Open Bug 773078 Opened 12 years ago Updated 2 years ago

Thunderbird gives no error message when OCSP query fails

Categories

(Thunderbird :: Security, defect)

13 Branch
defect

Tracking

(Not tracked)

People

(Reporter: m, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11

Steps to reproduce:

For two days I have noticed that I could not connect to my mail server anymore. The server uses a StartSSL certificate and it seems that StartSSL does not answer OCSP queries at present.
My client is configured to do OCSP validation and to consider the certificate as invalid when the OCSP query fails.


Actual results:

Thunderbird seems to try to connect to the mail server for about 20 seconds. After this time it just looks as if I had never tried to fetch my mail from the server. The status bar at the bottom becomes empty.


Expected results:

I would have expected that I get an error message. That message should tell me that the OCSP query to the CA has failed, and that the certificate is considered invalid because of that.
Because Thunderbird does not tell me what is going on, I had no clue at the beginning why I don't get any new mail. If I had not known that there is new e-mail in my INBOX, I could even have concluded that I do not get any mail.
Component: Mail Window Front End → Security
Matthias,

Thanks for the report. When you say it seems to try to connect, can you tell if Thunderbird is actually contacting the remote server, or just silently failing on the cert?
Yes it connects to my mail server. I can see this in the log files of the server:

Jul 11 22:30:13 eder imapd: Connection, ip=[2001:6f8:117d:0:226:8ff:fedb:d968]
Jul 11 22:30:24 eder imapd: couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Jul 11 22:30:24 eder imapd: Disconnected, ip=[2001:6f8:117d:0:226:8ff:fedb:d968], time=11, starttls=1

The starttls=1 in the logs even confirms that the client started to send commands to the server. But when the client got the server's certificate it tried to check whether the certificate is revoked by querying the OCSP responder of the CA that signed the certificate.
As StartSSL's OCSP responder was down, it rejected the certificate and considered the certificate to be invalid. (That's also what I configured in the OCSP settings of Thunderbird.)
That Thunderbird rejected the certificate can also be seen in the second line of the log file quote: "alert bad certificate" is an SSL message that my server received from the client.

I think it's completely correct that Thunderbird rejected the certificate. That's what I want it to do if it cannot verify the state of the certificate using the OCSP protocol. What I consider a bug is that Thunderbird does not inform me that it rejected the certificate.

The only thing I see in the GUI of Thunderbird is the following:
- I click on "Receive" (left-most button in the tool bar)
- The icon in the tab changes from a folder to a rotating spinner (that's when I get the first log message in the mail server's log, that there is a new connection)
- In the status bar of Thunderbird it tells me that it is connecting to the server, that it's getting the server's capabilities and so on
- The spinner keeps spinning for some seconds
- The spinner vanishes in the tab and I get back the folder, the status bar is getting empty (that is when I get the second and third log message in my mail server, telling me that the client rejected the server's certificate and that it disconnected)

Thunderbird neither tells me that the OCSP query failed nor that it considers the certificate invalid (because of this).
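The three log lines quoted in this comment are the only trace this failure mode leaves: the client completes STARTTLS, receives the server certificate, cannot validate it, and answers with a TLS "bad certificate" alert before disconnecting. As an added example (it is not part of the bug report, and it is not Thunderbird or Courier code), here is a small Python script that reads courier-imapd log lines of that shape, pairs each client-sent TLS alert with the Disconnected line that follows it, and reports the sessions in which a client rejected the server certificate after STARTTLS. The sample log is constructed: its first three lines are the ones quoted above, the other two sessions (a clean one and a second rejection from another address) are made up for contrast, and the `Rejection` type and function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The first three lines are the courier-imapd lines
# quoted in the bug report; the remaining two sessions are made up: one client
# that completed STARTTLS and disconnected normally, and a second client that
# rejected the certificate the same way.
SAMPLE_LOG = """\
Jul 11 22:30:13 eder imapd: Connection, ip=[2001:6f8:117d:0:226:8ff:fedb:d968]
Jul 11 22:30:24 eder imapd: couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Jul 11 22:30:24 eder imapd: Disconnected, ip=[2001:6f8:117d:0:226:8ff:fedb:d968], time=11, starttls=1
Jul 11 22:31:02 eder imapd: Connection, ip=[192.0.2.10]
Jul 11 22:35:40 eder imapd: Disconnected, ip=[192.0.2.10], time=278, starttls=1
Jul 11 22:36:01 eder imapd: Connection, ip=[192.0.2.11]
Jul 11 22:36:12 eder imapd: couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Jul 11 22:36:12 eder imapd: Disconnected, ip=[192.0.2.11], time=11, starttls=1
"""

# Syslog-style prefix: "Mon DD HH:MM:SS host imapd: ..."
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ imapd: Connection, ip=\[(?P<ip>[^\]]+)\]$")
# OpenSSL error string as courier logs it; the alert name is the tail of the line.
ALERT_RE = re.compile(
    r"imapd: couriertls: read: error:(?P<code>[0-9A-Fa-f]+):.*?\balert (?P<alert>[a-z ]+)$")
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ imapd: Disconnected, ip=\[(?P<ip>[^\]]+)\], "
    r"time=(?P<secs>\d+), starttls=(?P<starttls>[01])$")


@dataclass
class Rejection:
    """One session in which the client sent a TLS alert and then disconnected."""
    ip: str
    connected_at: str
    disconnected_at: str
    seconds: int
    alert: str
    openssl_code: str


def find_client_rejections(log_text):
    """Return one Rejection per session where the server received a TLS alert
    from the client and then logged that client's disconnect.

    Courier's alert line carries no client address, so the alert is attributed
    to the next Disconnected line. That is exact for the single sequential
    session in the bug report and a heuristic on a busy server whose sessions
    interleave (a process id in the log prefix would make it exact).
    """
    open_sessions = {}    # ip -> timestamp of its Connection line
    pending_alert = None  # (alert text, OpenSSL error code) awaiting its Disconnected line
    rejections = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            open_sessions[m["ip"]] = m["ts"]
            continue
        m = ALERT_RE.search(line)
        if m:
            pending_alert = (m["alert"].strip(), m["code"])
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            connected_at = open_sessions.pop(m["ip"], "?")
            # Only a session that reached STARTTLS can have rejected the certificate.
            if pending_alert is not None and m["starttls"] == "1":
                alert, code = pending_alert
                rejections.append(Rejection(m["ip"], connected_at, m["ts"],
                                            int(m["secs"]), alert, code))
            pending_alert = None
    return rejections


def summarize(rejections):
    """Count distinct client addresses per alert type.

    Several different clients sending 'bad certificate' in the same period,
    while the certificate itself is unchanged and valid, is the server-side
    signature of the situation in this bug: clients cannot complete
    revocation checking, not a single misconfigured client.
    """
    by_alert = {}
    for r in rejections:
        by_alert.setdefault(r.alert, set()).add(r.ip)
    return {alert: len(ips) for alert, ips in by_alert.items()}


if __name__ == "__main__":
    found = find_client_rejections(SAMPLE_LOG)
    for r in found:
        print(f"{r.ip}: client sent TLS alert '{r.alert}' {r.seconds}s after connecting "
              f"(OpenSSL error {r.openssl_code}); server certificate rejected client-side")
    print(summarize(found))
```

Run against a real courier log (`python3 script.py < /var/log/maillog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the script turns the silent client-side failure into something an administrator can see and count, which is exactly the information the Thunderbird user in this report had no way to get.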
(In reply to Matthias Wimmer from comment #2)

> I think it's completely correct that Thunderbird rejected the certificate.
> That's what I want it to do, if it cannot verify the state of the
> certificate using the OCSP protocol. What I consider a bug is, that
> Thunderbird does not inform me, that it rejected the certificate.

You're totally right. I'm actually on the Security team, not the Thunderbird dev team, so that's what I was hoping to confirm. Thanks for the helpful report and diagnostics!
Is there a more appropriate routing for this bug so that it gets picked up by somebody?

I keep hitting this frustrating issue when trying to send outbound SMTP/TLS, where I have checked "when an OCSP server connection fails, treat the certificate as invalid" and the OCSP server isn't responding.  I get a generic "Thunderbird has failed to send the message" dialog, which doesn't let me know whether OCSP timeout was the cause or if the server connection is otherwise failing.  I have to resort to Wireshark to troubleshoot what's actually going on.
Confirming that this is still a problem, I noticed it in 24.5.0 on Windows and OpenBSD and spent half the day diagnosing what I thought was either a broken CA-signed certificate or a bug in the SSL library on the mail server.

With SMTP+TLS at least it displays a failure message of some kind, even if it's a bit misleading, with IMAP+TLS Thunderbird just silently doesn't load the mailbox. For the typical user without access to mail server debug logs, there is basically no way to diagnose this failure mode.
Reporter,
Did you look in the error console?
See also the lack of notification on a failed cert, when viewing a remote image.
bug 1007646
Joe,

I can't check the error console until I have another certificate to get signed to test with - the one I was using was added to the CA's OCSP server shortly after I worked out what was going on (and while I know how to set up a basic private CA for testing, I don't know where I'd start to set up a test OCSP responder).
There is nothing in the error console when this error occurs.
I was affected by this as well, in Thunderbird 31.4.0. I confirm that nothing shows up in the error console, and similar messages do in the IMAP server’s logs. The root cause is bug 1006479, but Thunderbird should be better at reporting the error to the user. When the same certificate (recently issued by StartSSL, that the OCSP server doesn’t know about yet) is used for HTTPS, Firefox does show an error message.
OS: Mac OS X → All
Hardware: x86 → All
In bug 1119529 we hope to add a C++-accessible method to log errors to console. At the very least, this issue should generate a message to the error log so that sophisticated users could diagnose their problem without resorting to wireshark.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Problem still exists in Thunderbird 31.6.0. What is really annoying is the fact that Thunderbird gives the user no hint ANYWHERE that something is going wrong: NOT in the GUI, NOT in the Error Console, and NOT even in the debugging output using NSPR_LOG_MODULES.
Severity: normal → S3