Client SSL certificate not presented

13 years ago
(Reporter: airuike, Assigned: dveditz)
Windows XP


13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5


I have been trying to get tbird to use a client SSL certificate, but I haven't had any luck.  When I check the logs on my courier-imap server, I see this:

SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

Here is how I set my machines up:

1) generated my own CA with openssl misc/
2) generated certificate for courier imap ssl server, signed with my CA
3) generated certificate for my email user, signed with my CA
4) converted email user cert to PKCS12 with something like this:
openssl pkcs12 -export -in blah.pem -inkey blah-key.pem -certfile cacert.pem -name 'Eric' -out eric.p12
5) imported CA, server and client certificates into tbird
6) set trusts on certs/CA (client,server,software)
7) set TLS_VERIFYPEER=REQUIREPEER in my couier config

With those settings, I am only able to use the imap server when I turn off REQUIREPEER (set it to NONE/PEER).  Otherwise, I get an alert like this when I hit "get mail": has received an incorrect or unexpected message.  Error Code: -12227

It appears that my personal certificate is only useful for signing and encrypting emails, and not for use in SSL connections (the pkcs12 one that shows up in "your certificates").  I have tried setting security.default_personal_cert to "Ask Every Time" and I haven't had any luck.  Am I doing something wrong, or does tbird not support client SSL certificates like Firefox does?

Thanks for the help.

Reproducible: Always

Thunderbird 1.5

Comment 1

13 years ago
Kaie, I added you to the CC because someone on IRC said you might know about this.
Version: unspecified → 1.5

Comment 2

13 years ago
I'm sorry but I can not give support for setting up your own PKI environment.

I recommend you get free email or server certs from a supplier and that you start by using those certificates in your client and on your server. You can use these "known as good" certs to set up your server and client correctly. Once that works, you can try with your own certs and if it doesn't work, you'll know that you created incorrect certs.

Please let us know if you find a problem in Mozilla applications with known-as-good certs.
Last Resolved: 13 years ago
Resolution: --- → INVALID

Comment 3

13 years ago
I figured it out. My imap daemon just needed the root certificates placed in a certain directory.

I also tried upon your suggestion, nice stuff :)
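The private-CA setup from the report (CA, CA-signed client cert, PKCS#12 export with the real openssl option names) and the server-side trust check that comment 3 found to be the problem, as an added shell example that is not part of this bug thread. It assumes openssl is in PATH; the directory and file names (pki-demo, blah.pem, eric.p12) and the password "demo" are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report. Builds a throwaway CA and a client
# cert signed by it, exports the PKCS#12 bundle a mail client would import,
# then runs the check a REQUIREPEER server performs: the client cert only
# verifies when the issuing CA cert is in the server's trust store.
set -eu

build_demo_pki() {
    dir="${1:-pki-demo}"          # hypothetical output directory
    mkdir -p "$dir"
    # 1) self-signed CA (equivalent of "generated my own CA")
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Test CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
    # 2) client key + CSR, then sign with the CA. clientAuth EKU marks the
    #    cert as usable for SSL client authentication, not only S/MIME.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Eric/emailAddress=eric@example.test" \
        -keyout "$dir/blah-key.pem" -out "$dir/blah.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth,emailProtection\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/blah.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -days 30 \
        -extfile "$dir/client.ext" -out "$dir/blah.pem" >/dev/null 2>&1
    # 3) PKCS#12 bundle for import into the mail client
    #    (-inkey and -certfile are the real option names)
    openssl pkcs12 -export -in "$dir/blah.pem" -inkey "$dir/blah-key.pem" \
        -certfile "$dir/cacert.pem" -name 'Eric' -passout pass:demo \
        -out "$dir/eric.p12" >/dev/null 2>&1
}

# Server-side view: does client cert $1 chain to a CA in trust store $2?
# Returns 0 on success, non-zero otherwise (what REQUIREPEER rejects on).
verify_client_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Running verify_client_cert against an empty trust file reproduces the failure in the report: the client cert is fine, but the daemon cannot find its issuer.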