No possibility to make certificate exceptions

Status: NEW (Unassigned)
Product: Thunderbird
Component: Security
Reported: 8 years ago
Modified: 5 months ago
Reporter: Tuomo Tikkanen
Bug Flags: wanted-thunderbird+
Firefox Tracking Flags: (Not tracked)
Attachments: 6

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.9.1.5) Gecko/20091103 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.9.1.4pre) Gecko/20090925 Thunderbird/3.0b4

In our company MS domain controllers are used as LDAP servers for email clients. There is an alias "a.system.in.our.intra.net" that is the address configured as the LDAP server. But because this is an alias, the actual system behind the alias name changes every time TB makes an LDAP connection. For this reason I have been using exceptions (as well as the "Remember Mismatched Domains" add-on on Windows [1]) in TB1.5/2.0 to avoid mismatched system names in the certificate.

I decided to try out TB3.0b4, where this issue should have been totally corrected by the new certificate exception handling system according to the author of the "Remember Mismatched Domains" add-on. Unfortunately I found out that the case has just been made even worse. There is no way to make a permanent exception, or even a temporary exception, to continue secured LDAP usage in case the certificate is not 100% perfect. For example, if the certificate is self-signed or if the machine name does not match exactly, as in our case.

In TB1.5/2.0 the dialog box "TB_untrusted_cert_ed.png" used to have an OK button to make an exception. This is now missing, as you can see from the attachment. If the exception is now meant to be made via the "View Certificate" button, that dialog is missing an "exception" button too. As a whole, this current implementation makes it quite impossible to get email addresses from the LDAP server in our environment.

I wish this is corrected before TB3.0 is released, because otherwise I really must go back to TB2.0. This is really a show stopper to me.

[1] https://addons.mozilla.org/fi/thunderbird/addon/2131

Reproducible: Always

Steps to Reproduce:
1. Add any LDAP server which has, for example, a self-signed cert
2. Use it either via the message composer or the address book
3. Get the message box like "TB_untrusted_cert_ed.png"
Actual Results:  
LDAP does not find any matches because it is not possible to make a certificate exception. (Message composer error <LDAP server search problem>)

Expected Results:  
Possibility to make exception for bad certificate directly from message box.

Tested that the very same bug exists also in Windows version of TB3.0b4.
(Reporter)

Comment 1

8 years ago
Created attachment 412584 [details]
Earlier versions used to have OK button here to make exception
(Reporter)

Comment 2

8 years ago
Created attachment 412585 [details]
No exception button here either
(Reporter)

Comment 3

8 years ago
Created attachment 412586 [details]
No exception button here either
(Reporter)

Comment 4

8 years ago
Created attachment 412587 [details]
After cancel LDAP server is not used because of "failed connection"

Comment 5

8 years ago
What version of TB were you using in 2.x, the latest 2.0.0.23 or an earlier one?
Component: Message Compose Window → Security
QA Contact: message-compose → thunderbird
(Reporter)

Comment 6

8 years ago
(In reply to comment #5)
> What version of TB were you using in 2.x , the latest 2.0.0.23 or an earlier
> one ?

I have used multiple versions of 2.x. The 2.0.0.22 was/is the latest version I have used though.

Comment 7

8 years ago
(In reply to comment #6)
> (In reply to comment #5)
> > What version of TB were you using in 2.x , the latest 2.0.0.23 or an earlier
> > one ?
> 
> I have used multiple versions of 2.x. The 2.0.0.22 was/is the latest version I
> have used though.

If you could test with 0.23 I would be surprised if it worked, and if it did then something else than what I'm thinking of is going on.
(Reporter)

Comment 8

8 years ago
(In reply to comment #7)
.....
> If you could test with 0.23 I would be surprised if it worked, and if it did
> then something else than what I'm thinking of is going on.

I have now tested 2.0.0.23 and there it works just like it worked on 2.0.0.22. No problem there. I can make an exception and, most importantly, there is an OK button to allow a "bad certificate" (I'll attach a screenshot). With the "Remember Mismatched Domains" add-on I can make TB 2.0.0.23 remember this permanently (on Windows; it is not available for Solaris) so that there is no need to press the OK button every time.
(Reporter)

Comment 9

8 years ago
Created attachment 412812 [details]
Domain Name Mismatch dialog in TB 2.0.0.23

Note that in TB1.5/2.0 the Domain Name Mismatch dialog has an OK button to accept a "bad certificate". TB3.0 is missing this.
(Reporter)

Comment 11

8 years ago
I have now found out how to add an exception for a server using the Certificate Manager and thus partially overcome the problem. However, this is not a perfect solution because only one exception per server name is allowed. It is also too complicated to use.

Basically what you can do is:
1) Open the Address Book or start to write an address in the To: field (with LDAP servers set)
2) You'll get an error message telling you that the certificate is not valid because it is self-signed and/or does not belong to ldap.domain.net
3) You can view the certificate and select the "Detailed" tab from the certificate view.
4) Export the certificate to a file
5) Open Edit->Preferences..., select the Advanced/Certificates tab and push the "View Certificates" button.
6) From the Certificate Manager press the "Import..." button and select the file you exported the certificate to in phase 4).
7) Now press the "Add Exception..." button in the Certificate Manager
8) Write your LDAP server alias in the "Location" field as "ldaps:ldap.my.domain.net:636" to get the certificate to which you want to add an exception
9) Press "Confirm Security Exception" and you'll get an exception for the server that currently happens to be your LDAP server.

This works as long as the alias ldap.my.domain.net points to the server it pointed at when the addition was made. However, as soon as it changes to point to another one, you need to add an exception via the Certificate Manager. This is also very annoying.

I just today happened to read in the TB 3.0rc1 Release Notes that:

"If using SSL or TLS, and the certificate that comes from the server is self-signed, expired, or has a domain that does not match the server domain, a dialog will be shown asking if Thunderbird should permanently make an exception for the cert. This should only be done if the error is understood." [1]

This was in the "Known Issues" part of the Release Notes, but seems not to be valid for the address book (ldaps) case. Perhaps it is true for IMAPS? I cannot test that.

[1] http://www.mozillamessaging.com/en-US/thunderbird/3.0rc1/releasenotes/#issues
OS: Solaris → All
Hardware: Sun → All
Version: unspecified → 3.0
(Reporter)

Comment 12

8 years ago
Created attachment 415138 [details]
Exception added for ldaps://xx.yy.net:636 server
(Reporter)

Comment 13

8 years ago
Comment on attachment 415138 [details]
Exception added for ldaps://xx.yy.net:636 server 

An exception for an xx.yy.net:636 ldaps server can only be made for one real server at a time (in this picture only for the 003 server). However, because it is an alias, the actual server can be any other server from the range 001-999 in our case. Because the addition of ldaps-server certificate exceptions is so cumbersome, I have here added only 004, 007 and 010 in addition to the "current" active one, 003.

An exception for ldaps://xx.yy.net:636 should be possible to make for all the servers, and directly from the warning dialog / certificate viewer the user gets when the "bad" certificate is seen for the first time.
Attachment #415138 - Attachment description: Exception added for ldaps//]:xx.yy.net:636 server → Exception added for ldaps://xx.yy.net:636 server
Duplicate of this bug: 539617
Duplicate of this bug: 496705
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-thunderbird3.1?

Updated

8 years ago
blocking-thunderbird3.1: --- → beta2+
Flags: blocking-thunderbird3.1?

Updated

8 years ago
Duplicate of this bug: 531509
It feels like this is likely to need strings, so I think we need to understand the options here sooner rather than later.  Standard8, can you have a look at this and summarize?
Assignee: nobody → bugzilla
Note that I think we need to have this fixed for the general case (or at least LDAP, IMAP, and POP) for 3.1, not just LDAP.  I DUPed at least one other bug into this one based on that assumption.  Feel free to unDUP if that was the wrong thing to do.
We're resetting the blocking flag for 3.1 on this bug and instead setting the wanted-thunderbird+ flag. We have too many blocking-3.1 bugs, to the point where it doesn't mean much, and managing the list is making it hard to actually work on closing bugs, which helps no one.

Thunderbird 3.1's primary purpose is to allow us to offer a prompted major update to Thunderbird 2 users, to ensure their continued ability to safely use Thunderbird.  Thunderbird 2 is built on an outdated version of Gecko, and our long-term ability to maintain the users' safety for Thunderbird 2 users is limited.

If you think this bug meets the requirements below, please renominate with a detailed explanation of how it meets the following two criteria, and we will reconsider.  To qualify, this bug must either:

a) make the upgrade experience from TB2 very painful for a large number of users

or

b) be a new, reproducible, severe quality issue (eg dataloss, frequent crashes)

Just because this bug doesn't block TB3.1 doesn't mean it can't or won't make the release.  Once they're done with their blockers (if any), we encourage developers to keep working on non-blocking bugs, and to try to land them as early in the cycle as possible, as non-blocking bugs will become increasingly difficult to land in the later stages of the cycle.
blocking-thunderbird3.1: beta2+ → ---
Flags: wanted-thunderbird+
Duplicate of this bug: 602170
Duplicate of this bug: 596154
Duplicate of this bug: 465702

Updated

7 years ago
Duplicate of this bug: 574619

Updated

7 years ago
Duplicate of this bug: 560233
Duplicate of this bug: 608920
Version: 3.0 → Trunk

Comment 26

7 years ago
I understand this issue has been around for almost a year. Is it clear in which release this will be patched? I cannot open any emails from my bank anymore because of the not-trusted certificate issue - see Bug 608920 - which will force me to use a secondary e-mail program (Mail) just for that. I love Thunderbird and prefer to use one program only.
Blocks: 497488
Bug 493980 may hold the key to this.

Updated

7 years ago
Duplicate of this bug: 628076

Updated

7 years ago
Duplicate of this bug: 531549

Updated

6 years ago
Duplicate of this bug: 756712

Comment 31

6 years ago
This bug, or something very similar, appears to still be present in Thunderbird 12.0.

The "Add security exception" window appears when it should. But the "Permanently store this exception" checkbox has no effect; the warning returns on every startup.

Manually adding exceptions (in Tools > Options > View Certificates > Add Exception) works, but again, they aren't always persistent even when the "permanently store" checkbox is ticked. The last time this happened, it took five or six tries before Thunderbird stored it correctly.
Assignee: mbanner → nobody

Comment 32

5 years ago
This just started affecting me.  I'm at Thunderbird 17.0.4.  A mail server that I had established an exception for (which has worked fine for a long time) now produces the "Add Security Exception" popup with "Certificate Status: This site attempts to identify itself with invalid information."

The option to "Permanently store this exception" is ineffective.

Comment 33

5 years ago
Just started affecting me too. Recently updated & now on 17.0.6. It seems to check mail successfully for some arbitrary amount of time after adding the exception, and then brings up the dialog again.

Comment 34

5 years ago
This bug is also affecting me. I'm on Windows 8, running Thunderbird 17.0.7.

I love Thunderbird, but this is just silly.

Comment 35

5 years ago
This started affecting me recently, too. Currently-installed version is 17.0.7.

As others have stated, I tell Thunderbird to accept the certificate permanently, and the warnings disappear for a while (I don't know how long, exactly -- maybe a couple of hours), but then they return for no discernible reason.

Navigating to Tools -> Options -> Advanced -> Certificates -> View Certificates reveals a possible clue: in the Certificate Name column, I see all of the certificates that should be exempt from displaying warnings and they are all grouped under "(Unknown)" and have the value "(Not Stored)" for the Certificate Name. "Not Stored" would certainly explain why the warning messages keep coming back.

Why are the certificates not being stored?

For whatever it's worth, the same exact thing happens in Firefox, version 22.0.

Did some shared certificate component that both applications use undergo changes recently that could have caused this, I wonder?

Comment 36

5 years ago
Same problem here. TB 17.0.8 using kubuntu 12.04.
Manual addition of exception does not work.

Comment 37

4 years ago
I am also seeing this start to happen recently. With the death of the machine I used to use Outlook on, I am using Thunderbird more and more for all my domain name's mailboxes.

The cert the server presents is the default Parallels panel one, so the name doesn't match mail.mydomain.com and I get a warning. No matter how many times I choose to permanently store the exception, it doesn't. As it happens once on every connection to the mail server, and I have about 8 accounts on it in Thunderbird, I will often come back to the PC with an endless stream of this dialog to either dismiss, or I have to end task Thunderbird and open it again.

The option should work, and it should also not keep creating dialog after dialog once it has been confirmed.

Comment 38

4 years ago
Still not fixed in TB 24 :(

Comment 39

4 years ago
Still not fixed in TB 26.0 beta :(

Comment 40

4 years ago
When TB opens up, I get all these Certificate warnings, I can tick "[ ] Permanently store this exception" but they come back again.
In Security/View Certificates/Add Exception, I can enter the Server Location and Get Certificate, but "[ ] Permanently store this exception" remains greyed out.
This is on Linux/Kubuntu. Could it be a rights issue, some file somewhere needs to be chmod'ed?

Comment 41

3 years ago
Will that annoying issue ever be sorted out?
Another two years gone and I still can't use TB because I use a UTM as a transparent SSL proxy (AV).

Is TB to be used by users or developers only?

Comment 42

2 years ago
Security exceptions are still ignored or not stored in 38.3.0. I really wish this would be looked at since it's been 6 years now.

Comment 43

2 years ago
Confirming this behavior on both Windows 7 and Windows 8.1 - 2 different machines, same host, different domains on different servers.

Host uses a wildcard cert *.server.ext

The issue just started about a week ago.

Tried creating a new profile and setting up everything fresh.

The issue still persists.

One thing to note, the server is mail.server.ext, the cert url shows mail.server.ext:143 (port number).  Removing the port allows me to retrieve the cert and save exception.  However, I am still repeatedly prompted to accept the exception.

Comment 44

2 years ago
For anyone interested, I fought with the same issue in bug 1262932. A possible workaround for those who suffer the "add exception" loop is to manually extract the authority certificate used to sign the certs served by two different servers, and add it to edit->preferences->advanced->certificates->View Certificates->Authorities, then edit it and check the "This certificate can identify websites" box.

If the mail server returns the root cert as part of the SSL response, then it can be extracted by dumping all certs, and cutting it out of the output into a .crt file.

openssl s_client -connect your.server:993 -showcerts < /dev/null

The .crt file should look like this:

-----BEGIN CERTIFICATE-----
MIIG6jCCBdKgAwIBAgIKZxwIdQAAAACArjANBgkqhkiG9w0BAQUFADB0MRMwEQYK
...
-----END CERTIFICATE-----
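The extraction this comment describes, done with a small parser over the `-showcerts` output instead of cutting by hand. This is an added example and not code from the bug thread; it assumes POSIX sh, awk and openssl, and the chain it embeds is constructed (placeholder PEM bodies, hostname mail.example.test) so that the parsing runs offline.

```shell
# Added example, not from the bug thread: split the chain printed by
# `openssl s_client -showcerts` into individual PEM certificates and pick
# the last one (the highest-level issuer the server sent) as the .crt file
# to import under Authorities. Assumes POSIX sh, awk and openssl.

# Constructed sample of s_client -showcerts output (two truncated PEM blocks,
# bodies are placeholders): a leaf for mail.example.test and its issuer.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Mail CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/CN=Example Mail CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODYPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
 1 s:/CN=Example Mail CA
   i:/CN=Example Mail CA
-----BEGIN CERTIFICATE-----
CACERTBODYPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
---'

# Number of PEM certificate blocks on stdin.
pem_count() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }'
}

# Print only the N-th (1-based) PEM block from stdin; everything else is dropped.
pem_block() {
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; inblock = (n == want) }
        inblock { print }
        /^-----END CERTIFICATE-----$/   { inblock = 0 }
    '
}

# Print the last PEM block on stdin: the issuer the server placed highest in its
# chain. If the server omits the root this is only an intermediate, so check it
# with `openssl x509 -noout -subject -issuer` before importing it as an authority.
last_pem() {
    chain=$(cat)
    n=$(printf '%s\n' "$chain" | pem_count)
    [ "$n" -gt 0 ] || return 1
    printf '%s\n' "$chain" | pem_block "$n"
}

# Live use (not run here): dump the chain from an IMAPS server and keep the
# top certificate as ca.crt for import into Thunderbird's Authorities tab.
fetch_top_cert() {
    openssl s_client -connect "$1:${2:-993}" -showcerts </dev/null 2>/dev/null | last_pem
}
```

Usage: `fetch_top_cert your.server 993 > ca.crt`, then import ca.crt as described in the comment above.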

Updated

a year ago
Duplicate of this bug: 669124

Comment 46

5 months ago
I'm having the same issue. Trying to use the global catalog of our AD (samba4) as an address list. It just doesn't work. The error console says:
'yourserver.com:3269 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER'

If I try to add the CA certificate (self-signed) to Thunderbird it throws another error:
'An error occurred during a connection to yourserver.com:3269.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL'

There's no way I can add an exception and therefore I can't use the AD address list.