Closed Bug 713714 Opened 13 years ago Closed 3 years ago

Incorrect Error message when using new account setup wizard to setup a server with self signed or revoked SSL certificates - bad cert listener is blocked

Categories

(Thunderbird :: Account Manager, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: mike, Unassigned)

References

(Depends on 1 open bug)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Build ID: 20111220165912

Steps to reproduce:

I was unknowingly trying to create a new account against an IMAPs server that had a revoked certificate. There are actually two problems:

1) The new account creation tool doesn't tell you the certificate is revoked; it just tells you that your password is invalid.

2) I'd been happily using that same IMAP server (with revoked cert) in a profile that existed *before* the certificate was revoked. It's possible I got a certificate error and ignored it, I don't recall.


Actual results:

Every time I tried to test the account, it would seem to spin for a while, then just sit there (no network traffic confirmed with tcpdump on target server). Eventually it returned with "invalid password."


Expected results:

The account creation tool should have told me that the certificate was revoked, not that my password was invalid.

I believe Thunderbird should be more naggy for certificates which have been revoked, vs those which simply have unknown CAs or have expired.

I'll try to reproduce. For what it's worth, I use CACert certificates. My original was a wildcard for my domain, I revoked that and generated one for just specific hostnames in my domain.

(In reply to Mike from comment #1)
This is a valid complaint. In the meantime, can you check this addon: https://addons.mozilla.org/en-US/thunderbird/addon/certificate-patrol/

(In reply to Mike from comment #1)
> I'll try to reproduce. For what it's worth, I use CACert certificates. My
> original was a wildcard for my domain, I revoked that and generated one for
> just specific hostnames in my domain.

Did you reproduce?

(In reply to Ludovic Hirlimann [:Usul] from comment #3)
> Did you reproduce?

No, I haven't taken the time. It requires a live mailserver with a valid cert, then for that cert to be revoked, and a new account created. Doing the revocation properly is irritating, so I haven't done it.

Because of bug 739563, PSM will not call the bad cert listener for non-overridable certificate errors. Revoked certificates are one such case.

Once bug 739563 is fixed, then Thunderbird will show the cert override dialog box for revoked certificates, but the user will not actually be able to override the cert error, because revocation is a non-overridable error.

Depends on: 739563
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac OS X → All
Hardware: x86 → All
Version: 9 → Trunk
Summary: Issues creating accounts on servers with revoked SSL certificates → Incorrect Error message when using new account setup wizard to setup a server with self signed or revoked SSL certificates - bad cert listener is blocked
See Also: → 880320

I only want to say that I have the same issue.

It seems that it works, if the user does not enter a password, most likely 
because the verification then ignores some errors. I think I will try a patch
which disables password settings even if it is entered in the "wizard".

I will try to remove the password setting in file: 
mailnews/base/prefs/content/accountcreation/accountConfig.js

//if (password) {
//  account.incoming.password = password;
//  account.outgoing.password = password;
//}

At least if I do not enter a password the issue with the certificate
does not appear and the "verification" is happy too.

I have the same with TB Beta (33.0b1) - TB Stable (31.2.0) works great!! (this bug)


André Verwijs

TB 31.6.0

My certificate wasn't revoked but had expired and TB would give me connection and/or bad password errors in a couple places such as account create and first time checking messages instead of popping up a certificate warning and choice to accept the certificate or not check the account for email. Sorry I can't be more specific, but I noticed certificate errors in general are not shown to the user and when TB can't verify the cert things just fail and the user is left wondering why.

Actively revoked certificates are not overridable errors. https://searchfox.org/mozilla-central/rev/2c06b16a0c15ae340a0532e319cbf89ef9d21b68/security/manager/ssl/NSSErrorsService.cpp#136
The guessing process would not include them, and I don't think it should.

ATM we have bug 1681960 open to handle more cases with better feedback. I think we can close this bug now.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
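
The distinction this thread turns on (a certificate failure surfacing as "invalid password", and revocation being non-overridable) can be sketched as follows. This is an added example, not Thunderbird's code and not from any commenter; the function names and the set of codes treated as overridable are assumptions.

```python
import imaplib
import ssl

# OpenSSL X509_V_ERR_* verify codes. The thread states only that revocation
# is non-overridable; treating the codes below as overridable is an assumption.
CERT_REVOKED = 23
OVERRIDABLE = {
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "unknown issuer",
    62: "hostname mismatch",
}


def classify_cert_error(exc):
    """Map a verification failure to (kind, may_override, message)."""
    code = getattr(exc, "verify_code", None)
    if code == CERT_REVOKED:
        return ("cert", False, "certificate has been revoked")
    if code in OVERRIDABLE:
        return ("cert", True, OVERRIDABLE[code])
    # Unknown codes fail closed: still a certificate error, no override offered.
    return ("cert", False, f"certificate verification failed (code {code})")


def probe_account(connect, login):
    """Keep the TLS step and the login step apart so a certificate failure is
    never reported as a bad password. connect() returns a session."""
    try:
        session = connect()
    except ssl.SSLCertVerificationError as exc:
        return classify_cert_error(exc)
    except OSError as exc:  # other ssl.SSLError and socket-level failures
        return ("network", False, str(exc))
    try:
        login(session)
    except imaplib.IMAP4.error as exc:
        return ("auth", False, str(exc))
    return ("ok", False, "login succeeded")


def imaps_probe(host, user, password, port=993):
    """Real-network wrapper; host, user and password are caller-supplied."""
    ctx = ssl.create_default_context()
    return probe_account(
        lambda: imaplib.IMAP4_SSL(host, port, ssl_context=ctx),
        lambda s: s.login(user, password),
    )
```

Python's default context performs no revocation checking, so code 23 only appears when CRLs are loaded and `ssl.VERIFY_CRL_CHECK_LEAF` is set on the context.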