Closed Bug 465702 Opened 16 years ago Closed 14 years ago

can't add permanent exception for server that uses alternating certificates

Categories

(Thunderbird :: Security, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 528922

People

(Reporter: matp75zilla, Unassigned)

References

Details

(Keywords: regression)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Thunderbird 3.0b1pre  : Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1b2pre) Gecko/20081113 Lightning/1.0pre Shredder/3.0b1pre

One of my mail accounts works like this : 
- IMAP over SSL
- server is on a lan but may be accessible from Internet via a reverse SSL proxy.
- using only a single name in thunderbird configuration

With thunderbird 2 (+ remember mismatched domains extension 1.6), I can move from internal lan to Internet and come back.
I can always read my mails.

When I am on the internal lan, I access the server on its ssl port, which uses one certificate.
When I am on the Internet, I access the reverse ssl server, which connects to the real server. The reverse ssl server uses another certificate.

Both certificates are self-signed, one is expired, and both present a wrong hostname (because there are aliases on the servers and only one works both from internal and external, which is required to have thunderbird work all the time without changing the configuration when moving networks).
But as I trust them, I want to be able to add an exception for them.
(Note : I don't manage the servers...)

With thunderbird 3.0b1pre, functionality regressed : it no longer works.
Following the instructions in thunderbird bug 429843, I added a manual exception (bug 399174 comment #3).
I reset all certificate exceptions related to this server.
Then I added the exception with https://servername.domain:993

It works initially but then :
- I move from internal lan to external network
- the certificate presented is not the same -> I add another exception.
- It doesn't work, as it seems the new exception removes the first exception by itself...

I tried it both way (starting by removing everything from internal lan, and the the same from Internet) without success.

(Another major pain is that the invalid prompt blocks other ssl communication in thunderbird, which then says it timed out with my other accounts (and there's no "disable temporarily this account" feature, so it's a pain))

Thunderbird 3 looks great, but this bug is really a pain.

Looking into bugzilla, I think maybe this thunderbird bug is related to an underlying bug 427983, which affects firefox.

Reproducible: Always
Depends on: 427983
Keywords: regression
Version: unspecified → Trunk
Component: General → Security
QA Contact: general → thunderbird
Might be related to bug 468664.
Kaie do you think this bug is related to 427983 ?
I don't have a good solution for this bug currently.

I assume, when you connect to your server, you always use the same hostname (mail server hostname configured in mail), regardless of your current location (intranet or internet).

Our "certificate exception" system is currently bound to a single hostname.
Yes, as soon as you add a new exception for the same hostname, you will overwrite your old exception.

The fact that your server identifies using a different cert, depending on your location, is really a mess. I wish your server admins could change that, to at least introduce some consistency.

I cannot think of an easy solution right now.
I wouldn't want to store multiple valid certificates for a single target server, your configuration is really not something that should be encouraged. I hope you can put some pressure on the server admins to get it at least consistent.

So, I'm tempted to resolve this bug as WONTFIX because your environment is pretty much against the idea of the identification ideas of using SSL.

Here is a proposal that might help you:
- use a different hostname for the mail server depending on your location
- each time you switch location, edit mail accounts and change the server name
- you could use an entry in your "hosts file" to help achieve two host names that point to the same server
- TB will keep the exception for each hostname independently
(In reply to comment #2)
> Kaie do you think this bug is related to 427983 ?

No
Changing summary from current
  Thunderbird 3 no longer works in a reverse SSL configuration with 
  manual certificate exceptions
to
  can't add permanent exception for server that uses alternating certificates
Summary: Thunderbird 3 no longer works in a reverse SSL configuration with manual certificate exceptions → can't add permanent exception for server that uses alternating certificates
(In reply to comment #1)
> Might be related to bug 468664.

I think those are different bugs.
(In reply to comment #3)
> I don't have a good solution for this bug currently.
that's unfortunate.
> 
> I assume, when you connect to your server, you always use the same hostname
> (mail server hostname configured in mail), regardless of your current location
> (intranet or internet).
you have to use the same name in thunderbird.
If you use the ip or change the name, thunderbird believes you have changed server and folders and will redownload all your stuff, which is very painful...

> 
> Our "certificate exception" system is currently bound to a single hostname.
> Yes, as soon as you add a new exception for the same hostname, you will
> overwrite your old exception.
> 
> The fact that your server identifies using a different cert, depending on your
> location, is really a mess. I wish your server admins could change that, to at
> least introduce some consistency.
From a pure ssl point of view, I agree.
From a network point of view, it's kind of logical to have different certificates...
The real server is an Exchange server on an internal lan. So the ssl certificate was probably created using ms tools.
When connecting from the Internet, the reverse proxy on a dmz has a different security level (probably a linux box) and is less trusted than the internal server -> you don't want to copy the certificate key of the internal server to the dmz server.

I think a good workaround would be to always connect to the reverse proxy even from inside and use a name for it valid both from inside and outside (which would change the ip to an internal one, which doesn't affect the ssl certificate)

I still think it's a functionality regression, as thunderbird used to work in this kind of configuration, even if it's by far not the best solution...
It should be possible to tweak thunderbird to allow having several exceptions for the same hostname (because I choose to trust both certificates as valid).


> 
> I can not think of an easy solution right now.
> I wouldn't want to store multiple valid certificates for a single target
> server, your configuration is really not something that should be encouraged. I
> hope you can put some pressure on the server admins to get it at least
> consistent.
> 
> So, I'm tempted to resolve this bug as WONTFIX because your environment is
> pretty much against the idea of the identification ideas of using SSL.
> 
> Here is a proposal that might help you:
> - use a different hostname for the mail server depending on your location
> - each time you switch location, edit mail accounts and change the server name
> - you could use an entry in your "hosts file" to help achieve two host names
> that point to the same server
> - TB will keep the exception for each hostname independently
that's unrealistic because :
- I move my laptop from home to work once a day.
- changing the server address messes up thunderbird, causing pain (folders redownloaded, ...)
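The two override models argued over in this bug, as an added example that is not Thunderbird's own code: a store that keeps one exception per host:port (the behaviour comment 3 describes, where a second exception for the same hostname overwrites the first) next to a store that keeps a set of explicitly pinned fingerprints per host:port (the tweak the reporter asks for). The certificate bytes, the SHA-256 fingerprint key, and the roaming sequence are constructed here to replay the report; the hostname `servername.domain` and port 993 are the ones given in the report. Neither store accepts an arbitrary certificate for the host, only fingerprints the user pinned one by one, which is the property a defender would want to check before relaxing the one-override rule.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the two DER-encoded certificates from the report:
# the internal Exchange server's cert and the DMZ reverse proxy's cert, plus an
# unrelated cert that must never be accepted. Real values would come from
# ssl.SSLSocket.getpeercert(binary_form=True).
INTERNAL_CERT = b"constructed-der:internal-exchange-self-signed"
PROXY_CERT = b"constructed-der:dmz-reverse-proxy-self-signed"
ROGUE_CERT = b"constructed-der:unknown-third-party"

# The single server name the client is configured with (from the report).
HOST, PORT = "servername.domain", 993


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes; the override is keyed on this, not on the name."""
    return hashlib.sha256(cert_der).hexdigest()


class SingleOverrideStore:
    """One override per (host, port): adding a second one replaces the first.

    This models the behaviour described in comment 3 of the bug."""

    def __init__(self) -> None:
        self._overrides: dict = {}

    def add_override(self, host: str, port: int, cert_der: bytes) -> None:
        self._overrides[(host, port)] = fingerprint(cert_der)

    def accepts(self, host: str, port: int, cert_der: bytes) -> bool:
        return self._overrides.get((host, port)) == fingerprint(cert_der)


class MultiOverrideStore:
    """A set of overrides per (host, port): every fingerprint the user pinned
    explicitly stays valid, and only those fingerprints are accepted.

    This models the tweak the reporter asks for (hypothetical, not a Thunderbird API)."""

    def __init__(self) -> None:
        self._overrides = defaultdict(set)

    def add_override(self, host: str, port: int, cert_der: bytes) -> None:
        self._overrides[(host, port)].add(fingerprint(cert_der))

    def accepts(self, host: str, port: int, cert_der: bytes) -> bool:
        # .get() rather than [] so a lookup never creates an empty entry.
        return fingerprint(cert_der) in self._overrides.get((host, port), set())


def roam(store) -> list:
    """Replay the sequence from the report: on the LAN, out on the Internet,
    then back on the LAN. Returns whether each connection attempt was accepted."""
    results = []
    store.add_override(HOST, PORT, INTERNAL_CERT)              # LAN: pin the internal cert
    results.append(store.accepts(HOST, PORT, INTERNAL_CERT))
    store.add_override(HOST, PORT, PROXY_CERT)                 # Internet: pin the proxy cert
    results.append(store.accepts(HOST, PORT, PROXY_CERT))
    results.append(store.accepts(HOST, PORT, INTERNAL_CERT))   # back on the LAN
    return results


def rogue_rejected(store) -> bool:
    """After the roaming sequence, an unpinned certificate must still be refused."""
    roam(store)
    return not store.accepts(HOST, PORT, ROGUE_CERT)


if __name__ == "__main__":
    print("single override:", roam(SingleOverrideStore()))   # third attempt fails
    print("multi override: ", roam(MultiOverrideStore()))    # all three succeed
    print("rogue rejected: ", rogue_rejected(MultiOverrideStore()))
```

The third entry of the `roam` result is the regression the reporter hits: with one override per hostname the internal certificate is no longer trusted once the proxy certificate has been pinned. The multi-override store fixes that while keeping the trust decision per certificate, so the concern in comment 3 about "any cert for this host" does not arise; what it does widen is the number of self-signed certificates the user has chosen to trust, which is why the workaround of connecting to one endpoint with one certificate remains the cleaner configuration.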
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE