Open Bug 313012 Opened 19 years ago Updated 2 years ago

Secure SSL communication problem to IMAP server when using certificate

Categories: Thunderbird :: Security, defect (x86, Windows XP)
Tracking: Not tracked
People: Reporter: radek, Unassigned
References: Depends on 2 open bugs
Details: Whiteboard: [brokenserver]
Attachments: 9 files

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: Thunderbird version 1.0.7 (20050923)

If I have installed a private user certificate for encrypting my emails, I can't use SSL communication to the IMAP server. I'm getting an error message that the number of connections was exceeded. But this is not true. Probably Thunderbird uses my certificate instead of asking for my password to access the IMAP server. For a POP Gmail account this works fine. But for an IMAP account it is not possible to use a certificate and SSL communication together. If I uncheck "Use Secure connection (SSL)" under the server settings tab in the Account settings manager, then all works fine. If I check this and delete my certificate, it works again. But not together.

Reproducible: Always

Steps to Reproduce:
1. Start Thunderbird
2. Create a new or use an existing IMAP account
3. Go to Tools / Options / Advanced / Certificates / Manage certificates
4. Import your private certificate for the email address which is the same one for which the IMAP account was created.
5. Go to Tools / Account settings / Server settings on your IMAP account
6. Check "Use secure connection (SSL)"
7. Try to connect to your IMAP server and download messages

Actual Results:
Error message: Maximum connections to server exceeded.

Expected Results:
Ask for the password which is needed for the connection to the IMAP server.

I tried this on Windows XP SP2 and on MacOS, under Thunderbird 1.0.7 and 1.0.2
Hi. Can you please attach a protocol log as described in the link below? http://www.mozilla.org/quality/mailnews/mail-troubleshoot.html
This is WFM in 1.5beta1
Assignee: dveditz → mscott
We're flat out unable to establish a secure connection to the IMAP server using the certificate, according to that log. So the failure is at the SSL level, long before we even get a chance to send the password to the server. So, my guess is that the server or the client security code is unhappy with the certificate. You could try a packet sniffing program like Ethereal. It's weird that you didn't get an error message from the security library, if that indeed is the problem. I'm not sure what diagnostics are available from the security library. Have you tried going into the certificate management UI and seeing if it can view your cert?
Radek, please attach to this bug the two DER certificates that are relevant to this bug, your personal email cert and the IMAP server's cert. Please attach them both with MIME content type application/octet-stream. I'm guessing that we will find that they have the same serial numbers.
Hello, I have the same/a similar problem, happening with Mozilla Thunderbird Version 1.5 (20051201) Linux, Mozilla 1.8 beta2 and SeaMonkey 1.0 Windows. I want to sign outgoing emails with one of my IMAP accounts. I have an A-Cert (an Austrian organisation) certificate in p12 notation for that email address. If I install this certificate for use in signing, any attempt to connect to the mailserver - for any address in this domain - will produce this message (translated from German):

Error opening secure connection with smtp.domain.at: Error Code -12195

An Ethereal log shows that Thunderbird sends my certificate to the server, and the server responds with: "Unknown CA". So to me it seems like: if Thunderbird has a certificate for an address, it will try to authenticate itself against the server with this cert and it fails. It does not matter if the CA root certificate is installed on the client. The problem disappears when I switch the account to not use SSL for connecting to the server. Thank you, peter

PS: the NSPR_LOG_FILE stays empty, following the above directions.
Hi again, I'm sorry for the long delay! I didn't have time to play with Ethereal and analyze packets. But I installed the new version Thunderbird 1.5 and I also generated a new private certificate for my email address. The problem is still the same. I totally agree with Peter - the problem is probably that Thunderbird is trying to use my personal cert. to authenticate to the SMTP server.
1. I'm using a commercial IMAP server and I can't manage it. I'm also using an SSL connection to this server - but I want to use username and password for authentication. This method is working fine.
2. I created my CA and I also generated and signed a cert. for my email address - just for testing purposes (I used openssl installed on FreeBSD)
3. I installed the private cert. file (generated in step 2) into Thunderbird. I can see the cert there without problems. I also installed the crt file for the CA.
4. Close Thunderbird and start again.
5. Now it is not possible to connect to the IMAP server. - Probably because Thunderbird is using my private cert. to authenticate to the SMTP server but this SMTP server doesn't know this cert. Thunderbird should use my username and password to authenticate.
6.1 When I removed my private cert. and restarted Thunderbird - everything is working fine.
or
6.2 (skip 6.1) When you change the security setting (Tools, Account settings, Server setting) for the mail account to NEVER (do not use secure connection) and restart Thunderbird - everything is working fine again.
Thanks Radek
I would like to summarize and explain again how to reproduce this error (bug). I will describe exactly what I did.
1. Installed Thunderbird ;-)
2. Created a new IMAP account - let's say for example email address radek@domain1.cz. I also changed the location where to save data on the local hdd.
3. I checked to use SSL (Tools / Account settings / server settings)
4. I created an SMTP account. I checked to use TLS for SMTP - for authentication I'm using the same email address radek@domain1.cz (commercial IMAP/SMTP servers)
5. I checked that I can "download" new messages and I can also send messages. Great - Thunderbird is working fine.
6. I added the next email account (POP3) - let's say rvalko@domain2.com
7. I checked SSL (Tools / Account settings / server settings) for this account
8. I still can download messages for both accounts and also send new messages (after several restarts of Thunderbird)
9. I created my own CA - using openssl installed on FreeBSD
10. I created user certificates for both email accounts
11. I installed the first certificate into Thunderbird (Tools/options/privacy/view certificates/Your certificates/import)
12. NOW IT IS IMPORTANT that Thunderbird is working fine until you close it. After a restart I'm getting error messages - for IMAP Error Code -12195 and for POP a time out.
13. I tried to change SSL to TLS for both (IMAP+POP) accounts but it didn't help me. Sometimes I got another error message - Maximum connections to server exceeded.
14. When I changed the setting for the account to not use a secure connection to the server - everything worked. (after restart)
15. When I checked SSL again and deleted the certificate and restarted Thunderbird - everything worked again.
But never together (installed private certificate and checked SSL or TLS for accounts). My expectation is to use my private certificates (one for each email account) for encryption and digital signing of emails but not for communication with the SMTP/IMAP/POP server.
Maybe it's a good idea to add some options in account settings for whether a certificate should be used and which one. Thanks, Radek
Version: unspecified → 1.5
Reporters, does this issue still occur in the latest supported 2.0.0.14 / trunk nightlies?
Whiteboard: CLOSEME 2008-06-05
(In reply to comment #9) Yes and no. Right now, here's what happens: with security.default_personal_cert set to "Ask Every Time" (I believe that's the relevant setting, I don't think there's any way to get at this from the UI), every time it opens a connection to the SSL-enabled server (IMAP or SMTP) it prompts asking for which certificate to send, the choices being limited to my personal certificate. You have to hit the somewhat non-intuitive "Cancel." Since the connection closes periodically, this means that I get this prompt quite a number of times every day. But it works. It would be more civilized if I could permanently select a certificate for it to use for each SSL-enabled connection, with "None" and "Ask Every Time" being additional choices.
(In reply to comment #10)
> Since the connection closes periodically, this means that I get this prompt quite a number of times every day.

This tells me that the server is not using any SSL session caching. That's a server configuration error, IMO. It means the server is doing many times more expensive private key operations than are necessary, and that the users are getting excessive numbers of prompts. Also, one wonders why the server requests that the client authenticate itself with a certificate if the server is not able to honor those client certs. That sounds like another server configuration error.

> It would be more civilized if I could permanently select a certificate for it to use for each SSL-enabled connection, with "None" and "Ask Every Time" being additional choices.

Yes, it would, I suggest you file an enhancement request "bug". OTOH, I'm not aware of any reports of SMTPS or IMAPS servers that successfully use client authentication certificates. AFAIK, all the reports I've ever received about IMAPS or SMTPS servers requesting client authentication with certificates have been reports that the server did not honor the cert. None of the reporters of this bug have suggested that the problem is merely "the wrong cert" being chosen by the server. Instead, they indicate that when the client supplies a cert, the connection fails. So, I'd suggest an additional option, which is: don't do client auth when the server requests it.
I can see this in Wireshark: as part of the SSLv3 handshake, the server at once sends Server Hello, its Certificate and a CertificateRequest. When Thunderbird then sends my certificate, the server alerts TB of a "Bad Certificate", which TB then ACKs and the server closes the connection. You can perform a test on the command line to see the server request:

echo 'a001 LOGOUT' | openssl s_client -connect bpop.telekom.at:993

I think it is trivial for anybody to test in Thunderbird: just use "bpop.telekom.at" as the IMAPS server (port 993) for a mail account for which you have a certificate on the e-mail address. What would I have to ask my e-mail provider to change at the server level?
Removing closeme due to more information being present.
Whiteboard: CLOSEME 2008-06-05
Finally I got openssl to use my certificate (had to concatenate private key and user cert into my.crt) - now, when trying my certificate with this server from the openssl command, the server's final error message in the SSL handshake reads: "fatal unknown_ca". (again like in my comment #6 above - which may indicate that it just doesn't accept A-CERT as an authority…)

echo 'a001 LOGOUT' | openssl s_client -connect bpop.telekom.at:993 -msg -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/a-cert.pem -cert my.crt

Although it's likely a server configuration error, it would be great if Thunderbird could work around it by ignoring the certificate request - e.g. the window that pops up ("user identification") where I select the certificate would also offer "ignore request" as an option (the default one), and my choice would become permanent. (I second Nelson's comment #11 above.)
When the server requests client authentication, it sends a list of the names of the issuing CAs whose certificates it will accept for client authentication purposes. An empty list means "All certs from all CAs". The SSL code in Mozilla clients correctly obeys the server's list of acceptable issuers, and only sends a client cert if it was issued by an issuer in the server's list. The SSL code in Mozilla clients will always send as much of the certificate chain for the client certificate as it possesses, thereby assuring that the server will have enough of the chain to verify that the client cert was indeed issued by one of the CAs named by the server, except in the case of the empty server CA list. It sounds to me like this server is misconfigured, and/or there is a bug in the server's SSL software. It is a server software error for the server to reject a certificate with "unknown CA" if that cert was issued by a CA in the server's list.
Addendum, JFYI: on the choice presented in the mentioned dialogue - when Thunderbird asks which certificate to present to the server: it seems to me to be based on domain name. E.g. my certificate is for me@dot.com; yet, if I want to check mail for the IMAPS account you@dot.com, Thunderbird will suggest my certificate for me@dot.com, while checking mail for the IMAPS account him@dot.org will not bring up a prompt, it will just work :) -- peter - also wrote the mail server's postmaster, to no avail till now.
I don't understand comment 16. I have suspected for some time now that there is a problem in the mail/news clients (TB, SM) when they are configured with separate email accounts on the same server, each with a separate client certificate used for SSL client authentication to the server. I suspect that they are not making the call that causes each email account to have its own separate SSL client session cache, so all the accounts are sharing a single cache. That will cause the problem that, after authenticating with one cert for one account, an attempt to connect to the same server for another account will use an SSL session previously established with a cert for a different account. I don't have a server (e.g. IMAPS) with which I can test that suspicion. pch, it seems that perhaps you do. If so, perhaps I can help you to do that testing.
(In reply to comment #17) I am administering IT in a small business. There are several mail accounts in the same domain and thunderbird fetches their messages from a single server at the ISP's place. One of these accounts is set up with an ssl certificate in order to sign outgoing e-mails - this cert should not be used to authenticate against the server at all - this is actually impossible, as the ssl handshake always fails when trying to do so. As a matter of fact, all accounts are configured for plain, insecure connections - this is not that much a problem, as data travels only through the ISP's network, yet I'd rather use a secure channel nevertheless. (1) Now, when I switch any of those imap-accounts to use a secure connection (the server does not support TLS, but can do SSL on port 993), then Thunderbird will prompt for a certificate to use to authenticate against the server the next time I want to check mail, as the server requests that (see previous comments). Not just for the one address, the certificate is for (its owner e-mail-address), but for all accounts in the same domain: even if in thunderbirds account preferences, below S/MIME security, there is no cert provided for this account (signing). (2) As you, Nelson, did suggest, I now installed another certificate (a self signed one, including my own authority) into thunderbird: the owner-e-mail matches another account's address in this domain. And set it up to sign outgoing messages for that account. Yet, thunderbird will not consider this cert as suitable for authenticating with the server at all - so it will also not give me the choice to select that one, when it prompts for a cert as requested by the server and sends nulls instead (the effect of that being, that the ssl-handshake succeeds!) - this I came to know, as I did delete the other cert, just to see, as I could not select that from tb's prompt... 
I do not understand how thunderbird chooses certificates to authenticate against a server, still it seems to me, it does not do so based on (2) the owner-e-mail of the cert - to match the e-mail-address of the account its currently handling - and (1) also not on the accounts signing preference. This is highly complicated to me, it took me more than an hour to write this down, I hope I have expressed myself clearly! peter
(In reply to comment #18)
> (In reply to comment #17)
> I am administering IT in a small business.

Do you administer the mail server(s) in question?

> One of these accounts is set up with an ssl certificate in order to sign outgoing e-mails - this cert should not be used to authenticate against the server at all - this is actually impossible, as the ssl handshake always fails when trying to do so. As a matter of fact, all accounts are configured for plain, insecure connections - this is not that much a problem, as data travels only through the ISP's network, yet I'd rather use a secure channel nevertheless.

The above statements are self-contradictory. If you're not using SSL, then there can be no certificate authentication taking place in the non-existent SSL handshake.

> (1) Now, when I switch any of those imap-accounts to use a secure connection (the server does not support TLS, but can do SSL on port 993),

Ah, more confusion caused by the grossly misleading and inaccurate labels for the security options in the preferences dialogs. You do not actually have a choice between SSL and TLS, despite the fact that the dialog's radio button labels make it appear that you do. The labels are wrong. But it suffices to say: you're using IMAPS on port 993.

> then Thunderbird will prompt for a certificate to use to authenticate against the server the next time I want to check mail, as the server requests that (see previous comments). Not just for the one address the certificate is for (its owner e-mail-address), but for all accounts in the same domain: even if in thunderbirds account preferences, below S/MIME security, there is no cert provided for this account (signing).

You are saying that when the global preference is set to ask the user to choose a certificate when the server asks, you get asked for all accounts, even for accounts that have no apparently-related certificate. This is expected, and is another reason why Thunderbird needs per-account prefs for recording the user's choice of SSL client auth certificate.

> (2) As you, Nelson, did suggest, I now installed another certificate (a self signed one, including my own authority) into thunderbird: the owner-e-mail matches another account's address in this domain. And set it up to sign outgoing messages for that account. Yet, thunderbird will not consider this cert as suitable for authenticating with the server at all - so it will also not give me the choice to select that one, when it prompts for a cert as requested by the server

The most probable explanation for this is very simple. When an SSL server requests client authentication, it must send a list of the names of the issuers (CAs) whose certificates it will accept for client authentication purposes. In the cert selection dialog, your browser only shows you the certs that meet the cert selection criteria. So, self-signed certs will generally never work for SSL client authentication.

> I do not understand how thunderbird chooses certificates to authenticate against a server, still it seems to me, it does not do so based on (2) the owner-e-mail of the cert - to match the e-mail-address of the account its currently handling - and (1) also not on the accounts signing preference.

Presently, the way it chooses is according to your preference. Your choices are: a) choose "automatically" (which means pick the first cert that was issued by any of the CAs named by the server when it requests client authentication), or b) ask the user to choose from among the certs issued by any of those CAs.

> This is highly complicated to me, it took me more than an hour to write this down, I hope I have expressed myself clearly!

I think your explanation makes a strong case that the mail clients need per-account prefs for recording the user's SSL client cert selection, and for ensuring that each account uses its own separate SSL client session cache, so that different accounts don't use each other's previously-authenticated sessions.
Hello Nelson! I do not administer the server, it's at the ISP's place. I understand now that when using a cert to sign messages I am not doing SSL but S/MIME - please excuse this. I know that TLS is but SSL on the old 143 port after a STARTTLS message and that preferences just have to be labelled somehow ;) Fact is: I can't have S/MIME signing and SSL at the same time. I do not understand why my self-signed cert is different from the A-CERT one, because both are not built into Thunderbird and appear as software modules instead in the cert manager. Also the server does not send a list of CAs on connecting: Wireshark shows a 0-length distinguished names list in the cert request and that should mean it accepts anything (acc. your comment #15). Maybe I just made my cert not valid for the purpose of client auth though (nsCertType=email)... I now also understand that there is no way in Thunderbird to bind a specific cert for client authentication to a certain account. And that this is a missing feature, and that the feature would be incomplete if there was no way to tell it to not do client auth at all. Thank you for your time and efforts.
In reply to comment 20,
> Maybe I just made my cert not valid for the purpose of client-auth though (nsCertType=email)...

Yes, that will cause the cert to be used for S/MIME only, not for SSL client auth, provided that you haven't set an SSL trust flag on that cert. BTW, the old Netscape Cert Type extension that you used is deprecated now that there exists a truly standard way of doing the same thing. The standardized replacement for the old Netscape Cert Type extension is the Extended Key Usage extension. We're going to discontinue support for the old Netscape Cert Type extension at some point in the not-too-distant future, so it would be best to start using the standard extensions ASAP.
I am encountering a very similar error (version 2.0.0.14, in Ubuntu 8.04). Here is what I found: Any attempt to connect to an IMAP server with SSL enabled will result in Thunderbird attempting to use my certificate to establish the connection. While I don't know a lot about how these protocols work, I'm quite confident this is a bug because I've never needed a certificate before, and installed mine because I felt like it. Now it asks me to select one of my certificates to identify myself to the server, my school's server (imap.service.ohio-state.edu), which requires an SSL connection. If I select one, the connection fails (code -12195). If I hit cancel, the connection will proceed as normal. Thus, I'm able to connect, but I get annoyed by a bogus certificate prompt each time I click on a folder for my school's e-mail. An additional note, my ISP (brescobroadband.com) uses a secure SMTP server. Sending e-mail through it from an account that has a certificate installed results in the exact same problem as above. For some reason, when you have a certificate installed for a given account and attempt to establish a secure connection, Thunderbird is trying to use your certificate before anything else, rather than simply connecting through the site's own certificate. If you hit cancel in the certificate selection prompt, you'll be able to connect, but otherwise the connection will fail. If I can find a place to upload screenshots, I'll include them shortly...
Here I was told to select a certificate to identify myself to imap.service.ohio-state.edu, which requires SSL connections. Only 2 certificates are given as options: the 2 I have private keys for. Hitting cancel will result in a successful connection.
lavagolemking, this is actually an interesting observation which I suspected in the past but couldn't confirm. I suggest you open a new bug with this content (as in comment 22) and we'll investigate this somewhat more thoroughly. Post the bug number here or CC me.
In reply to comments 22-24, these comments describe a misconfigured server. There are at least 4 (likely 5) aspects of this server's configuration at issue.
1) The server has been configured to request client authentication on every SSL connection. This is why your email client asks you to choose a cert. The server asks it for a cert, and it asks you.
2) The server tells the client that it will accept a client certificate issued by ANY issuer. It should only identify the actual issuer or issuers whose certificates it actually does accept. If it does not accept any client certificates (as I suspect), then it should not request client certificates AT ALL.
3) The server does not accept your client certificate, and
4) Having rejected your client certificate, the server disconnects your client, rather than allowing your client to fall back to another form of authentication.
5) It is also likely that the server has not correctly implemented its SSL server session cache. (This problem is *extremely* common among servers that exhibit the other problems described above.)
There is only one solution to these problems: get the server properly configured. If your mail service provider refuses to correctly configure their server, find one that will.
This seems unlikely for a couple of reasons. First off, I wasn't experiencing any issues until I got the certificates. Second, the SMTP server is TLS, while the IMAP one is SSL, so the issue is presenting itself on 2 protocols. It seems unlikely that 2 different service providers made the same mistake on 2 different protocols. The IMAP server requires authentication in the form of a username/password, not a certificate, and the SMTP one (TLS) doesn't require authentication, except in that I'm on their network. Yet, both are encountering this same problem, which again, if I cancel out of, the connection is successful. Given that the mail server is that of my ISP (which is hard to avoid, short of SSH-tunneling into my school), and the other one is where I get my school-related e-mail, it's hard for me to simply "find one that will", and even harder for me to prove that their server is misconfigured. In response to comment 25, I thought that's what this bug report was about, but if it's preferable, I can open it separately.

(In reply to comment #26)
> In reply to comments 22-24, These comments describe a misconfigured server. There are at least 4 (likely 5) aspects of this server's configuration at issue.
>
> 1) The server has been configured to request client authentication on every SSL connection. This is why your email client asks you to choose a cert. The server asks it for a cert, and it asks you.
>
> 2. The server tells the client that it will accept a client certificate issued by ANY issuer. It should only identify the actual issuer or issuers whose certificates it actually does accept. If it does not accept any client certificates (as I suspect), then it should not request client certificates AT ALL.
>
> 3. The server does not accept your client certificate, and
>
> 4. Having rejected your client certificate, the server disconnects your client, rather than allowing your client to fall back to another form of authentication.
>
> 5. It is also likely that the server has not correctly implemented its SSL server session cache. (This problem is *extremely* common among servers that exhibit the other problems described above.)
>
> There is only one solution to these problems: get the server properly configured. If your mail service provider refuses to correctly configure their server, find one that will.
All e-mail sent here will inappropriately prompt me to select a certificate.
I posted it here: https://bugzilla.mozilla.org/show_bug.cgi?id=445113

(In reply to comment #25)
> lavagolemking, this is actually an interesting observation which I suspected in the past but couldn't confirm. I suggest you open a new bug with this content (as in comment 22) and we'll investigate this somewhat more thorough. Post the bug number here or CC me.
(In reply to comment #27) I also experience this same problem with an IMAP server, and the postmaster here actually did respond as I made him aware of the problem and we are about to sort it out.

lavagolemking, you can see the server asking Thunderbird to provide a certificate if you paste either of the two commands below into a terminal window on your computer and scan the output for the word "CertificateRequest" (you may have to install the "openssl" package on your system to make it work):

1) echo "a001 LOGOUT" \
     | openssl s_client -msg \
       -connect imap.service.ohio-state.edu:993

2) echo "Quit" \
     | openssl s_client -msg -starttls smtp \
       -connect email.brescobroadband.com:25

nelson, the smtpd actually seems to send a list of authorities that it does accept, so shouldn't Thunderbird try to authenticate with a certificate only if it was on the list?

lavagolemking, please vote for bug #437683 - it's an enhancement request, so Thunderbird users are not at the mercy of postmasters of broken servers.
They do use certificates, but they send you the certificates they use. There is one for email.brescobroadband, and another for imap.service.ohio-state.edu. It just doesn't need to (and shouldn't) be mine. They use their own certificates, but Thunderbird isn't giving me the option to use their certificates, only the 2 I have installed (as in with private keys). I had to install certificates for their servers (at least one anyway) a while ago, but those don't show up in the list, which I would think should be the default options.
In reply to comment 27,
a) When I say that the server is misconfigured, I don't mean the server settings in your client, I mean the actual server itself.
b) TLS is simply another name for SSL 3.1. SSL 3.1 is just a small variation on SSL 3.0, which is why people refer to TLS as SSL. It actually IS SSL.
c) The labels in the dialog you showed in the screen shot are incorrect, erroneous and misleading. Those labels have misled you, as they mislead most users who read them, into thinking that you are choosing between SSL and TLS. You are not. That dialog does not actually let you choose between SSL and TLS, or between any one version of SSL and any other version of SSL. It lets you choose if and how SSL will be used with SMTP. The same set of 4 radio button choices is used in several similar dialogs. It is also used with IMAP and POP3. Regardless of which of those email protocols uses it, that dialog lets you choose between these choices (in order):
1) IMAP/SMTP/POP3 without SSL,
2) IMAP/SMTP/POP3 that negotiates the use of SSL 3.x in the middle of the IMAP/SMTP/POP3 protocol. The protocol starts out with IMAP/SMTP/POP3 "in the clear" on the normal port for that protocol, and then attempts to switch to using IMAP/SMTP/POP3 over SSL 3.x, on that same connection, after it gets started. With this second choice, if the server does not offer SSL 3.x, IMAP/SMTP/POP3 continues on "in the clear" without SSL.
3) This choice is like the second choice, except that if the server does not offer SSL 3.x, the client terminates the connection.
4) IMAP/SMTP/POP3 over SSL. This is on a separate port (not the normal port for the protocol). On this port, SSL is used FIRST, and then only if it succeeds does IMAP/SMTP/POP3 begin.
As you can see, the difference is not the choice of SSL 3.0 vs SSL 3.1 (TLS) at all, but rather is the choice of whether to start SSL first and then SMTP or to start SMTP first and then SSL.

Your client doesn't prompt you to choose a certificate unless ALL of the following are true:
a) The server requests that your client authenticate itself to the server with a certificate, and
b) your client has a certificate (that identifies you), and
c) your certificate can be used for SSL client authentication, and
d) your certificate was either
   - issued by one of the issuers named by the server, or
   - the server says "I accept certs from all issuers".
The server you are using always asked for a certificate. Before you had a cert of your own, your client didn't ask you to choose one (because you had none to choose from). But when you got (or created) a cert, and your cert appeared to be issued by an issuer that is acceptable to the server, your client began to ask you to choose it. It's that simple. Your client is doing exactly what it was intended to do. The fact that your server requests your cert, then rejects it, and does not allow you to then "fall back" to using a password is all under the control of the server, and needs to be corrected by the server administrator.
In reply to comment 31, > the smtpd actually seems to send a list of authorities that it does accept, > so shouldn't thunderbird try to authenticate with a certificate only if > it was on the list? Yes. The client should only try to authenticate if the user has a cert that was issued, directly or indirectly, by an issuer named by the server. An empty list of issuer names from the server is understood to mean "any issuer". If the user has a cert with a chain such as A -> B -> C -> D (where A is the root and D is the user's cert), and the server names any of A, B or C among its acceptable issuers, or sends an empty list of acceptable issuers, then the client will include D among the certs from which it asks the user to choose.
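The selection rule in the two comments above (server requests a cert, the user has one, it is usable for client authentication, and its chain passes through an issuer the server named, or the server named none), written out as an added example. This is not NSS or Thunderbird code: certificates are constructed dicts with subject and issuer names, the chain A -> B -> C -> D is built inline from the comment's own notation, and the `send_none` flag is a hypothetical stand-in for the "send no certificate" setting proposed later in this bug. Unlike a real CertificateRequest, which carries DER-encoded names, the issuer list here is plain strings.

```python
"""Which user certs a client would offer in the chooser dialog when a server
sends a TLS CertificateRequest. Added illustration with a constructed PKI;
names are assumptions, not from the bug report."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    client_auth: bool = True  # True if key usage / EKU permits TLS client auth


@dataclass(frozen=True)
class CertificateRequest:
    """Server-side request; an empty ca_names tuple means 'any issuer'."""
    ca_names: Tuple[str, ...] = ()


# Constructed sample PKI: A -> B -> C -> D as in the comment above, plus an
# email-only cert E under C and an unrelated cert F under root X.
ROOT_A = Cert("CN=A", "CN=A")
INT_B = Cert("CN=B", "CN=A")
INT_C = Cert("CN=C", "CN=B")
USER_D = Cert("CN=D", "CN=C")
USER_E = Cert("CN=E", "CN=C", client_auth=False)
ROOT_X = Cert("CN=X", "CN=X")
USER_F = Cert("CN=F", "CN=X")

STORE: Dict[str, Cert] = {c.subject: c for c in (ROOT_A, INT_B, INT_C, ROOT_X)}
USER_CERTS: List[Cert] = [USER_D, USER_E, USER_F]


def chain_of(leaf: Cert, store: Dict[str, Cert]) -> List[Cert]:
    """Walk issuer links from the leaf up to a self-signed root.
    Stops at an unknown issuer or on a loop, so a broken chain cannot hang."""
    chain = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while cur.issuer != cur.subject:
        nxt = store.get(cur.issuer)
        if nxt is None or nxt.subject in seen:
            break
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain


def candidate_certs(request: Optional[CertificateRequest],
                    user_certs: Sequence[Cert],
                    store: Dict[str, Cert],
                    send_none: bool = False) -> List[Cert]:
    """Certs the client would put in the chooser. request=None models a server
    that never asked; send_none models a hypothetical 'never send a client
    cert to this server' preference (not an existing Thunderbird setting)."""
    if request is None or send_none:
        return []
    acceptable = set(request.ca_names)
    out = []
    for leaf in user_certs:
        if not leaf.client_auth:
            continue                      # condition c): not usable for client auth
        issuers = {c.subject for c in chain_of(leaf, store)[1:]}
        # condition d): empty list means any issuer; otherwise some ancestor
        # (direct or indirect issuer) must be among the names the server sent.
        if not acceptable or issuers & acceptable:
            out.append(leaf)
    return out
```

With an empty issuer list (the misconfiguration the later protocol traces in this bug show) every client-auth-capable cert qualifies, which is exactly why users with any S/MIME cert started being prompted.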
Then why does it only give me a list of certificates that I own to choose from? Using the server's own certificate isn't an option, so unless I hit cancel in each prompt (which happens each time I click on something), the connection will fail.
In reply to comment 35, > why does it only give me a list of certificates that I own to choose from? Because the server is asking you to identify YOURSELF. The server doesn't want you to identify the server to itself. The server sends you its certificate so that the server can be identified to you (the client); the server also wants you to send YOUR certificate to IT, so that you (the client) can be identified to the server. That's the whole point of the server's request. It's asking you to use a certificate that identifies YOU, instead of a password that identifies YOU. You're unhappy about this, but understand, you're unhappy about a decision that the server administrator has made, to use a feature of SSL that is rarely used, a feature for identifying clients to servers with client certificates. Unfortunately, it appears to have been set up incorrectly at the server.
Ok, then my bug is more of a request, in that I should be able to turn that off. I don't foresee that feature working for a LONG time, since they only use a centralized password system for authentication (which is done on all their servers).
Assignee: mscott → nobody
> You're unhappy about this, but understand, you're unhappy about a decision > that the server administrator has made, to use a feature of SSL that is > rarely used, a feature for identifying clients to servers with client > certificates. Unfortunately, it appears to have been setup incorrectly > at the server. Nelson, you've explained this problem very well, thank you, but how can I explain it to my ISP (ATT, who subcontract their email out to yahoo.com) so they don't dismiss me as a crank? (And you know they will :-) You are obviously expert in this area and perhaps yahoo's mail admin would listen to an expert rather than a mere paying customer. Is there a website somewhere that I could refer them to, maybe? If not, would you write one? Thanks!
This protocol trace shows OSU's IMAPS server requesting client auth without specifying the names of any trusted issuers (implying that all issuers are trusted). This is nearly always a misconfiguration.
The situation for this server was quite different. This server sends out a list of 60 (!) names of CAs that it trusts to issue client certificates, including one belonging to Red Hat. I doubt that's accidental. If you ask them about it, they might actually know what you're asking about.
This is my manual openssl session with an smtp server, but pop3 gives the same result. I did not attempt to send mail here, so every verification error must refer to the *server's* cert, not mine (i.e. I didn't tell openssl to send my cert). This makes me wonder who is refusing whose certificate, anyway. Thunderbird is telling me that yahoo is sending an unknown_ca error about *my* certificate -- could thunderbird be getting that error message backwards?
Like OSU, smtp.att.yahoo.com:465 is requesting client authentication but is sending an empty list of trusted CA names, typically a sign of server misconfiguration.
Question: Why is this bug marked Depends on: 437683 437685? Please see comments #48 and #49 of 437683. It appears that this bug, 313012, may be resolved with a config change, adding an option to an existing config item: set security.default_personal_cert to Send no certificate (not a per account configuration) This bug is not assigned. Is there anyone who will work on adding the config option to Thunderbird 3? Thanks everyone. Please forgive my ignorance of how Depends on: is used.
(In reply to comment #42) > Created an attachment (id=356579) [details] > SSL protocol trace for smtp.att.yahoo.com:465 > > Like OSU, smtp.att.yahoo.com:465 is requesting client authentication but > is sending an empty list of trusted CA names, typically a sign of server > misconfiguration. Is it OK to mark this bug as INVALID?
The bottom line for this bug is: some of the nation's very biggest mail service providers continue to run misconfigured mail servers, and users of Thunderbird who have email certificates CANNOT use those servers unless and until either a) those servers are fixed or b) TBird gets some sort of per-server client-auth cert configuration that allows the user to say "don't send a client cert to this server, no matter how hard it begs". That last item should be pretty easy and would make Tbird a lot more useful to users who're trying to use SMIME certs with Yahoo, most of the DSL ISPs, etc.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #45) > The bottom line for this bug is: some of the nation's very biggest mail > service providers continue to run misconfigured mail servers, and users > of Thunderbird who have email certificates CANNOT use those servers > unless and until either > a) those servers are fixed or > b) TBird gets some sort of per-server client-auth cert configuration that > allows the user to say "don't send a client cert to this server, no matter > how hard it begs". Is there a Tech Evangelism bug to track these broken servers? If not, would you be able to open one?
Whiteboard: [brokenserver]
Severity: normal → S3