Open Bug 429187 Opened 13 years ago Updated 11 years ago

no UI to add exception for self-signed or other type of incorrect certificate for pop3s, imaps and smtps

Categories

(SeaMonkey :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

People

(Reporter: iav, Unassigned)

Details

(Whiteboard: [psm-cert-errors])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008041502 SeaMonkey/2.0a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008041502 SeaMonkey/2.0a1pre

There is no UI to add exception for self-signed certificate for pop3s, imaps and smtps. 

Reproducible: Always
I uses:
Edit-(Legacy Prefwindow)-Privacy and Security-Certificates-button Manage Certificates-panel Servers-button Add Exception
It's not a solution, because of cert file is missing.
Assignee: mail → nobody
Component: MailNews: Main Mail Window → Security
QA Contact: seamonkey
Version: unspecified → Trunk
Igor,
can you give more details about what is happening (wrong),
or how you would want it to happen ?
If I set imap or pop3 over ssl, or tls, with self-signed certificate, I got window with message about bad certificate, because of it is self-signed, and "ok" button. There is no way to set up account to work - it's bad.
Now I can't add new mail account for private server.

Right behavior:
I think previous release and actual https wrong cert handler have right startegy: after some warning about of "how bad is this certificate" there shows cert attributes, there hilights what's really wrong (self-signed, untrusted signer, adress mismach, etc.), fingerprint, and button to add this cert to exclusion list, or reject it.
This is ultimately supposed to be part of the account creation UI, and there are bugs filed on it.
Whiteboard: DUPEME
(In reply to comment #5)
> This is ultimately supposed to be part of the account creation UI, and there
> are bugs filed on it.

This doesn't work for migrated profiles, though.  Error dialogs look like:

mail.example.com:143 uses an invalid security certificate.
The certificate is not trusted because it is self signed.
(Error code: sec_error_ca_cert_invalid)
Status: UNCONFIRMED → NEW
Ever confirmed: true
There can be more that one way to get not correct certificate for already existing account: change server name; add ssl to unsecured account; certificate expiration; changing certificate to other, not complete sutable (different server name, or expiration date, or something else).
Yes, and as in many similar cases (server name or port change, adding SSL as you mention) users will have to go into Account Setup to make adjustments. If that's where the UI _is_ then this is just another similar account change.

But if you want to track later edits separately from initial creation UI then I guess that's fine. Personally I think splitting the bugs is just splitting attention.
Flags: blocking-seamonkey2.0a1?
Whiteboard: DUPEME
It depend on realization insides.
I don't know, is there one piece of code, or not. I can only point to differences between new account creation and existed account modification. 
If this tasks performs by one code - dupe of this bug is right solution. If it is different processes with different handlers (I suppose it is) - let this bug live independently.
FYI, Thunderbird 3 has the same issue, AFAIK, so they are probably as interested in a solution as us.
Summary: no UI to add exception for self-signed certificate for pop3s, imaps and smtps → no UI to add exception for self-signed or other type of incorrect certificate for pop3s, imaps and smtps
please accept self signed certificates as older versions!
For Alpha testing, people can go through the cert manager, so not blocking the Alpha on this. We should look to have a better solution for final though.
Flags: blocking-seamonkey2?
Flags: blocking-seamonkey2.0a1?
Flags: blocking-seamonkey2.0a1-
Trying to enter an exception is a problem, as the pref pane for that function checks to host for the cert - and tacks on port 443 (HTTPS) in looking for the cert. Is there a way to get it to query the IMAPS port with the right protocol? Currently, the exception that gets entered has the incorrect port (443) tagged onto it.

Also, a similar bug for TBird is bug 430512
It works if you enter host:port into the exception dialog, e.g. mail.myisp.com:993
(In reply to comment #14)
> It works if you enter host:port into the exception dialog, e.g.
> mail.myisp.com:993

My bad - somehow my first couple attempts didn't work. I was able to add the exception for port 993 and that seems to have worked. Not the most user friendly, though.
(In reply to comment #15)
> (In reply to comment #14)
> > It works if you enter host:port into the exception dialog, e.g.
> > mail.myisp.com:993
> 
> My bad - somehow my first couple attempts didn't work. I was able to add the
> exception for port 993 and that seems to have worked. Not the most user
> friendly, though.

Apparently, you have to first attempt to connect to the server using the standard methods, and get the error dialog. Only then can you add the exception.
(In reply to comment #16)
> (In reply to comment #15)
> > My bad - somehow my first couple attempts didn't work. I was able to add the
> > exception for port 993 and that seems to have worked. Not the most user
> > friendly, though.
> 
> Apparently, you have to first attempt to connect to the server using the
> standard methods, and get the error dialog. Only then can you add the
> exception.

This is happening because the add exception first checks in the recent certificate store. If the certificate is found here, it is simply returned otherwise getting the certificate from the server fails. It attempts to get the certificate using an XmlHttpRequest using GET method which fails in multiple ways:

1) The default protocol assigned is "https". Somehow, using this protocol pops, imaps and smtps ports are all blocked ports (part of the default block port list). So the request fails without retrieving the certificate. A user can add "465,993,995" values to "network.security.ports.banned.override" setting to address this.

2) If the connection to the server succeeds (because of already existing certificate exception or because of valid certificate from the server), then a HTTP GET request is made to the server. The server, understandably upset, may not close the connection and the get request does not finish and certificate retrieval process just hangs (perhaps not until the connection times out).
Cancelling my blocker request, as the last few times I saw such errors, the dialog for exceptions came right up - do other people see that fixed as well in SeaMonkey 2.0 Beta 2 or later?
I vaguely remember a fix there, but not sure what bug it was on.
Flags: blocking-seamonkey2.0?
It works at least for new account. I check for imap-ssl and smtp-tls. Exceptions dialog opens and allow to make changes.
Bad is I can't check cert change for existing account.
Attached patch Possible patchSplinter Review
Note: this makes all servers log in on startup, see bug 493478.
Strange, but today I try with Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.3a1pre) Gecko/20091123 SeaMonkey/2.1a1pre smtp ssl:465, and see a dead and from the beginning. I not use that pc from september, and can't remember if that fork for this acccount or no.

Regression?
Whiteboard: [psm-cert-errors]
You need to log in before you can comment on or make changes to this bug.