticate to the SMTP server but this SMTP server doesn't know this cert. Thunderbird should use my username and password to authenticate.

6.1 
When I removed my private cert. and restarted Thunderbird - everything is working fine.
or
6.2 (skip 6.1)
When You change the security setting (Tools, Account settings, Server setting) for mail account to NEVER (do not use secure connection) and restart thunderbird - everything is working fine again.

Thanks

Radek
(Reporter)

Comment 8

13 years ago
I would like to summarize and explain again how to reproduce this error (bug). I will describe exactly what I did.

1. Installed thunderbird ;-)

2. created a new IMAP account - let's say for example email address radek@domain1.cz. I also changed the location where to save data on the local hdd.

3. I checked to use SSL (Tools / Account settings / server settings)

4. I created an SMTP account and checked to use TLS for SMTP - for authentication I'm using the same email address radek@domain1.cz (commercial IMAP/SMTP servers)

5. I checked that I can "download" new messages and I can also send messages. Great - Thunderbird is working fine.

6. I added next email account (POP3) - let's say rvalko@domain2.com

7. I checked SSL (Tools / Account settings / server settings) for this account

8. I still can download messages for both accounts and also send new messages (after several restarts of Thunderbird)

9. I created my own CA - using openssl installed on FreeBSD

10. I created user certificates for both email accounts

11. I installed first certificate to thunderbird (Tools/options/privacy/view certificates/Your certificates/import)

12. NOW IT IS IMPORTANT that Thunderbird is working fine until you close it. After restart I'm getting error messages - for IMAP Error Code -12195 and for POP a time out.

13. I tried to change SSL to TLS for both (IMAP+POP) accounts but it didn't help me. Sometimes I got another error message - Maximum connection to server exceeded.

14. When I changed setting for account to not use secure connection to server - everything worked. (after restart)

15. When I checked SSL again and deleted the certificate and restarted Thunderbird - everything worked again. But never together (installed private certificate and checked SSL or TLS for accounts)


My expectation is to use my private certificates (one for each email account) for encryption and digital signing of emails but not for communication with the SMTP/IMAP/POP server. Maybe it's a good idea to add some options in account settings for whether a certificate should be used and which one.

Thanks,

Radek
Version: unspecified → 1.5
Comment 9

Reporters, does this issue still occur in the latest supported 2.0.0.14 / trunk nightlies?
Whiteboard: CLOSEME 2008-06-05

Comment 10

10 years ago
(In reply to comment #9)

Yes and no.  Right now, here's what happens: with security.default_personal_cert set to "Ask Every Time" (I believe that's the relevant setting, I don't think there's any way to get at this from the UI), every time it opens a connection to the SSL-enabled server (IMAP or SMTP) it prompts asking for which certificate to send, the choices being limited to my personal certificate.  You have to hit the somewhat non-intuitive "Cancel."  Since the connection closes periodically, this means that I get this prompt quite a number of times every day.  But it works.  It would be more civilized if I could permanently select a certificate for it to use for each SSL-enabled connection, with "None" and "Ask Every Time" being additional choices.
Comment 11

(In reply to comment #10)

> Since the connection closes periodically, this means that I get this prompt
> quite a number of times every day.  

This tells me that the server is not using any SSL session caching.  That's
a server configuration error, IMO.  It means the server is doing many times
more expensive private key operations than are necessary, and that the users
are getting excessive numbers of prompts.

Also, one wonders why the server requests that the client authenticate 
itself with a certificate if the server in not able to honor those client
certs.  That sounds like another server configuration error.

> It would be more civilized if I could permanently select a certificate for 
> it to use for each SSL-enabled connection, with "None" and "Ask Every Time" 
> being additional choices.

Yes, it would,  I suggest you file an enhancement request "bug".  
OTOH, I'm not aware of any reports of SMTPS or IMAPS servers that successfully
use client authentication certificates.  AFAIK, all the reports I've ever 
received about IMAPS or SMTPS servers requesting client authentication with 
certificates have been reports that the server did not honor the cert.  
None of the reporters of this bug have suggested that the problem is merely 
"the wrong cert" being chosen by the server.  Instead, they indicate that 
when the client supplies a cert, the connection fails.  So, I'd suggest an
additional option, which is: don't do client auth when the server requests it.

Comment 12

10 years ago
I can see this in wireshark: as part of the SSLv3 handshake, the server at once sends Server Hello, its Certificate and a CertificateRequest. When thunderbird then sends my certificate, the server alerts TB of a "Bad Certificate", which TB then ACKs and the server closes the connection.

You can perform a test on the commandline to see the server-request:
"echo 'a001 LOGOUT' | openssl s_client -connect bpop.telekom.at:993"

I think it is trivial for anybody to test in Thunderbird: just use "bpop.telekom.at" as the imaps server (port 993) for a mail account for which you have a certificate on the e-mail address.

What would I have to ask my e-mail provider to change at the server level?
Comment 13

Removing closeme due to more information being present.
Whiteboard: CLOSEME 2008-06-05

Comment 14

10 years ago
Finally I got openssl to use my certificate (had to concatenate private key and user cert into my.crt) - now, when trying my certificate with this server from the openssl command, the server's final error message in the SSL handshake reads: "fatal unknown_ca". (again like in my comment #6 above - which may indicate that it just doesn't accept A-CERT as an authority…)

"echo 'a001 LOGOUT' | openssl s_client -connect bpop.telekom.at:993 -msg -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/a-cert.pem -cert my.crt"

Although it's likely a server configuration error, it would be great if Thunderbird could work around it by ignoring the certificate request - e.g. the window that pops up, "user identification", where I select the certificate would also offer "ignore request" as an option (the default one), and my choice would become permanent. (I second Nelson's comment #11 above.)
Comment 15

When the server requests client authentication, it sends a list of the
names of the issuing CAs whose certificates it will accept for client
authentication purposes.  An empty list means "All certs from all CAs".

The SSL code in Mozilla clients correctly obeys the server's list of 
acceptable issuers, and only sends a client cert if it was issued by 
an issuer in the server's list.  The SSL code in Mozilla clients will
always send as much of the certificate chain for the client certificate
as it possesses, thereby assuring that the server will have enough of 
the chain to verify that the client cert was indeed issued by one of
the CAs named by the servers, except in the case of the empty server 
CA list.

It sounds to me like this server is misconfigured, and/or there is a bug
in the server's SSL software. It is a server software error for the server 
to reject a certificate with "unknown CA" if that cert was issued by a CA 
in the server's list.  
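Nelson's explanation of the server's acceptable-issuer list above (an empty list meaning "any CA"), the later note in this thread that an nsCertType=email cert is never offered for SSL client auth, and the four conditions (a) to (d) spelled out in the thread's final comment can be modelled offline. The following is an added example written for this edit, not Thunderbird or NSS code: it builds and parses an SSLv3/TLS 1.0 CertificateRequest handshake message with constructed DER issuer names, then applies the selection rule to a constructed list of client certificates. The CA names, certificate labels and the flag standing in for the cert's key-usage check are all placeholders, not A-CERT's or the reporters' real data.

```python
"""Model of the CertificateRequest / client-cert selection rule described in
this thread.  Added example; not Thunderbird or NSS code.  The message layout
is the SSLv3/TLS 1.0 one (RFC 2246 section 7.4.4); TLS 1.2 inserts a
signature-algorithm list between the two fields, which is not modelled here."""
import struct
from dataclasses import dataclass

HANDSHAKE_CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request(13)
RSA_SIGN = 1                        # ClientCertificateType rsa_sign(1)


def der_tlv(tag, body):
    # Short-form DER length is enough for the small constructed values here.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def der_name_cn(cn):
    """DER-encode an X.501 Name holding a single CN attribute (OID 2.5.4.3):
    SEQUENCE { SET { SEQUENCE { OID, PrintableString } } }."""
    attr = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x13, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, attr))


def build_certificate_request(cert_types, ca_names):
    """Serialize certificate_types<1..2^8-1> followed by
    certificate_authorities<0..2^16-1> of DistinguishedName<1..2^16-1>."""
    types = bytes([len(cert_types)]) + bytes(cert_types)
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = types + struct.pack("!H", len(cas)) + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


@dataclass
class CertificateRequest:
    cert_types: list
    ca_names: list  # raw DER issuer names; an empty list means "any issuer"


def parse_certificate_request(msg):
    """Parse the handshake message, checking every length field against the data."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or not body:
        raise ValueError("truncated message")
    n_types = body[0]
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types
    if pos + 2 > len(body):
        raise ValueError("missing certificate_authorities length")
    (total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + total
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("bad DistinguishedName length")
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("bad DistinguishedName length")
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    return CertificateRequest(cert_types, names)


@dataclass
class ClientCert:
    label: str
    issuer: bytes          # DER issuer name as it appears in the certificate
    ssl_client_auth: bool  # placeholder for "EKU clientAuth / SSL trust allows client auth"


def eligible_certs(req, certs):
    """Conditions (b)-(d) from the thread: the client has a cert, the cert is
    usable for SSL client auth, and its issuer is in the server's list or the
    list is empty.  S/MIME-only certs (nsCertType=email) never qualify."""
    return [c for c in certs
            if c.ssl_client_auth and (not req.ca_names or c.issuer in req.ca_names)]


def client_will_prompt(req, certs):
    """True when at least one eligible cert exists, i.e. the user sees the prompt."""
    return bool(eligible_certs(req, certs))


# Constructed sample data (placeholders, not real certificates or CAs).
A_CERT_CA = der_name_cn("A-CERT Test Issuer")
OWN_CA = der_name_cn("Radek Test CA")
CERTS = [
    ClientCert("peter@dot.com", A_CERT_CA, True),
    ClientCert("radek@domain1.cz", OWN_CA, True),
    ClientCert("smime-only@domain1.cz", OWN_CA, False),
]

# Zero-length distinguished-names list, as in the wireshark capture: every
# client-auth-capable cert qualifies, so the prompt appears.
EMPTY_LIST_REQUEST = build_certificate_request([RSA_SIGN], [])
# A server that names only the A-CERT issuer: only Peter's cert qualifies.
A_CERT_ONLY_REQUEST = build_certificate_request([RSA_SIGN], [A_CERT_CA])

if __name__ == "__main__":
    for label, msg in (("empty list", EMPTY_LIST_REQUEST), ("A-CERT only", A_CERT_ONLY_REQUEST)):
        req = parse_certificate_request(msg)
        print(label, "->", [c.label for c in eligible_certs(req, CERTS)])
```

Running the file prints which constructed certs would be offered for each message. The point it makes for the cases in this thread: with an empty issuer list, any client-auth-capable cert the user has imported becomes a candidate, which is why the prompt appeared only after a personal cert was installed; a cert restricted to S/MIME use is filtered out before the issuer check. The real client additionally checks the chain, trust flags and key usage, so this models only the rule as stated in the thread.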

Comment 16

10 years ago
Addendum, JFYI: on the choice presented in the mentioned dialogue - when Thunderbird asks which certificate to present to the server - it seems to me to be based on domain name. E.g. my certificate is for me@dot.com; yet, if I want to check mail for the imaps account you@dot.com, Thunderbird will suggest my certificate for me@dot.com, while checking mail for the imaps account him@dot.org will not bring up a prompt; it will just work :)

-- 
peter - also wrote the mail server's postmaster, to no avail till now.
Comment 17

I don't understand comment 16.  

I have suspected for some time now that there is a problem in the mail/news
clients (TB, SM) when they are configured with separate email accounts on 
the same server, each with a separate client certificate used for SSL client 
authentication to the server.  I suspect that they are not making the call
that causes each email account to have its own separate SSL client session
cache, so all the accounts are sharing a single cache.  That will cause the 
problem that, after authenticating with one cert for one account, an attempt
to connect to the same server for another account will use an SSL session 
previously established with a cert for a different account.  

I don't have a server (e.g. IMAPS) with which I can test that suspicion.
pch, it seems that perhaps you do.  If so, perhaps I can help you to do 
that testing.

Comment 18

10 years ago
(In reply to comment #17)

I am administering IT in a small business. There are several mail accounts in the same domain and thunderbird fetches their messages from a single server at the ISP's place. One of these accounts is set up with an ssl certificate in order to sign outgoing e-mails - this cert should not be used to authenticate against the server at all - this is actually impossible, as the ssl handshake always fails when trying to do so. As a matter of fact, all accounts are configured for plain, insecure connections - this is not that much a problem, as data travels only through the ISP's network, yet I'd rather use a secure channel nevertheless.

(1) Now, when I switch any of those imap-accounts to use a secure connection (the server does not support TLS, but can do SSL on port 993), then Thunderbird will prompt for a certificate to use to authenticate against the server the next time I want to check mail, as the server requests that (see previous comments). Not just for the one address the certificate is for (its owner e-mail-address), but for all accounts in the same domain: even if in Thunderbird's account preferences, below S/MIME security, there is no cert provided for this account (signing).

(2) As you, Nelson, did suggest, I now installed another certificate (a self signed one, including my own authority) into thunderbird: the owner-e-mail matches another account's address in this domain. And set it up to sign outgoing messages for that account. Yet, thunderbird will not consider this cert as suitable for authenticating with the server at all - so it will also not give me the choice to select that one, when it prompts for a cert as requested by the server and sends nulls instead (the effect of that being, that the ssl-handshake succeeds!) - this I came to know, as I did delete the other cert, just to see, as I could not select that from tb's prompt...

I do not understand how Thunderbird chooses certificates to authenticate against a server, still it seems to me it does not do so based on (2) the owner-e-mail of the cert - to match the e-mail-address of the account it's currently handling - and (1) also not on the account's signing preference.

This is highly complicated to me, it took me more than an hour to write this down, I hope I have expressed myself clearly!

peter
Comment 19

(In reply to comment #18)
> (In reply to comment #17)
> 
> I am administering IT in a small business.
Do you administer the mail server(s) in question?

> One of these accounts is set up with an ssl certificate in
> order to sign outgoing e-mails - this cert should not be used to authenticate
> against the server at all - this is actually impossible, as the ssl handshake
> always fails when trying to do so. As a matter of fact, all accounts are
> configured for plain, insecure connections - this is not that much a problem,
> as data travels only through the ISP's network, yet I'd rather use a secure
> channel nevertheless.

The above statements are self contradictory.  If you're not using SSL, then
there can be no certificate authentication taking place in the non-existent
SSL handshake.

> (1) Now, when I switch any of those imap-accounts to use a secure connection
> (the server does not support TLS, but can do SSL on port 993), 

Ah, more confusion caused by the grossly misleading and inaccurate labels 
for the security options in the preferences dialogs.  You do not actually 
have a choice between SSL and TLS, despite the fact that the dialog's 
radio button labels make it appear that you do.  The labels are wrong.
But it suffices to say: you're using IMAPS on port 993.

> then Thunderbird
> will prompt for a certificate to use to authenticate against the server the
> next time I want to check mail, as the server requests that (see previous
> comments). Not just for the one address, the certificate is for (its owner
> e-mail-address), but for all accounts in the same domain: even if in
> thunderbirds account preferences, below S/MIME security, there is no cert
> provided for this account (signing).

You are saying that when the global preference is set to ask the user to 
choose a certificate when the server asks, you get asked for all accounts,
even for accounts that have no apparently-related certificate.  This is 
expected, and is another reason why Thunderbird needs per-account prefs 
for recording the user's choice of SSL client auth certificate.

> (2) As you, Nelson, did suggest, I now installed another certificate (a self
> signed one, including my own authority) into thunderbird: the owner-e-mail
> matches another account's address in this domain. And set it up to sign
> outgoing messages for that account. Yet, thunderbird will not consider this
> cert as suitable for authenticating with the server at all - so it will also
> not give me the choice to select that one, when it prompts for a cert as
> requested by the server 

The most probable explanation for this is very simple.  When an SSL server 
requests client authentication, it must send a list of the names of the 
issuers (CAs) whose certificates it will accept for client authentication purposes.  
In the cert selection dialog, your browser only shows you the 
certs that meet the cert selection criteria.  So, self signed certs will 
generally never work for SSL client authentication.

> I do not understand how thunderbird chooses certificates to authenticate
> against a server, still it seems to me, it does not do so based on (2) the
> owner-e-mail of the cert - to match the e-mail-address of the account its
> currently handling - and (1) also not on the accounts signing preference.

Presently, the way it chooses is according to your preference. Your choices 
are:
a) choose "automatically" (which means pick the first cert that was issued 
by any of the CAs named by the server when it requests client authentication),
or
b) ask the user to choose from among the certs issued by any of those CAs.

> This is highly complicated to me, it took me more than an hour to write this
> down, I hope I have expressed myself clearly!

I think your explanation makes a strong case that the mail clients need 
per-account prefs for recording the user's SSL client cert selection, and 
for ensuring that each account uses its own separate SSL client session 
cache, so that different accounts don't use each other's previously-authenticated sessions.

Comment 20

10 years ago
hello Nelson!

I do not administer the server, it's at the ISP's place. I understand now that when using a cert to sign messages I am not doing SSL but S/MIME - please excuse this. I know that TLS is but SSL on the old port 143 after a STARTTLS message and that preferences just have to be labelled somehow ;) Fact is: I can't have S/MIME signing and SSL at the same time.

I do not understand why my self-signed cert is different from the A-CERT one, because both are not built into Thunderbird and appear as software modules instead in the cert manager. Also the server does not send a list of CAs on connecting: wireshark shows a 0-length distinguished names list in the cert request and that should mean it accepts anything (according to your comment #15). Maybe I just made my cert not valid for the purpose of client-auth though (nsCertType=email)...

I now also understand that there is no way in Thunderbird to bind a specific cert for client-authentication to a certain account. And that this is a missing feature, and that the feature would be incomplete if there were no way to tell it to not do client-auth at all.

Thank you for your time and efforts.
Comment 21

In reply to comment 20,
> Maybe I just made my cert not valid for the purpose of client-auth tough
> (nsCertType=email)...

Yes, that will cause the cert to be used for S/MIME only, not for SSL client 
auth, provided that you haven't set an SSL trust flag on that cert.  

BTW, the old Netscape Cert Type extension that you used is deprecated now 
that there exists a truly standard way of doing the same thing.  The 
standardized replacement for the old Netscape Cert Type extension in the 
Extended Key Usage extension.  We're going to discontinue support for the 
old Netscape Cert Type extension at some point in the not-too distant future,
so it would be best to start using the standard extensions ASAP.

Comment 22

10 years ago
I am encountering a very similar error (version 2.0.0.14, in Ubuntu 8.04). Here is what I found:

Any attempt to connect to an IMAP server with SSL enabled will result in Thunderbird attempting to use my certificate to establish the connection. While I don't know a lot about how these protocols work, I'm quite confident this is a bug because I've never needed a certificate before, and installed mine because I felt like it. Now it asks me to select one of my certificates to identify myself to the server, my school's server (imap.service.ohio-state.edu), which requires an SSL connection. If I select one, the connection fails (code -12195). If I hit cancel, the connection will proceed as normal. Thus, I'm able to connect, but I get annoyed by a bogus certificate prompt each time I click on a folder for my school's e-mail.

An additional note, my ISP (brescobroadband.com) uses a secure SMTP server. Sending e-mail through it from an account that has a certificate installed results in the exact same problem as above.

For some reason, when you have a certificate installed for a given account and attempt to establish a secure connection, Thunderbird is trying to use your certificate before anything else, rather than simply connecting through the site's own certificate. If you hit cancel in the certificate selection prompt, you'll be able to connect, but otherwise the connection will fail. If I can find a place to upload screenshots, I'll include them shortly...

Comment 23

10 years ago
Created attachment 329341 [details]
Screenshot of error message, after selecting my certificate

Here I was told to select a certificate to identify myself to imap.service.ohio-state.edu, which requires SSL connections. Only 2 certificates are given as options: the 2 I have private keys for. Hitting cancel will result in a successful connection.

Comment 24

10 years ago
Created attachment 329342 [details]
Screenshot of error message, prompting me for a certificate to identify myself to my ISP's SMTP server

Comment 25

10 years ago
lavagolemking, this is actually an interesting observation which I suspected in the past but couldn't confirm. I suggest you open a new bug with this content (as in comment 22) and we'll investigate this more thoroughly. Post the bug number here or CC me.
Comment 26

In reply to comments 22-24, these comments describe a misconfigured server.
There are at least 4 (likely 5) aspects of this server's configuration at 
issue.

1) The server has been configured to request client authentication on every
SSL connection.  This is why your email client asks you to choose a cert.
The server asks it for a cert, and it asks you.

2. The server tells the client that it will accept a client certificate 
issued by ANY issuer.  It should only identify the actual issuer or 
issuers whose certificates it actually does accept.  If it does not 
accept any client certificates (as I suspect), then it should not request
client certificates AT ALL.

3. The server does not accept your client certificate, and 

4. Having rejected your client certificate, the server disconnects your 
client, rather than allowing your client to fall back to another form of
authentication. 

5. It is also likely that the server has not correctly implemented its 
SSL server session cache.  (This problem is *extremely* common among servers
that exhibit the other problems described above.)

There is only one solution to these problems: get the server properly 
configured.  If your mail service provider refuses to correctly configure
their server, find one that will. 

Comment 27

10 years ago
This seems unlikely for a couple of reasons. First off, I wasn't experiencing any issues until I got the certificates. Second, the SMTP server is TLS, while the IMAP one is SSL, so the issue is presenting itself on 2 protocols. It seems unlikely that 2 different service providers made the same mistake on 2 different protocols. The IMAP server requires authentication in the form of a username/password, not a certificate, and the SMTP one (TLS) doesn't require authentication, except in that I'm on their network. Yet, both are encountering this same problem, which again, if I cancel out of, the connection is successful.

Given that the mail server is that of my ISP (which is hard to avoid, short of SSH-tunneling into my school), and the other one is where I get my school-related e-mail, it's hard for me to simply "find one that will", and even harder for me to prove that their server is misconfigured.

In response to comment 25, I thought that's what this bug report was about, but if it's preferable, I can open it separately.

(In reply to comment #26)

Comment 28

10 years ago
Created attachment 329405 [details]
Settings for BrescoBroadband's SMTP server

All e-mail sent here will inappropriately prompt me to select a certificate.

Comment 29

10 years ago
Created attachment 329406 [details]
Settings for Ohio State's IMAP server, prompting me for a certificate at each folder I click on

Comment 30

10 years ago
I posted it here:
https://bugzilla.mozilla.org/show_bug.cgi?id=445113

(In reply to comment #25)

Comment 31

10 years ago
(In reply to comment #27) I also experience this same problem with an IMAP Server, and the postmaster here actually did respond as I made him aware of the problem and we are about to sort it out.

lavagolemking, you can see the server asking thunderbird to provide a certificate if you paste any of the two commands below into a terminal window on your computer and scan the output for the word "CertificateRequest" (you may have to install the "openssl" package on your system to make it work):

1)
echo "a001 LOGOUT" \
	| openssl s_client -msg \
	-connect imap.service.ohio-state.edu:993
2)
echo "Quit" \
	| openssl s_client -msg -starttls smtp \
	-connect email.brescobroadband.com:25

nelson, the smtpd actually seems to send a list of authorities that it does accept, so shouldn't Thunderbird try to authenticate with a certificate only if it was on the list?

lavagolemking, please vote for bug #437683 - it's an enhancement request, so Thunderbird users are not at the mercy of postmasters of broken servers.

Comment 32

10 years ago
They do use certificates, but they send you the certificates they use. There is one for email.brescobroadband, and another for imap.service.ohio-state.edu. It just doesn't need to (and shouldn't) be mine. They use their own certificates, but Thunderbird isn't giving me the option to use their certificates, only the 2 I have installed (as in with private keys). I had to install certificates for their servers (at least one anyway) a while ago, but those don't show up in the list, which I would think should be the default options.
Comment 33

In reply to comment 27, 
a) when I say that the server is misconfigured, I don't mean the server 
settings in your client, I mean the actual server itself.

b) TLS is simply another name for SSL 3.1.  SSL 3.1 is just a small variation
on SSL 3.0, which is why people refer to TLS as SSL.  It actually IS SSL.

c) The labels in the dialog you showed in the screen shot are incorrect, 
erroneous and misleading.  Those labels have misled you, as they mislead 
most users who read them, into thinking that you are choosing between SSL and
TLS.  You are not.  That Dialog does not actually let you choose between SSL
and TLS, or between any one version of SSL and any other version of SSL.  
It lets you choose if and how SSL will be used with SMTP.  The same set of 
4 radio button choices is used in several similar dialogs.  It is also used
with IMAP and POP3.  Regardless of which of those email protocols uses it,
that dialog lets you choose between these choices (in order)
1) IMAP/SMTP/POP3 without SSL,
2) IMAP/SMTP/POP3 that negotiates the use of SSL 3.x in the middle of the 
   IMAP/SMTP/POP3 protocol.  The protocol starts out with IMAP/SMTP/POP3 
   "in the clear" on the normal port for that protocol, and then attempts to 
   switch to using IMAP/SMTP/POP3 over SSL 3.x, on that same connection, 
   after it gets started.  With this second choice, if the server does not 
   offer SSL 3.x, IMAP/SMTP/POP3 continues on "in the clear" without SSL.
3) This choice is like the second choice, except that if the server does not
   offer SSL 3.x, the client terminates the connection.
4) IMAP/SMTP/POP3 over SSL.  This is on a separate port (not the normal port
   for the protocol).  On this port, SSL is used FIRST, and then only if it
   succeeds does IMAP/SMTP/POP3 begin.

As you can see, the difference is not the choice of SSL 3.0 vs SSL 3.1 (TLS)
at all, but rather is the choice of whether to start SSL first and then SMTP
or to start SMTP first and then SSL.  

Your client doesn't prompt you to choose a certificate unless ALL of the
following are true:
a) The server requests that your client authenticate itself to the server with
   a certificate, and 
b) your client has a certificate (that identifies you), and 
c) your certificate can be used for SSL client authentication, and 
d) your certificate was either 
   - issued by one of the issuers named by the server, or 
   - the server says "I accept certs from all issuers".

The server you are using always asked for a certificate.  Before you had a
cert of your own, your client didn't ask you to choose one (because you had
none to choose from).  But when you got (or created) a cert, and your cert
appeared to be issued by an issuer that is acceptable to the server, your 
client began to ask you to choose it.  

It's that simple.  Your client is doing exactly what it was intended to do.
The fact that your server requests your cert, then rejects it, and does not
allow you to then "fall back" to using a password is all under the control
of the server, and needs to be corrected by the server administrator.
In reply to comment 31, 
> the smtpd actually seems to send a list of authorities that it does accept, 
> so should'nt thunderbird try to authenticate with a certificate only if
> it was on the list?

Yes.  The client should only try to authenticate if the user has a cert that
was issued, directly or indirectly, by an issuer named by the server. 
An empty list of issuer names from the server is understood to mean "any 
issuer".  If the user has a cert with a chain such as A -> B -> C -> D
(where A is the root and D is the user's cert), and the server names any of
A, B or C among its acceptable issuers, or sends an empty list of acceptable issuers, then the client will include D among the certs from which it asks 
the user to choose.  
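
The selection rule from conditions (a) to (d) above, modelled as an added example (not Thunderbird or NSS code): certificates are plain Python objects with constructed subject and issuer names, and the chain A -> B -> C -> D is the one from this comment.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Cert:
    subject: str                  # DN of this certificate (constructed)
    issuer: str                   # DN of the CA that signed it
    client_auth: bool = True      # condition (c): usable for TLS client auth
    has_private_key: bool = True  # condition (b): it is "your" cert

def build_chain(leaf: Cert, store: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links from the leaf up to a self-signed root."""
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].issuer != chain[-1].subject and chain[-1].issuer in store:
        parent = store[chain[-1].issuer]
        if parent.subject in seen:   # stop on a malformed loop
            break
        seen.add(parent.subject)
        chain.append(parent)
    return chain

def candidate_certs(server_requested: bool, acceptable_issuers: List[str],
                    user_certs: List[Cert], store: Dict[str, Cert]) -> List[str]:
    """Subjects of the certs the client would ask the user to choose from."""
    if not server_requested:                       # condition (a)
        return []
    chosen = []
    for cert in user_certs:
        if not (cert.has_private_key and cert.client_auth):  # (b) and (c)
            continue
        # every CA above the leaf counts as a direct or indirect issuer
        issuers = {c.subject for c in build_chain(cert, store)[1:]}
        # (d): an empty CA list from the server means "any issuer"
        if not acceptable_issuers or issuers & set(acceptable_issuers):
            chosen.append(cert.subject)
    return chosen

# Constructed sample PKI: chain A -> B -> C -> D as in the comment above,
# plus an unrelated root E that issued user cert F directly.
A = Cert("CN=A", "CN=A"); B = Cert("CN=B", "CN=A"); C = Cert("CN=C", "CN=B")
D = Cert("CN=D", "CN=C")
E = Cert("CN=E", "CN=E"); F = Cert("CN=F", "CN=E")
STORE = {c.subject: c for c in (A, B, C, E)}
USER_CERTS = [D, F]

if __name__ == "__main__":
    print(candidate_certs(True, [], USER_CERTS, STORE))        # ['CN=D', 'CN=F']
    print(candidate_certs(True, ["CN=B"], USER_CERTS, STORE))  # ['CN=D']
    print(candidate_certs(True, ["CN=Z"], USER_CERTS, STORE))  # []
```

The empty-list case is the one the OSU and Yahoo traces later in this bug show: every client cert with a private key is offered, whether or not the server will actually accept it.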

Comment 35

10 years ago
Then why does it only give me a list of certificates that I own to choose from? Using the server's own certificate isn't an option, so unless I hit cancel in each prompt (which happens each time I click on something), the connection will fail.
In reply to comment 35, 
> why does it only give me a list of certificates that I own to choose from?
Because the server is asking you to identify YOURSELF.  The server doesn't
want you to identify the server to itself.  The server sends you its 
certificate so that the server can be identified to you (the client), the 
server also wants you to send YOUR certificate to IT, so that you (the 
client) can be identified to the server.  That's the whole point of the 
server's request.  It's asking you to use a certificate that identifies YOU,
instead of a password that identifies YOU.  

You're unhappy about this, but understand, you're unhappy about a decision 
that the server administrator has made, to use a feature of SSL that is 
rarely used, a feature for identifying clients to servers with client certificates.  Unfortunately, it appears to have been set up incorrectly 
at the server.  

Comment 37

10 years ago
Ok, then my bug is more of a request, in that I should be able to turn that off. I don't foresee that feature working for a LONG time, since they only use a centralized password system for authentication (which is done on all their servers).

Updated

10 years ago
Assignee: mscott → nobody

Comment 38

10 years ago
> You're unhappy about this, but understand, you're unhappy about a decision 
> that the server administrator has made, to use a feature of SSL that is 
> rarely used, a feature for identifying clients to servers with client
> certificates.  Unfortunately, it appears to have been setup incorrectly 
> at the server.  

Nelson, you've explained this problem very well, thank you, but how can
I explain it to my ISP (ATT, who subcontract their email out to yahoo.com)
so they don't dismiss me as a crank?  (And you know they will :-)

You are obviously expert in this area and perhaps yahoo's mail admin
would listen to an expert rather than a mere paying customer. Is there
a website somewhere that I could refer them to, maybe?  If not, would
you write one? 

Thanks!
Created attachment 356347 [details]
SSL protocol trace for Ohio-state IMAPS server

This protocol trace shows OSU's IMAPS server requesting client auth 
without specifying the names of any trusted issuers (implying that all
issuers are trusted).  This is nearly always a misconfiguration.
Created attachment 356350 [details]
SSL protocol trace for Bresco Broadband SMTPS server

The situation for this server was quite different.  This server sends out a
list of 60 (!) names of CAs that it trusts to issue client certificates, 
including one belonging to Red Hat.  I doubt that's accidental.  If you ask
them about it, they might actually know what you're asking about.

Comment 41

10 years ago
Created attachment 356569 [details]
SSL dialog with a yahoo smtp server for Nelson's inspection.

This is my manual openssl session with an smtp server, but pop3
gives the same result.  I did not attempt to send mail here, so
every verification error must refer to the *server's* cert, not
mine (i.e. I didn't tell openssl to send my cert).

This makes me wonder who is refusing whose certificate, anyway.

Thunderbird is telling me that yahoo is sending an unknown_ca
error about *my* certificate -- could thunderbird be getting
that error message backwards?
Created attachment 356579 [details]
SSL protocol trace for smtp.att.yahoo.com:465

Like OSU, smtp.att.yahoo.com:465 is requesting client authentication but 
is sending an empty list of trusted CA names, typically a sign of server 
misconfiguration.

Comment 43

9 years ago
Question:

Why is this bug marked Depends on: 437683 437685?

Please see comments #48 and #49 of 437683.  It appears that this bug, 313012, may be resolved with a config change, adding an option to an existing config item:

set
   security.default_personal_cert 
to 
   Send no certificate
(not a per account configuration) 

This bug is not assigned. Is there anyone who will work on adding the config option to Thunderbird 3?


Thanks everyone. Please forgive my ignorance of how Depends on: is used.

Comment 44

9 years ago
(In reply to comment #42)
> Created an attachment (id=356579) [details]
> SSL protocol trace for smtp.att.yahoo.com:465
> 
> Like OSU, smtp.att.yahoo.com:465 is requesting client authentication but 
> is sending an empty list of trusted CA names, typically a sign of server 
> misconfiguration.

Is it OK to mark this bug as INVALID?
The bottom line for this bug is: some of the nation's very biggest mail
service providers continue to run misconfigured mail servers, and users
of Thunderbird who have email certificates CANNOT use those servers 
unless and until either
a) those servers are fixed or 
b) TBird gets some sort of per-server client-auth cert configuration that
allows the user to say "don't send a client cert to this server, no matter
how hard it begs".  

That last item should be pretty easy and would make Tbird a lot more useful
to users who're trying to use SMIME certs with Yahoo, most of the DSL ISPs,
etc.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 46

9 years ago
(In reply to comment #45)
> The bottom line for this bug is: some of the nation's very biggest mail
> service providers continue to run misconfigured mail servers, and users
> of Thunderbird who have email certificates CANNOT use those servers 
> unless and until either
> a) those servers are fixed or 
> b) TBird gets some sort of per-server client-auth cert configuration that
> allows the user to say "don't send a client cert to this server, no matter
> how hard it begs".  

Is there a Tech Evangelism bug to track these broken servers?  If not, would you be able to open one?