No Support for XMPP Self Signed Certificate

RESOLVED FIXED in Thunderbird 29.0

Status

Thunderbird
Instant Messaging
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: asai, Assigned: clokep)

Tracking

17 Branch
Thunderbird 29.0

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 obsolete attachment)

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

In Instantbird there is a configuration setting which can turn off certificate checks, as in the case of self-signed certs.  This doesn't seem to be present in Thunderbird's implementation.


Actual results:

Tried to set up an account to XMPP server with self-signed cert.  It won't connect.


Expected results:

Should have connected.

Comment 1

6 years ago
I suppose the setting will also make TB connect with a server with an expired certificate, which is probably the issue I have. (I do not see any error but 'the server disconnected', it would help if a detailed description would be added to the TB error console.)

Comment 2

6 years ago
I agree, disabling certificate verification altogether would throw away almost all of the protection you get from having an encrypted connection.

Really, the correct solution would be to import the certificate.  I imported my server's certificate and got the same problem.  That may be due to the fact that I didn't import the CA certificate along with it.

So if the reason that the application isn't connecting is due to an unrecognized server certificate, then the actual bug here is that the error message is incorrect.

It would also be good if the certificate could be imported from the certificates dialog by URL (same as it does for HTTPS urls).

With that said, in my case the connection attempt simply fails with "Server closed connection".  I tried importing my server's certificate and got the same behavior.

Comment 3

6 years ago
I would say that to not add discrepancies, and to still give the best options for the user, the most straight forward way would be to do the same as for regular email accounts where the certificates aren't what they should, even reusing the same dialog.

That dialog allows you, as far as I can remember (was a few months since I saw it last time), to disregard that the certificate does not seem to be all right, have a look at the certificate to verify it "manually" yourself, or to simply not connect at all.
Hi,

i seem to have the same trouble : connecting with TB make me unable to connect to eJabberd, but when using Pidgin, it works.
Also when using no encryption, it use TLS.

http://pastebin.com/eNrcs6tG (when login in with TB).

i also have wireshark capture with both TB and pidgin.

PS : self signed certificate, when installing ejabber with apt-get.
Created attachment 656407 [details]
must_delete

Updated

6 years ago
Attachment #656407 - Attachment description: capture login with thunderbird → must_delete
Attachment #656407 - Attachment is obsolete: true
(In reply to bosco from comment #5)
> Created attachment 656407 [details]
> must_delete

Do you want the attachement to not be visible ?
attachement is a wireshark capure, and not shown as a downloadable file here. So it's useless ;)
(Assignee)

Comment 8

6 years ago
(In reply to bosco from comment #4)
> i seem to have the same trouble : connecting with TB make me unable to
> connect to eJabberd, but when using Pidgin, it works.
Pidgin doesn't check certs AFAIK: http://lxr.instantbird.org/pidgin2.6.3/source/libpurple/plugins/ssl/ssl-nss.c#159

(In reply to Patrik Thunström from comment #3)
> I would say that to not add discrepancies, and to still give the best
> options for the user, the most straight forward way would be to do the same
> as for regular email accounts where the certificates aren't what they
> should, even reusing the same dialog.
Right, that's the idea behind https://bugzilla.instantbird.org/show_bug.cgi?id=1100, but no one has had time/interest to work on it. That also has the workarounds suggested in here: import the cert manually or disabling cert checking. (I wouldn't recommend the latter.)
Depends on: 792046
(Reporter)

Comment 9

5 years ago
If I may chime in here, I thought Instantbird already had a mechanism whereby you could disable cert checking.  Isn't the TB chat build on top of the Instantbird code?  If so, can't you just turn off cert checking?  There are many use cases where self-signed certs are used within organizations that don't want to be bothered with purchasing a cert.  Disabling cert checking would be a very simple way to solve this problem for the admin who knows what they're doing.
(Assignee)

Comment 10

5 years ago
(In reply to asai from comment #9)
> If I may chime in here, I thought Instantbird already had a mechanism
> whereby you could disable cert checking.  Isn't the TB chat build on top of
> the Instantbird code?
Yes, but Instantbird uses libpurple for it's XMPP code because there isn't support for DNS SRV yet in Thunderbird.

> If so, can't you just turn off cert checking?  There
> are many use cases where self-signed certs are used within organizations
> that don't want to be bothered with purchasing a cert.  Disabling cert
> checking would be a very simple way to solve this problem for the admin who
> knows what they're doing.
The appropriate solution is to pop up the cert UI that Firefox/Thunderbird uses. This is much more reasonable than totally disabling cert checking.
(In reply to asai from comment #9)
> Disabling cert
> checking would be a very simple way to solve this problem for the admin who
> knows what they're doing.

The admin who "knows what they're doing" doesn't want to disable cert checking, they want to import the self-signed certificate that they want to trust (and that's already possible; just not as easy as we would like).

Comment 12

5 years ago
hi, you an try this problem to connect to chatme.im XMPP server
This issue prevents me from using the jabberpl.org server correctly.

Why is this unconfirmed yet? Still happens in Thunderbird 17.0.2.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

5 years ago
OS: Windows 7 → All
Hardware: x86_64 → All
Version: 15 → 17
(In reply to Radosław Szkodziński from comment #13)
> This issue prevents me from using the jabberpl.org server correctly.

It shouldn't prevent you from connecting, it just makes it a little bit more painful.

> Why is this unconfirmed yet? Still happens in Thunderbird 17.0.2.

The real work to improve the situation here is happening in https://bugzilla.instantbird.org/show_bug.cgi?id=1100
That server requires TLS, this is why it's preventing usage..

Added the depend.
Depends on: 1100
No longer depends on: 792046
Ah, sorry, seems instantbird isn't tracked here. Sorry about the spam.
No longer depends on: 1100
(Assignee)

Comment 17

5 years ago
This is already fixed in Instantbird nightlies [1] and should be included in the next uplift, it will require some changes to the Thunderbird account UI (to match the Instantbird changes).
(Assignee)

Updated

5 years ago
Duplicate of this bug: 862318

Comment 19

5 years ago
Is there ongoing work on this bug? 
I can't connect to my own prosody XMPP server from TB (self-signed certificate). In the mean time pidgin is a decent fallback, but is there any chance this could be fixed?

I expect being able to add an exception when TB's XMPP client encounters a self-signed certificate, is this what this bug is about?

Thanks
(Assignee)

Comment 20

5 years ago
(In reply to nodiscc from comment #19)
> Is there ongoing work on this bug?
As comment 17 says, this is supported in the newest chat/ backend, but has not yet been synchronized with Thunderbird yet. Once that's done, some minor updates to the interface will be required.

> I can't connect to my own prosody XMPP server from TB (self-signed
> certificate).
You can always just import the certificate:
(In reply to https://bugzilla.instantbird.org/show_bug.cgi?id=1100#c3)
> You can do this in Preferences -> Advanced -> Encryption -> View
> Certificates by selecting the right tab (Server or Authority, usually) and
> clicking "Import".

> but is there any chance this could be fixed?
Yes, this will be fixed.

> I expect being able to add an exception when TB's XMPP client encounters a
> self-signed certificate, is this what this bug is about?
Yes.
(Assignee)

Comment 21

4 years ago
This will be ported in bug 920801.
Depends on: 920801
(Assignee)

Updated

4 years ago
Duplicate of this bug: 952829
(Assignee)

Comment 23

4 years ago
This was fixed as part of bug 920801.
Assignee: nobody → clokep
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 29.0
You need to log in before you can comment on or make changes to this bug.