Closed
Bug 354525
Opened 19 years ago
Closed 19 years ago
Thunderbird has issues when trying to retrieve user certificates from LDAP server. TB does not always find the certificates. TB did not consistently ask for the certificate.
Categories
(MailNews Core :: Security: S/MIME, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: jdones, Assigned: KaiE)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 (CK-MITLL) Firefox/1.5.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 (CK-MITLL) Firefox/1.5.0.7
We use Thunderbird as our email client and are currently beta testing smart cards for email encryption. We are experiencing an issue with Thunderbird when trying to retrieve user certificates from our LDAP server. TB does not always find the certificates. We ran a trace and got mixed results. TB did not consistently ask for the certificate (see trace results below).
According to this KB article:
http://kb.mozillazine.org/Getting_an_SMIME_certificate/
Thunderbird does not support retrieving a user's S/MIME certificate from an LDAP server. Is this true, and will it be supported anytime soon? This should be working.
Reproducible: Sometimes
Steps to Reproduce:
1. Compose email, type in name
2. LDAP displays results of users with similar attributes
3. Click on Security to find user certificate to encrypt email
Actual Results:
User certificates not always found, trace results show that Thunderbird did not always ask for user binary certificate
Expected Results:
Thunderbird should have found the user certificates in LDAP to allow email encryption.
Trace results when TB found user certificate from LDAP:
LDAPMessage searchResEntry(2) "cn=XXXXXXX,ou=XXXXXX,o=XXXXXXXX,c=XX" [2 results]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=cn=XXXXXXX,ou=XXXXXX,o=XXXXXXXX,c=XX
attributes: 1 item
Item usercertificate;binary
type: usercertificate;binary
vals: 1 item
Item: 308203843082026CA00302010202043EC3F26D300D06092A...
Response To: 14
Time: 0.949704000 seconds
Trace results when TB did not find user certificate in LDAP:
LDAPMessage searchResEntry(2) "cn=XXXXXXXXXX,ou=XXXXX,o=XXXXXXXXXXXXX,c=XX" [2 results]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=XXXXXXX,ou=XXXXXX,o=XXXXXXXX,c=XX
attributes: 2 items
Item mail
type: mail
vals: 1 item
XXXXXX@XXX.XXX.XXX
Item cn
type: cn
vals: 1 item
XXXXX X. XXXXXXX
Response To: 2029
Time: 1.075632000 seconds
Comment 1•19 years ago
obviously we do try to fetch certificates from an ldap server, as your log shows :-) That KB article may be referring to fetching a personal cert for yourself - we only fetch other users' certs for encrypted e-mail.
As far as I know, we'll try to fetch a cert if we don't think we have the cert:
http://lxr.mozilla.org/seamonkey/source/mail/extensions/smime/content/msgCompSMIMEOverlay.js#355
We do this at send time, when the message is sent...
Component: Build Config → Security
Updated•19 years ago
Assignee: mscott → dveditz
QA Contact: build → thunderbird
Comment 2•19 years ago
really an s/mime issue
Component: Security → Security: S/MIME
Product: Thunderbird → Core
Version: unspecified → Trunk
Comment 3•19 years ago
reassigning to Kaie for now.
Comment 4•19 years ago (Reporter)
Could this be an LDAP issue?
Comment 5•19 years ago
Kaie,
In his response, David Bienvenu states: "As far as I know, we'll try to fetch a cert if we don't think we have the cert:
http://lxr.mozilla.org/seamonkey/source/mail/extensions/smime/content/msgCompSMIMEOverlay.js#355
We do this at send time, when the message is sent..."
The issue which we are dealing with is when you try to retrieve a certificate before sending the email. Some times this works and sometimes it does not work.
Example:
I select "Write" to compose a message to another employee.
I enter the address which is retrieved from the LDAP server.
I select the "Security" tab.
In the window I should see the certificate which is in the LDAP server on the users usercertificate;binary.
In the status field it shows "Not Found".
Thunderbird is not asking the LDAP server for the certificate so the LDAP server is not sending it.
This is intermittent.
Questions:
Is there a setting in Thunderbird where I can set the client to ALWAYS ask for the certificate when I select the Security button?
If Thunderbird obtains the certificate when I send the mail then why can it not always obtain the certificate when I ask it to?
Will Thunderbird Digitally Sign/Encrypt or both the message every time?
Thanks.
Comment 6•19 years ago (Assignee)
David obviously wanted to assign this bug to me, but probably something went wrong. Bug activity shows this was never assigned to me. I think I did not read this bug nor comment 5 before today.
Is this fixed by now, now that bug 332483 has been checked in?
Comment 7•19 years ago (Reporter)
(In reply to comment #6)
> David obviously wanted to assign this bug to me, but probably something went
> wrong. Bug activity shows this was never assigned to me. I think I did not read
> this bug nor comment 5 before today.
>
> Is this fixed by now, now that bug 332483 has been checked in?
>
I tested against Thunderbird 2.0a on two separate machines and got the same result. The trace of the certificate fetch against LDAP shows that usercertificate;binary is being requested by the mail client in this version, but when I try to view the Security Information I get a status of "Not Found", and it still prevents encryption and signing of email.
Capture:
LDAPMessage searchRequest(2) "ou=xxxx,o=xxxx,c=xxxxx " wholeSubtree
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: ou=xxxx, o=xxxx,c=xx
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 2
timeLimit: 0
typesOnly: False
Filter: (mail=xxx@xxxxx.xxx)
equalityMatch
attributes: 1 item
Item: usercertificate;binary
[Response In: 93]
LDAPMessage searchResEntry(2) "cn=xxxx x xxxxxxx,ou=xxxx,o=xxxx,c=xx" [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=xxxx x xxxxxxx,ou=xxxx,o=xxxx,c=xx
attributes: 1 item
Item usercertificate;binary
type: usercertificate;binary
vals: 1 item
Item: 30Z8203863081026EA019010202043EC4034D300D06092A...
[Response To: 91]
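The traces in the description and in comment 7 are text renderings of BER-encoded LDAP messages (RFC 4511): the client's SearchRequest names the attributes it wants, and the server's SearchResultEntry carries the attributes it returns. The Python below is an added example, not Thunderbird's or Mozilla's code. It encodes the SearchRequest shown in the comment 7 trace, decodes it back to list the requested attributes, does the same for SearchResultEntry messages modelled on the "found" and "not found" responses in the description, and checks that a returned usercertificate;binary value starts like a DER X.509 Certificate. The DNs and e-mail addresses are constructed placeholders; the certificate prefix is the truncated hex value from the first trace in the description.

```python
# Added example (not Thunderbird's code): BER encode/decode of the LDAP messages in the
# traces above (RFC 4511) plus a DER sanity check on a usercertificate;binary value.
# DNs and addresses in this file are constructed placeholders.

# Universal BER tags, then the LDAP application/context tags these messages use.
OCTET_STRING, BOOLEAN, INTEGER, ENUMERATED, SEQUENCE, SET = 0x04, 0x01, 0x02, 0x0A, 0x30, 0x31
SEARCH_REQUEST, SEARCH_RES_ENTRY = 0x63, 0x64  # [APPLICATION 3] and [APPLICATION 4], constructed
EQUALITY_MATCH = 0xA3                          # Filter CHOICE alternative [3], constructed

def ber_len(n):
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n):
    """Two's-complement INTEGER (LDAP message IDs and limits are non-negative)."""
    return tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def read_header(buf, pos=0):
    """Return (tag, declared length, value start); safe to call on a truncated buffer."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, first, pos

def read_tlv(buf, pos=0):
    tag, length, start = read_header(buf, pos)
    return tag, buf[start:start + length], start + length

def children(body):
    """Split a constructed value into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def encode_search_request(msg_id, base_dn, attr, value, attributes, size_limit=2):
    """LDAPMessage { messageID, SearchRequest } as in the comment 7 trace: scope
    wholeSubtree(2), neverDerefAliases(0), timeLimit 0, typesOnly FALSE, an
    equalityMatch filter (attr=value) and the list of attributes to return."""
    filt = tlv(EQUALITY_MATCH, tlv(OCTET_STRING, attr.encode()) + tlv(OCTET_STRING, value.encode()))
    attrs = tlv(SEQUENCE, b"".join(tlv(OCTET_STRING, a.encode()) for a in attributes))
    body = (tlv(OCTET_STRING, base_dn.encode()) + tlv(ENUMERATED, b"\x02") + tlv(ENUMERATED, b"\x00")
            + ber_int(size_limit) + ber_int(0) + tlv(BOOLEAN, b"\x00") + filt + attrs)
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(SEARCH_REQUEST, body))

def requested_attributes(message):
    """Attribute names a SearchRequest asks for (an empty list means all user attributes)."""
    _, body, _ = read_tlv(message)
    _, (op_tag, op) = children(body)
    if op_tag != SEARCH_REQUEST:
        raise ValueError("not a SearchRequest")
    return [v.decode() for _, v in children(children(op)[-1][1])]  # attributes is the last field

def encode_search_res_entry(msg_id, dn, attributes):
    """LDAPMessage { messageID, SearchResultEntry { objectName, PartialAttributeList } }."""
    pal = b"".join(tlv(SEQUENCE, tlv(OCTET_STRING, name.encode())
                       + tlv(SET, b"".join(tlv(OCTET_STRING, v) for v in vals)))
                   for name, vals in attributes.items())
    entry = tlv(OCTET_STRING, dn.encode()) + tlv(SEQUENCE, pal)
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(SEARCH_RES_ENTRY, entry))

def returned_attributes(message):
    """{attribute name: [raw values]} carried by a SearchResultEntry."""
    _, body, _ = read_tlv(message)
    _, (op_tag, op) = children(body)
    if op_tag != SEARCH_RES_ENTRY:
        raise ValueError("not a SearchResultEntry")
    _, (_, pal) = children(op)
    result = {}
    for _, attr in children(pal):
        (_, name), (_, vals) = children(attr)
        result[name.decode()] = [v for _, v in children(vals)]
    return result

def certificate_header(value):
    """Check that a value starts like an X.509 Certificate: SEQUENCE { tbsCertificate
    SEQUENCE { [0] version, serialNumber INTEGER, ... } }. Works on a truncated prefix."""
    tag, outer_len, start = read_header(value)
    tag2, tbs_len, pos = read_header(value, start)
    if tag != SEQUENCE or tag2 != SEQUENCE:
        raise ValueError("Certificate and tbsCertificate must both be SEQUENCEs")
    tag, val, pos = read_tlv(value, pos)
    version = 1                               # the [0] version field is absent in v1 certificates
    if tag == 0xA0:
        version = int.from_bytes(read_tlv(val)[1], "big") + 1
        tag, val, pos = read_tlv(value, pos)
    if tag != INTEGER:
        raise ValueError("serialNumber must be an INTEGER")
    return {"total_length": start + outer_len, "tbs_length": tbs_len,
            "version": version, "serial": val.hex()}

# Truncated certificate value copied from the first trace in the bug description.
TRACE_CERT_PREFIX = bytes.fromhex("308203843082026CA00302010202043EC3F26D300D06092A")

if __name__ == "__main__":
    dn = "cn=user,ou=unit,o=org,c=xx"
    req = encode_search_request(2, "ou=unit,o=org,c=xx", "mail", "user@example.test", ["usercertificate;binary"])
    not_found = encode_search_res_entry(2, dn, {"mail": [b"user@example.test"], "cn": [b"User"]})
    print(requested_attributes(req), "usercertificate;binary" in returned_attributes(not_found))
    print(certificate_header(TRACE_CERT_PREFIX))
```

Comparing `requested_attributes` on the client's request with `returned_attributes` on the server's reply is the check the reporter made by hand on the captures: a reply carrying only mail and cn means the client never asked for usercertificate;binary, while a reply that does carry the attribute but whose value fails `certificate_header` points at the stored value rather than at the fetch.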
Comment 8•19 years ago (Assignee)
(In reply to comment #5)
> Is there a setting in Thunderbird where I can set the client to ALWAYS ask for
> the certificate when I select the Security button?
If you have encryption enabled (either by default, or individually for the message you are composing), clicking the security button should trigger the request.
I assume if a previous attempt did not find a good cert to import, it will be tried again each time you click that button.
Are you sure the certificate you are attempting to import is a valid cert?
Your example listed in comment 8 suggests that the LDAP server did send a reply containing a certificate.
If you still get a "not found" error message, maybe the cert is invalid (like expired or not trusted)?
Only if the certificate is valid will it get imported.
> If Thunderbird obtains the certificate when I send the mail then why can it
> not always obtain the certificate when I ask it to?
It should always try to obtain it when you click the security button - and encryption is enabled.
> Will Thunderbird Digitally Sign/Encrypt or both the message every time?
I am not sure I understand this question.
Thunderbird will do what is configured globally (in the prefs) or individually selected in the compose window for the message.
Assignee: dveditz → kengert
Comment 9•19 years ago
(In reply to comment #8)
> (In reply to comment #5)
> > Is there a setting in Thunderbird where I can set the client to ALWAYS ask for
> > the certificate when I select the Security button?
>
> If you have encryption enabled (either by default, or individually for the
> message you are composing), clicking the security button should trigger the
> request.
>
> I assume if a previous attempt did not find a good cert to import, it will be
> tried again each time you click that button.
>
> Are you sure the certificate you are attempting to import is a valid cert?
I checked the certificates and they are all valid. When I click the security button TB is supposed to retrieve the certificate. It does not.
Working request:
attributes: 1 item
Item usercertificate;binary
type: usercertificate;binary
vals: 1 item
Item: 308203843082026CA00302010202043EC3F26D300D06092A...
Response To: 14
Non working request:
LDAPMessage searchResEntry(2) "cn=XXXXXXXXXX,ou=XXXXX,o=XXXXXXXXXXXXX,c=XX" [2 results]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=XXXXXXX,ou=XXXXXX,o=XXXXXXXX,c=XX
attributes: 2 items
Item mail
type: mail
vals: 1 item
XXXXXX@XXX.XXX.XXX
Item cn
type: cn
vals: 1 item
XXXXX X. XXXXXXX
As you can see in the second trace TB is not requesting the certificate.
>
> Your example listed in comment 8 suggests, the LDAP server did send a reply
> containing a certificate.
>
> If you still get a "not found" error message, maybe the cert is invalid? (like
> expired or not trusted).
>
> Only if the certificate is valid it will get imported.
>
>
> > If Thunderbird obtains the certificate when I send the mail then why can it
> > not always obtain the certificate when I ask it to?
>
> It should always try to obtain it when you click the security button - and
> encryption is enabled.
>
>
> > Will Thunderbird Digitally Sign/Encrypt or both the message every time?
>
> I am not sure I understand this question.
> Thunderbird will do what is configured globally (in the prefs) or individually
> selected in the compose window for the message.
>
My frustration with this is that TB is not requesting the certificate every time I select the security button.
There are 3 other bugs similar to this one:
https://bugzilla.mozilla.org/show_bug.cgi?id=332483
https://bugzilla.mozilla.org/show_bug.cgi?id=294457
https://bugzilla.mozilla.org/show_bug.cgi?id=294457
Claude
Comment 10•19 years ago (Reporter)
(In reply to comment #8)
> If you have encryption enabled (either by default, or individually for the
> message you are composing), clicking the security button should trigger the
> request.
>
> I assume if a previous attempt did not find a good cert to import, it will be
> tried again each time you click that button.
>
> Are you sure the certificate you are attempting to import is a valid cert?
>
> Your example listed in comment 8 suggests, the LDAP server did send a reply
> containing a certificate.
>
> If you still get a "not found" error message, maybe the cert is invalid? (like
> expired or not trusted).
>
> Only if the certificate is valid it will get imported.
Kai,
The certificates are valid. We have tested fetching certificates with Adobe and Entrust with no issues.
Comment 11•19 years ago (Assignee)
We have several issues around importing email certs.
We are trying to get these resolved shortly.
Please see bug 360525, 360526, 360528.
However, you quoted this bug with version 1.8.0.
Bug 360525 is trunk regression only.
Bug 360526 is only about a missing informational prompt.
Bug 360528 is 1.8 branch (FF 2) and trunk regression only.
So these still do not explain why you see a problem with Firefox 1.5, which I believe should work correctly.
I propose we get the above mentioned bugs fixed very soon, and then I'd like to ask you to retest. Thanks.
Comment 12•19 years ago
Thanks for the pointer to the other bug report.
I have no idea why this is not working in 1.5. It works <10% of the time.
When I use Adobe Acrobat it finds and retrieves the certificate 100% of the time. If this were related to the LDAP server(s) then it should not work with any application, not just TB.
Regards,
Claude
(In reply to comment #11)
> We have several issues around importing email certs.
>
> We are trying to get these resolved shortly.
> Please see bug 360525, 360526, 360528.
>
> However, you quoted this bug with version 1.8.0.
> Bug 360525 is trunk regression only.
> Bug 360526 is only about a missing informational prompt.
> Bug 360528 is 1.8 branch (FF 2) and trunk regression only.
>
> So these still do not explain why you see a problem with Firefox 1.5, which I
> believe should work correctly.
>
> I propose we get the above mentioned bugs fixed very soon, and then I'd like to
> ask you to retest. Thanks.
>
Comment 13•19 years ago (Assignee)
Can you please retest the trunk using tomorrow's nightly build?
Thanks
Comment 14•19 years ago (Assignee)
We found another issue that might potentially have been a cause of your problem. Are you using LDAP+SSL? We just fixed bug 355409.
Did you have any chance to retest the nightly trunk builds yet?
Thanks
Depends on: 355409
Comment 15•19 years ago (Reporter)
(In reply to comment #14)
> We found another issue that might potentially have been a cause of your
> problem. Are you using LDAP+SSL? We just fixed bug 355409.
>
> Did you have any chance to retest the nightly trunk builds yet?
> Thanks
>
Kai,
We do not use LDAP+SSL. I tested TB 2.0b1 from the nightly build posted December 7th. The test results were the same. I could not find the user certificates when encrypting email even though the trace revealed that TB was asking for the cert and obtaining it from LDAP. The "Security Info" reveals otherwise, status "Not Found". I will obtain the latest nightly trunk build (3.0a1) and re-test. Thanks.
Trace:
Lightweight-Directory-Access-Protocol
LDAPMessage searchResEntry(2) "cn=***** *****,ou=*****,o=*** ***** *********,c=US" [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=***** *****,ou=*****,o=*** ***** *********,c=US
attributes: 1 item
Item usercertificate;binary
type: usercertificate;binary
vals: 1 item
Item: 3072038B30820273APF302010202043EC3F2B2400D06092A...
[Response To: 152]
[Time: 0.946838000 seconds]
No. Time Source Destination Protocol Info
155 37.118455 ***.***.***.*** ***.***.***.*** TCP 1214 > ldap [ACK] Seq=133 Ack=1040 Win=64496 [TCP CHECKSUM INCORRECT] Len=0
Comment 16•19 years ago (Reporter)
Kai,
The cert fetch worked with no issues in my initial testing of the recent nightly build 3.0a1. I was able to find all the user certificates and encrypt the emails successfully. I will continue to test on other systems and report back if I find any other bugs.
When can we expect this fix to be incorporated into TB?
Thank you,
John
Comment 17•19 years ago (Assignee)
John, thanks for testing and glad to hear it finally works.
The final release of TB 2 will contain all the fixes that made this work on the trunk. Starting tomorrow you should be able to verify it works with a nightly build from the latest-mozilla1.8 directory.
Resolving as WORKSFORME based on John's comment.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME