Closed Bug 433904 Opened 17 years ago Closed 9 years ago

SSL connection on POP3 server displays prompt for client certificate (which doesn't exist)

Categories: Core :: Security: PSM, defect
Platform: x86, Windows Vista
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
Reporter: neoto
Assignee: Unassigned

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; sl; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: 2.0.0.14 (20080421)

Before version 2.0.0.14 all my attempts to establish an SSL connection with the ARNES mail server failed with some kind of error -12271. Now Thunderbird displays the dialog that prompts the user (me) to select the client certificate (as mentioned in bug 431819). The problem is that the server DOESN'T require a client certificate at all! So, if I select one of my own certificates, the connection drops and Thunderbird gives me the error -12271. But if I cancel the dialog (select no certificate), the connection is successfully established and communication continues under SSL or TLS encryption.

If I change the security.default_personal_cert setting from Ask every time to Choose automatically, the client certificate is chosen and the connection fails with the error described above.

The same problem was already reported on some German forum (http://www.thunderbird-mail.de/forum/viewtopic.php?f=32&t=33586), but I couldn't find it in the Bugzilla database.

Reproducible: Always

Steps to Reproduce:
1. Have some kind of personal (client) certificate installed in Thunderbird
2. Use a TLS or SSL connection with mail.arnes.si (ARNES - Academic and Research Network of Slovenia)

Actual Results:
Client certificate selection dialog appears, causing auto-check-for-mails to fail loading e-mails.

Expected Results:
Server requires no client certificate (as far as I know, it distributes some kind of public key TO the user and NOT FROM the user).
From my little understanding (mostly from http://wiki.mozilla.org/PSM:CertPrompt) that sounds like the server is requesting (rather than requiring) client auth, it includes your personal cert's issuer in its list of acceptable issuers, but it doesn't actually know you from your cert, so Select Automatically (or you manually selecting) fails, but canceling from the Always Ask prompt works, since that way you don't send the acceptable-but-not-authenticating-you cert.
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Thunderbird → Core
QA Contact: thunderbird → psm
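The comment above turns on what the server's TLS CertificateRequest message contains: a list of acceptable issuers, and nothing that says whether a certificate is required. As an added example (not code from Thunderbird, NSS or this bug), the Python below parses that message body and selects the installed certificates whose issuer the server listed; matching issuers by raw DER bytes, the helper names `der_cn` and `build_request`, and their constructed sample data are assumptions for illustration.

```python
import struct

def parse_certificate_request(body: bytes, tls12: bool = False):
    """Parse a TLS CertificateRequest body (RFC 2246 / RFC 5246, section 7.4.4).

    Returns (certificate_types, [DER issuer name, ...]). The message carries no
    "required" flag: requesting and requiring client auth look the same here.
    """
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated CertificateRequest")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    types = list(take(take(1)[0]))            # certificate_types<1..2^8-1>
    if tls12:                                 # TLS 1.2 inserts signature algorithms
        take(struct.unpack("!H", take(2))[0])
    ca_len = struct.unpack("!H", take(2))[0]  # certificate_authorities block
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length mismatch")
    issuers = []
    while pos < len(body):
        issuers.append(take(struct.unpack("!H", take(2))[0]))
    return types, issuers

def candidate_certs(issuers, client_certs):
    """Labels of installed certs whose DER issuer name the server listed.

    An empty list means the server named no CA, so any certificate qualifies.
    """
    return [label for label, issuer in client_certs.items()
            if not issuers or issuer in issuers]

def der_cn(cn: str) -> bytes:
    """Constructed CN-only DER Name (short-form lengths; sample data only)."""
    atv = b"\x06\x03\x55\x04\x03\x0c" + bytes([len(cn.encode())]) + cn.encode()
    seq = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(seq)]) + seq
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_request(types, issuers):
    """Constructed TLS 1.0-style CertificateRequest body (sample data only)."""
    cas = b"".join(struct.pack("!H", len(i)) + i for i in issuers)
    return bytes([len(types), *types]) + struct.pack("!H", len(cas)) + cas
```

A non-empty result from `candidate_certs` is the condition under which a client has something to offer and therefore prompts or selects automatically; whether the server then accepts that certificate is decided by server-side policy that is not visible in this message.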
So while the situation is not perfect, if I understand correctly, our switch to "always ask" has at least helped you to get a connection to your mail server. There is a separate bug 431819 which discusses the issue of repeating prompts.
Status: UNCONFIRMED → NEW
Ever confirmed: true
@Kai Engert Yes, the change helped me to figure out what is going on at all. It would be nice if there would be a possibility to check some kind of 'No client certificate needed' option in settings and Thunderbird wouldn't show this dialog for selected server at all.
I upgraded today to Thunderbird 2.0.0.16. A check box to remember the choice awaited me on this annoying dialog. Thank you!
(In reply to comment #4)
> I upgraded today to Thunderbird 2.0.0.16. A check box to remember the choice
> awaited me on this annoying dialog. Thank you!

Do you mean by that that the issue is fixed for you?
(In reply to comment #5)
> (In reply to comment #4)
> > I upgraded today to Thunderbird 2.0.0.16. A check box to remember the choice
> > awaited me on this annoying dialog. Thank you!
>
> Do you mean by that that the issue is fixed for you?

Yes, for me, the issue is fixed.
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
(In reply to Matevz from comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > I upgraded today to Thunderbird 2.0.0.16. A check box to remember the choice
> > > awaited me on this annoying dialog. Thank you!
> >
> > Do you mean by that that the issue is fixed for you?
>
> Yes, for me, the issue is fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME