
Expired certificates conflicts prevent message encryption



MailNews Core
Security: S/MIME
8 years ago
a year ago


(Reporter: Huu Da, Unassigned)


1.8 Branch

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [psm-smime])



8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20090824 Firefox/3.5.3
Build Identifier: version (20090812)

When importing a new certificate from one person, it is not possible to encrypt any message to that person unless we delete all expired certificates from that person. I can delete those expired certificates, restart TB, open a message with the latest unexpired certificate and I can encrypt emails to that person.

This is ok, but it becomes a problem if that person is myself, or one of the other email addresses I have.

I cannot send an encrypted email to another of my emails if I have expired certificates. I cannot delete those expired certificates since I need them to decrypt old encrypted emails.

Reproducible: Always

Steps to Reproduce:
1. Have an expired certificate for your email.
2. Import a new certificate with the same email.
3. Compose
4. Type your email
5. Click on "Security" -> "View Security Info".
Actual Results:  
Recipient shows "your email".
Status: Not found

Expected Results:  
Show "Found", Issued date and expires date.
Assignee: nobody → kaie
Component: Message Compose Window → Security: PSM
Product: Thunderbird → Core
QA Contact: message-compose → psm
Version: unspecified → 1.8 Branch

Comment 1

7 years ago
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody

Comment 2

7 years ago
This problem may be related to the "hidden S/Mime profile".

Each time you display and read a signed S/Mime message from the same sender email address, the NSS database will remember the preferred encryption certificate which has been listed inside the signed message.

Simply importing a certificate into cert manager will not update that hidden profile.

Try to send a signed email to yourself, using the new preferred cert, this might enable you to send an encrypted message afterwards. Does this work for you?
Whiteboard: [psm-smime]

Comment 3

7 years ago
I am not sure what you are asking me to do...

I can:
 - send signed email from A@B.C to X@Y.Z
 - send signed and encrypted email from A@B.C to X@Y.Z
 - read signed email on X@Y.Z from A@B.C
 - read signed and encrypted on X@Y.Z from A@B.C
 - send signed email from X@Y.Z to A@B.C

I cannot (even if I can read signed email from A@B.C to X@Y.Z):
 - send signed and encrypted email from X@Y.Z to A@B.C
 - send encrypted email from X@Y.Z to A@B.C
 - send signed and encrypted email from X@Y.Z to X@Y.Z

If not any of these combinations, can you specify to me what order you want me to test?

I have tested with TB 3.0.5, and just downloaded and tested with 3.1. Same results.

Also, funny thing, I just noticed that this also prevents me from saving to draft if I've checked Encrypt.

Comment 4

7 years ago
I can confirm this bug also exists in TB 3.0.6. (Linux)

It does not help to send a signed (with the new, valid certificate) eMail to force the sender to use the new certificate.

Comment 5

7 years ago
Confirmed here too.


7 years ago
Ever confirmed: true

Comment 6

7 years ago
I have exactly the same problem here. We are migrating from one CA to another.

Users have certs from the old CA and from the new one. But Thunderbird always chooses the first known certificate, even if this certificate is expired (the one from the old CA).

The only known workaround is to delete expired certificates from the certificate store. This is very painful because users are exchanging certificates as they expire...

I believe this is a duplicate of #495655 and #531073

I tested this with Thunderbird 3.1.6 on Linux.

Comment 7

6 years ago
I can confirm that behaviour for Thunderbird 3.1.4 to 3.1.6 on Windows as well. Seems to be platform independent.
Component: Security: PSM → Security: S/MIME
Product: Core → MailNews Core
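
An added illustration (not part of any comment above, and not Thunderbird or NSS code): a small Python model of the selection problem this report describes, where the first stored certificate for an address is used even when it has expired, next to a validity-aware selection that leaves expired certificates in the store for decrypting old mail. The `Cert` class, the function names, the serials and the dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for a stored S/MIME recipient certificate."""
    email: str
    serial: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def pick_first_known(store, email, when) -> Optional[Cert]:
    """Reported behaviour: the first stored cert for the address wins, so an
    expired one leaves the recipient without a usable cert ("Not found")."""
    for cert in store:
        if cert.email.lower() == email.lower():
            return cert if cert.valid_at(when) else None
    return None


def pick_valid_newest(store, email, when, preferred_serial=None) -> Optional[Cert]:
    """Validity-aware selection: drop certs not valid at send time, honour a
    remembered preference only if it is still valid, else take the cert
    that expires last. Nothing is deleted from the store."""
    valid = [c for c in store
             if c.email.lower() == email.lower() and c.valid_at(when)]
    for cert in valid:
        if cert.serial == preferred_serial:
            return cert
    return max(valid, key=lambda c: c.not_after, default=None)


# Constructed sample store: the expired cert from the old CA was imported
# first and is kept because it is still needed to decrypt old mail.
STORE = [
    Cert("X@Y.Z", "old-ca-01", datetime(2008, 1, 1), datetime(2009, 1, 1)),
    Cert("X@Y.Z", "new-ca-02", datetime(2009, 6, 1), datetime(2011, 6, 1)),
]
SEND_TIME = datetime(2010, 7, 1)
```
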