Yahoo's POP3S mail server misconfigured for client certificate authentication

Status: NEW
Assignee: Unassigned
Product: Tech Evangelism Graveyard
Component: Other
Opened: 8 years ago
Updated: 3 years ago
Reporter: Usul
Blocks: 1 bug
Attachments: 1 attachment

(Reporter)

Description

8 years ago
Created attachment 400685
openssl s_client -connect pop.mail.yahoo.com:pop3s log

While trying to set up a new Yahoo pop account an issue occurred while verifying the certificate on the server.
Either we miss something in our cert chain or Yahoo's email servers are misconfigured. As we provide ssl config by default, all our users willing to read yahoo mail will choke on this.

Attaching the log I got using OpenSSL and putting Nelson in cc as my knowledge of certs is limited.

I'm pretty sure this is not the right component to put the bug in - but it's the best place under Thunderbird.

Comment 1

There are a number of problems here, but I'm pretty sure that the problem is NOT that Thunderbird fails to verify the server's certificate.  The openssl program's successes and failures at verifying a host's certificate have absolutely nothing to do with Thunderbird's successes or failures at that.

The real problem has not been reported here.  There are at least two possible
reasons for that, which include:

1) Thunderbird reported a precise error code and/or error string, which was 
not copied down into this bug report, or 

2) (More likely, IMO) Thunderbird ignored the specific error code reported 
by NSS, and simply told the user that "an issue" occurred, without any details 
whatsoever about what issue it was.  

Now, even though the actual error code was not reported here, there's a pretty good chance that this bug is another slightly-different manifestation of these other bugs that involve SSL and Yahoo's mail servers:

bug 313012 
Secure SSL communication problem to IMAP server when using certificate
bug 437683 
Select SSL client certificate in account/identity configuration
bug 456590 
Yahoo and AT&T SMTP SSL change fails with Thunderbird
bug 456593 
Yahoo and AT&T POP SSL change causes bad behavior with Thunderbird 

I predict this bug will get fixed no more (or less) quickly than those others.
(Reporter)

Comment 2

8 years ago
(In reply to comment #1)

> 1) Thunderbird reported a precise error code and/or error string, which was 
> not copied down into this bug report, or 

Peer does not recognize and trust the CA that issued your certificate.

Error code: ssl_error_unknown_ca_alert, which according to http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html is -12195
 
> 2) (More likely, IMO) Thunderbird ignored the specific error code reported 
> by NSS, and simply told the user that "an issue" occurred, without any details 
> whatsoever about what issue it was.  
> 
> Now, even though the actual error code was not reported here, there's a pretty
> good chance that this bug is another slightly-different manifestation of these
> other bugs that involve SSL and Yahoo's mail servers:
> 
> bug 313012 
> Secure SSL communication problem to IMAP server when using certificate

Indeed same issue as https://bugzilla.mozilla.org/show_bug.cgi?id=313012#c6 

> I predict this bug will get fixed no more (or less) quickly than those others.

Sorry again for not providing the error message in the first place.
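
Added example (not part of the bug report, and not Thunderbird or NSS code): a small Python helper that reads `openssl s_client` output of the kind attached to this bug and keeps apart the two questions raised in comments 1 and 2, namely whether openssl verified the server's chain and whether the server asks for a client certificate from particular CAs. The transcript, DNs and function names are constructed for illustration; this is not the attached log.

```python
import re

# Constructed s_client excerpt (hypothetical names, not the attachment).
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Mail/CN=pop.mail.example
   i:/C=US/O=Example CA/CN=Example Server CA
---
Acceptable client certificate CA names
/C=US/O=Example CA/CN=Example Client CA 1
/C=US/O=Example CA/CN=Example Client CA 2
---
SSL handshake has read 2345 bytes and written 456 bytes
---
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

def parse_s_client(text):
    """Extract the advertised client-CA list and the server verify result."""
    lines = text.splitlines()
    ca_names = []
    for i, line in enumerate(lines):
        if line.strip() == "Acceptable client certificate CA names":
            for dn in lines[i + 1:]:
                if "=" not in dn:      # DN lines always contain '='
                    break
                ca_names.append(dn.strip())
            break
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", text)
    verify = (int(m.group(1)), m.group(2)) if m else None
    return {"client_ca_names": ca_names, "server_verify": verify}

def diagnose(text, client_issuer=None):
    """Return findings; client_issuer is the issuer DN of the local client cert."""
    info = parse_s_client(text)
    findings = []
    names = info["client_ca_names"]
    if names:
        findings.append("server requests a client certificate")
        if client_issuer is not None and client_issuer not in names:
            # Presenting this cert may be answered with an unknown_ca alert.
            findings.append("client cert issuer not in server CA list: "
                            "possible unknown_ca alert")
    if info["server_verify"] and info["server_verify"][0] != 0:
        findings.append("openssl did not verify the server chain "
                        "(independent of the client-cert question)")
    return findings
```

The issuer comparison is an exact string match on the DN as s_client prints it; a server that advertises no CA names can still reject a presented certificate.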
(Reporter)

Comment 3

8 years ago
Adding roland so he knows the issue when we release 3.0
Assignee: nobody → other
Component: Security → Other
Product: Thunderbird → Tech Evangelism
QA Contact: thunderbird → other
Summary: Yahoo's email cert can't be verified by thunderbird → Yahoo's POP3S mail server misconfigured for client certificate authentication
Version: Trunk → unspecified
Product: Tech Evangelism → Tech Evangelism Graveyard