Closed Bug 445113 Opened 16 years ago Closed 16 years ago

Thunderbird prompts for certificate validation on any secure server when personal certificate is installed

Categories

(Thunderbird :: Security, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 437683

People

(Reporter: lavagolemking, Unassigned)

Details

Attachments

(4 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
Build Identifier: 2.0.0.14, Ubuntu 8.04

Any attempt to connect to an IMAP server with SSL enabled, as of the time I installed it, will result in Thunderbird attempting to use my certificate to establish the connection. While I don't know a lot about how these protocols work, I'm quite confident this is a bug because I've never needed a certificate before, and installed mine because I felt like it. Now it asks me to select one of my certificates to identify myself to the server, my school's server
(imap.service.ohio-state.edu), which requires an SSL connection. If I select
one, the connection fails (code -12195). If I hit cancel, the connection will
proceed as normal. Thus, I'm able to connect, but I get annoyed by a bogus
certificate prompt each time I click on a folder for my school's e-mail.

An additional note, my ISP (brescobroadband.com) uses a secure SMTP server.
Sending e-mail through it from any account. Like with the IMAP server, this only started after installing my personal certificates.

For some reason, when you have a certificate installed for a given account and
attempt to establish a secure connection, Thunderbird is trying to use your
certificate before anything else, rather than simply connecting through the
site's own certificate. If you hit cancel in the certificate selection prompt,
you'll be able to connect, but otherwise the connection will fail. Screenshots coming...

Reproducible: Always

Steps to Reproduce:
1. Find an e-mail provider with SSL access over IMAP, and an ISP with an SMTP server that uses TLS.
2. Find/Create and install a personal e-mail certificate for the account(s) using the SSL IMAP server.
3. Send yourself an e-mail using encryption/signatures, and verify the certificate is loading.
4. Restart Thunderbird (not sure if this is required).

Actual Results:
If you attempt any secure connection, Thunderbird will prompt you to select a certificate to identify yourself. If you select one the connection will fail, but if you hit cancel, it will succeed.

Expected Results:  
All of these connections worked fine for me until immediately after I installed the certificates. Thunderbird should not be asking me to select one of them to connect to said servers (not giving their respective certificates as options), which use their own certificates.

I am moving out in a week, to a place where I will not have my own internet access (and am unsubscribing from this ISP). The library blocks SMTP access, so the only way I'll have SMTP is by tunneling connections into my school, which uses an unencrypted SMTP server.
Here I was told to select a certificate to identify myself to
imap.service.ohio-state.edu, which requires SSL connections. Only 2
certificates are given as options: the 2 I have private keys for. Hitting
cancel will result in a successful connection.
All e-mail sent here will inappropriately prompt me to select a certificate.
Component: General → Security
QA Contact: general → thunderbird
Comment on attachment 329410 [details]
Screenshot of error message, after selecting my certificate

See http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1042994 
for an explanation of that error number.  

In short, the server rejected your certificate, and did not allow you to 
continue the connection and try to use password authentication.  
This is a server bug.
I don't know why Eddy asked you to file this bug.  It doesn't identify any
new issue that is not already identified in numerous others.  It identifies
a misbehaving server.  As such it is not a client bug, at all, per se.

Have you tried clicking cancel when it asks you to choose a certificate?
That is exactly what I did, and what I have to do each time I click on a folder, for each time I start Thunderbird. Anything other than that will kill the connection, and it's very annoying to go through this repetitive dialogue, knowing that it's not going to accomplish anything, but being unable to turn it off.
It would be nice to turn off the ability to authenticate with a certificate, for servers that don't properly implement it.
Severity: normal → enhancement
OS: Linux → All
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
(In reply to comment #6)
Well, if canceling the client certificate allows the connection to the server nevertheless, then why does the server supposedly ask for a client certificate in the first place. The observation which was made with this bug is similar to my experience, which means that I never configured any SMTP/IMAP/POP3 server to request client certificate authentication. Still, the minute SSL capabilities are turned on at the server(s), Thunderbird wants to send a client certificate. Can it be that three different servers suddenly ask for client cert auth, just to continue without it when canceled?

I'm not claiming that server implementations might not be correct, but there might be some more into it than you might know/admit...

For example I have two different mail servers with two completely different IMAP servers. TB appears to send client certs in both cases. The same is true for SMTP and POP3. Not even sure if the server does anything with it (there are no apparent indications in the log files). At least TB asks for the password of the software security device (and smart card devices) and asks to choose a certificate.

I suggest we should make some rigorous testing before ruling out a misbehavior of TB.
Canceling the client cert selection dialog causes the client to tell the 
server "I have no certificate with which to authenticate to you", and then
attempt to go on with the SSL handshake.

The evidence shows that if the client says "I have no cert", the server is
happy to go on, but if the client says "I have a cert", then the server 
rejects the client's cert and drops the connection.  That's a server issue.

Yes, it's entirely believable that numerous server products are implemented
such that requests for client authentication are on by default when SSL is 
enabled, and that the receipt of any cert that is not accepted causes the 
connection to fail.  

The irrefutable fact is:
- the user only gets a cert selection dialog when the server has requested
an authentication cert from the client.  

Any server that requests client authentication certs, when it is unprepared
to do anything useful with them, is misconfigured or buggy or both.
(In reply to comment #11)
> Canceling the client cert selection dialog causes the client to tell the 
> server "I have no certificate with which to authenticate to you", and then
> attempt to go on with the SSL handshake.

This goes counter to the expected behavior. Especially when comparing to the HTTP(s) implementations, the connection FAILS when no certificate is presented by the client (Firefox browser in this case). This is what I'd expect to happen with any other underlying protocol as well in case client auth was requested.
 
> 
> The evidence shows that if the client says "I have no cert", the server is
> happy to go on, but if the client says "I have a cert", then the server 
> rejects the client's cert and drops the connection.  That's a server issue.

I'm not convinced at all that the server(s) sends such a request in the first place. I'll be glad to facilitate the server for testing purpose (and sniffing out any client auth request).

> 
> Yes, it's entirely believable that numerous server products are implemented
> such that requests for client authentication are on by default when SSL is 
> enabled, 

All of them? No matter which protocol? But all of that happens with TB?

> 
> The irrefutable fact is:
> - the user only gets a cert selection dialog when the server has requested
> an authentication cert from the client.  

That's not correct. The user gets a cert selection dialog when the connection to the server is over SSL/TLS *and* only if a client certificate exists in the security device. But then it happens every time. Again borrowing from the HTTP world, an empty certificate dialog should be presented to the user in case the server requested client auth. Why should TB decide on its own to pop up the certificate dialog only in case a client certificate is present in the security device and otherwise continue silently?

The only facts are right now that when the connection is over SSL/TLS and a client certificate exists in TB, the dialog comes up. There were no facts presented (from you) that the server requested client auth in the first place. You need to provide this fact first (in some way).

The claims have been many, that NO client auth was configured at those vastly different servers (Sendmail, Postfix, Dovecot, Cyrus etc) on different protocols and ports (via STARTTLS, TLS, SSL on SMTP, IMAP, POP3). All of the servers have only one thing in common, that they function over SSL/TLS and that the client is Thunderbird.
(In reply to comment #12)

> This goes counter to the expected behavior. Especially when comparing to the
> HTTP(s) implementations, the connection FAILS when no certificate is 
> presented by the client (Firefox browser in this case). 

That's entirely up to the server.  The client responds to the server's request
with either (a) a cert chain, or (b) an "I have no cert" message.  What the
server does with that is up to the server.  There are many servers that do 
not drop the connection at that point.  Any server that wants to offer a 
fallback to some other form of authentication must not drop the connection
at that point.

>> The evidence shows that if the client says "I have no cert", the server is
>> happy to go on, but if the client says "I have a cert", then the server 
>> rejects the client's cert and drops the connection.  That's a server issue.
> 
> I'm not convinced at all that the server(s) sends such a request in the first
> place. I'll be glad to facilitate the server for testing purpose (and 
> sniffing out any client auth request).

You have everything you need, a server, a client, and tools.
I suggest you try ssltap or ssldump.  

> The user gets a cert selection dialog when the connection to the server is 
> over SSL/TLS *and* only if a client certificate exists in the
> security device. But then it happens every time.

You're asserting that the user is asked to select a cert even when the server
does not request it.

ALL the SMTP, POP3 and IMAP servers that I use daily with my email client 
(and I use many) use SSL/TLS, and I have MANY personal certs that are quite 
valid for SSL client auth, 
yet *I do not get prompted to choose any SSL client certs*  
because the servers I use DO NOT REQUEST client certs.
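
The check suggested above (watching the handshake with ssltap or ssldump) comes down to whether the server's first flight contains a CertificateRequest message. The following is an added example, not part of the bug thread or of Thunderbird/NSS: a minimal Python parser run over constructed TLS 1.0 record bytes. The function names and sample flights are hypothetical, and it assumes a cleartext handshake (TLS 1.2 and earlier).

```python
import struct

# TLS handshake message types (RFC 5246, section 7.4)
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
CONTENT_CCS, CONTENT_HANDSHAKE = 20, 22  # TLS record content types

def handshake_messages(stream: bytes) -> list[str]:
    """Return the names of the cleartext handshake messages in a TLS byte stream."""
    payload = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype == CONTENT_CCS:
            break  # everything after ChangeCipherSpec is encrypted
        if ctype == CONTENT_HANDSHAKE:
            payload += body  # messages may share a record or span several
    names, off = [], 0
    while off + 4 <= len(payload):
        mtype = payload[off]
        mlen = int.from_bytes(payload[off + 1:off + 4], "big")
        if off + 4 + mlen > len(payload):
            raise ValueError("truncated handshake message")
        names.append(HANDSHAKE_TYPES.get(mtype, f"unknown({mtype})"))
        off += 4 + mlen
    return names

def server_requested_client_cert(stream: bytes) -> bool:
    """True if the server's flight asks the client for a certificate."""
    return "CertificateRequest" in handshake_messages(stream)

def msg(mtype: int, body: bytes = b"") -> bytes:
    """Build one handshake message (hypothetical helper for the samples)."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def record(payload: bytes, ctype: int = CONTENT_HANDSHAKE) -> bytes:
    """Wrap a payload in a TLS 1.0 record header (hypothetical helper)."""
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

# Constructed server flights with placeholder bodies, not real captures.
HELLO = msg(2, b"\x00" * 38) + msg(11, b"\x00\x00\x00")
FLIGHT_WITH_REQUEST = record(HELLO) + record(msg(13, b"\x01\x01\x00\x00") + msg(14))
FLIGHT_WITHOUT_REQUEST = record(HELLO + msg(14))
```

Fed the server-to-client bytes of a real capture, `server_requested_client_cert` answers the question argued in this thread: a `True` result means the server itself asked for a client certificate.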
(In reply to comment #13)
> 
> You have everything you need, a server, a client, and tools.
> I suggest you try ssltap or ssldump.  
> 

A pity I don't have the time to tinker with it...

> 
> ALL the SMTP, POP3 and IMAP servers that I use daily with my email client 
> (and I use many) use SSL/TLS, and I have MANY personal certs that are quite 
> valid for SSL client auth, 
> yet *I do not get prompted to choose any SSL client certs*  
> because the servers I use DO NOT REQUEST client certs.
> 

And what are your settings of the mail client (assuming this to be Thunderbird)? I also worked around this problem with the configuration.
Depends on: 456263
No longer depends on: 456263