several problems with imported personal certificates

Status: RESOLVED INVALID
Product: Thunderbird
Component: Security
Priority: --
Severity: major
Reported: 8 years ago; Modified: 8 years ago
People: Reporter pete; Unassigned
Platform: x86, Windows Vista
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 8 years ago)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1) Gecko/20090630 Fedora/3.5-1.fc11 Firefox/3.5
Build Identifier: 2.0.0.22 (downloaded 2009/07/19)

1. Vista import of private CA certificate to Thunderbird sometimes does not check some uses (like introduce mail users!!).
2. Vista import of downloaded cert shows in manager but cannot be used.  There is a workaround published in the Thawte forums (install in Firefox in XP compatibility mode, back up, then import that backup into Thunderbird) which allows use for encrypt/sign but still will not present the cert to the sending SMTP server for authentication.  The "send" click does ask which cert to present, then doesn't actually do so.  This function works in BSD, Linux, XP, so the problem appears unique to Vista.


Reproducible: Always

Steps to Reproduce:
1. Import a personal certificate (using the workaround if necessary).
2. Try to send mail to an SMTP server that requires a client cert for auth.
3. (This happens with either TLS/587 or SSL/465.)

Actual Results:
Client cert is not presented to the SMTP server during sending.  Server (properly) rejects the send attempt.

Expected Results:
mail doesn't get sent
Comment 1

Thank you for reporting issues to us.

If I read you correctly you are describing three issues:

1) You can't import some certificates and you need to go through Ff to do it.
2) Authentication on an smtp server using cert fails.
3) and the third one that I don't understand (your point number 1)

With three issues reported in one there is no way that we can fix the issue. The rule is one issue per bug. Can you please open 3 different bugs and add ludovic@mozillamessaging on the cc list of those bugs. In the meanwhile I'm going to close this one as INVALID, as three issues in one bug is not going to lead us anywhere.

https://bugzilla.mozilla.org/page.cgi?id=bug-writing.html
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Component: OS Integration → Security
QA Contact: os-integration → thunderbird
Resolution: --- → INVALID
Version: unspecified → 2.0
Comment 2

After a few emails pete thinks i

> > Well I think you could file two bugs. One about the import failing
> > - and we will probably need some data there.
I still think they are all the same bug:

Actually the import doesn't fail - the use of the imported cert fails.

(Import cert directly from CA saved file.  Shows in cert manager.  Try to
select a cert for signing, cert doesn't show in browse.  Still shows in
that UI's copy of cert manager too.)  This happens with my private CA
and also with Thawte's freemail cert auth.

Somehow doing a backup from Firefox when the cert was imported with
Firefox running in XP compat mode causes Thunderbird to do the import in
such a way that sign and encrypt now work, but SMTP session auth still
doesn't.

Imported CA cert works but sometimes one or more of the "uses" doesn't
get checked.

That is why I think that all 3 of my issues are related to the cert
store, which must be somehow different in Vista from all the other OSes
you support.
> >
> > The other one about the smtp issue. I understood from reading the bug
> > that you had successfully imported your cert but had issues using it -
> > for me it's a second bug.
Same here.  The import works but the use fails.  Regarding the first I
can send you to a couple of forum threads pointed to off of thawte's
personal cert website.  After using that workaround the cert still
wouldn't work for sending.
> >
> > I'm as clueless as you are - that's why I would prefer to have two
> > issues. Storing the cert is Mozilla specific - we don't use to my
> > knowledge any specific APIs for that.
Maybe the X.509 parser (famous ASN.1) is different in Vista?
> >
> > Ludo

> > I'm as clueless as you are - that's why I would prefer to have two
> > issues. Storing the cert is Mozilla specific - we don't use to my
> > knowledge any specific APIs for that.
Wow...  I googled some more and found that this is a general problem
with Vista clients, not yet fixed a year after the GA release.  In
various forums, including at least 2 Microsoft forums with some messages
going back to late 2007, it shows up with:
IE7 accessing an Exchange server configured to require client certs (but
supposedly Firefox works, though some features (like calendar
integration) don't!!).  This is microsquash software on both ends...
I see it with Thunderbird and Claws Mail both.
IE7 and IE8 accessing IIS.  Also Microsoft at both ends.

Apparently somehow Vista messes with an SSL handshake with client cert.
Server cert works fine.  So it might or might not be a Thunderbird
problem, though a fix might be to use OpenSSL and not MS's SSL library (I
don't know which you guys use...)
On both Thunderbird and Claws Mail it fails with STARTTLS on port 587
*and* SSL on port 465.  My IMAP server isn't configured for client certs
so this doesn't get tested for that end.  Also it is independent of IPv4
or IPv6 for the connection (I have both available here and on both servers).

These two Vista machines both got SP2 today (off-cycle release, since
criticals are usually released on the second Tuesday and this is the
third) and the problem still happens in both Thunderbird and Claws
Mail.  (Claws Mail doesn't have a cert store; it uses the pfx file
directly, so is pretty simple.  It does let you specify a different client
cert for the IMAP and SMTP server.)

I haven't installed much on the Vista system yet, may just blow it away
and "downgrade" to XP Pro (which at least works :-).  Can't do that to
Carol's new computer though.  (I don't really care about factory
software support but she is clueless about computers...)  And I normally
do my email in either Linux or FreeBSD in preference to windoze anyway.
Both of those Thunderbirds work just fine.

-- Pete
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

Comment 3

8 years ago
I am unable to understand this bug report.  My best guess is similar to comment 1:

1. There was a bug with the way Thawte's User Agent sniffer worked. That bug prevented FF on Vista from getting certs.  That's their bug, and as an aside, they closed down their free cert program. Either way, it's not a TB bug.

2. SSL/SMTP with client-certs is broken. If that's true, that would be a real bug and we should fix it. In this case, please open a bug report for that issue and include very detailed information showing how we can reproduce the bug.  Assume nothing since even a simple variation can mean we don't see the bug. Also, please include a copy of the CA cert and an example of a user cert. (Not the private keys, just the public cert). 

FYI:
>That is why I think that all 3 of my issues are related to the cert store, which must be somehow different in vista from all the other OS's you support.
The TB codebase is the same across all platforms, with some minor differences here and there. 

Marking Invalid for now, but please please please open a new bug if SSL/SMTP with client-auth is somehow broken in TB3. 

Thank you!
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID
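Comment 3 asks for reproduction detail that separates three different outcomes the thread keeps conflating: the server never asked for a client certificate, the server asked and then aborted the handshake, or the server asked and accepted what it got. The script below is an added example, not part of this bug report or of Thunderbird's code. It drives `openssl s_client -state` (which uses OpenSSL's own TLS stack rather than the operating system's) against the SMTP port and classifies the output, so the same probe run from Vista and from Linux shows whether the platform itself interferes with the client-certificate handshake, independent of the mail client. The three transcripts embedded in it are constructed, not captured from a real server, and the `-state` and summary line wordings it matches ("read server certificate request", "SSL3 alert read:fatal:...", "Acceptable client certificate CA names", "SSL handshake has read", "Verify return code") are those of OpenSSL 1.1/3.x s_client; treat them as an assumption to confirm against your own build.

```python
"""Classify an SMTP server's TLS client-cert behaviour from `openssl s_client -state` output.

Added example for this bug thread, not part of the report or of Thunderbird. The state
and summary line wordings matched below are those of OpenSSL 1.1/3.x s_client and are
an assumption to verify against your own build.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientAuthReport:
    handshake_ok: bool                 # summary line printed, i.e. the handshake ran to its end
    server_requested_cert: bool        # server sent a CertificateRequest
    fatal_alert: Optional[str] = None  # reason text of a fatal alert from the server, if any
    ca_names: List[str] = field(default_factory=list)  # issuer DNs the server says it accepts
    verify_code: Optional[int] = None  # verification result for the *server* cert (0 = ok)

    def verdict(self) -> str:
        """Collapse the fields into the one question the thread is arguing about."""
        if self.fatal_alert:
            return "server_rejected_handshake:" + self.fatal_alert
        if not self.handshake_ok:
            return "handshake_incomplete"
        if not self.server_requested_cert:
            return "server_did_not_request_client_cert"
        return "client_auth_accepted"


CA_HEADER = "Acceptable client certificate CA names"
CA_LIST_END = ("---", "Client Certificate Types", "Requested Signature Algorithms")


def parse_sclient_output(text: str) -> ClientAuthReport:
    """Parse the combined stdout+stderr of `openssl s_client -state`."""
    lines = text.splitlines()
    report = ClientAuthReport(
        handshake_ok=any(l.startswith("SSL handshake has read") for l in lines),
        server_requested_cert=any("read server certificate request" in l for l in lines),
    )
    for line in lines:
        alert = re.match(r"SSL3 alert read:fatal:(.+)", line)
        if alert:
            report.fatal_alert = alert.group(1).strip()
        verify = re.match(r"Verify return code: (\d+)", line)
        if verify:
            report.verify_code = int(verify.group(1))
    if CA_HEADER in lines:
        # The DN list runs from the header line to the next section marker or blank line.
        for line in lines[lines.index(CA_HEADER) + 1:]:
            if not line.strip() or line.startswith(CA_LIST_END):
                break
            report.ca_names.append(line.strip())
    return report


def probe_smtp_client_auth(host: str, port: int, cert_pem: str, key_pem: str,
                           timeout: float = 20.0) -> ClientAuthReport:
    """Connect with openssl s_client and classify what the server did.
    Port 465 is implicit TLS; any other port (e.g. 587) is upgraded with STARTTLS."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    cmd = ["openssl", "s_client", "-state", "-connect", f"{host}:{port}",
           "-servername", host, "-cert", cert_pem, "-key", key_pem]
    if port != 465:
        cmd += ["-starttls", "smtp"]
    proc = subprocess.run(cmd, input=b"QUIT\r\n", capture_output=True, timeout=timeout)
    # -state lines go to stderr; the CA list and verify result go to stdout.
    return parse_sclient_output((proc.stdout + proc.stderr).decode(errors="replace"))


# Constructed transcripts (not captured from a real server) covering the three outcomes.
SAMPLE_ACCEPTED = """SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS read finished
---
Acceptable client certificate CA names
CN = Example Private CA (constructed)
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 2311 bytes and written 1870 bytes
Verify return code: 0 (ok)
"""
SAMPLE_REJECTED = """SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS write client certificate
SSL3 alert read:fatal:handshake failure
---
SSL handshake has read 2110 bytes and written 1850 bytes
Verify return code: 0 (ok)
"""
SAMPLE_NOT_REQUESTED = """SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read finished
---
No client certificate CA names sent
---
SSL handshake has read 1902 bytes and written 421 bytes
Verify return code: 0 (ok)
"""
```

A rejection verdict with the client's own issuer absent from `ca_names` points at a trust-store or certificate-selection problem (the private CA of this report); a rejection with the issuer present, reproduced from one platform but not another with the same certificate files, is the platform-level handshake interference the reporter suspects. `probe_smtp_client_auth("mail.example.invalid", 587, "client.pem", "client.key")` is the live call; the constructed samples let the parser be exercised offline.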