Thunderbird 16.0.1 not recognizing cert

RESOLVED WORKSFORME

Status

RESOLVED WORKSFORME
6 years ago
a year ago

People

(Reporter: jwatt, Unassigned)

Tracking

({regression, regressionwindow-wanted})

unspecified
x86
Mac OS X

Thunderbird Tracking Flags

(thunderbird17?)

Details

(Whiteboard: [regression:TB16?])

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
I just updated to 16.0.1 and on restart I keep getting the dialog:

  You are about to override how Thunderbird identifies this site.
  ...
  blah, blah
  ...
  Confirm Security Exception

every time TB tries to fetch my mail using POP from sub3.homie.mail.dreamhost.com:955 over SSL/TLS.

I've uninstalled and reinstalled the Dreamhost cert authority, making sure to allow it to identify sites and mail users:

http://wiki.dreamhost.com/NDN_Certificate

But still the mail server cert (which appears to originate with that cert authority cert) is not accepted by TB.
Keywords: regression, regressionwindow-wanted
tracking-thunderbird17: --- → ?

Comment 1

6 years ago
Works fine on 15.0.1. Testing 16.0.1...

Comment 2

6 years ago
I installed 16.0.1 on linux on a test user (so I didn't update, I directly installed) and configured my dreamhost account. I had to confirm the security exception once, but otherwise setting up the account was done actually with email address and password alone. I haven't seen the error you describe using IMAP. I have it all set up. Is there anything else I can test for you guys?
(Reporter)

Comment 3

6 years ago
Hi Miquel. It's not IMAP, but rather POP3 that I have a problem with. (Actually, IMAP may be a problem too, but I haven't got as far as trying that just yet.)

Regarding your testing, yes, after accepting the certificate in 16.0.1 you won't be prompted to again. The issue is that you shouldn't be prompted to accept it at all.

Can you try this:

Delete your Thunderbird profile and delete Thunderbird 16.0.1. Install 15.0.1 instead, and install the certificate authority cert as detailed on the wiki page linked to in comment 0. Now create your test email account in Thunderbird and try to check your mail over POP3 with SSL/TLS. Do you get prompted now? If so, accept the certificate. Next, update to 16.0.1 and try checking your email again. Do you get prompted now?
(Reporter)

Comment 4

6 years ago
To be clear, what is primarily of interest here is whether a cert that is installed and accepted in a Thunderbird profile in 15 stops being accepted when you install 16 and use it with that same TB account.
From http://wiki.dreamhost.com/NDN_Certificate:

"Not quite standards compliant

Now, however some astute readers have alerted me to the fact that this new certificate isn’t actually X.509 specification compliant. We’re going to stick with it, since it does help a subset of our users, and will consider some alternatives for the future!"
Jwatt, could you try with a new profile?

Comment 7

6 years ago
Hi,
This is not happening to me when upgrading a functional imaps config with dreamhost from Thunderbird 15.0.1 to 16.0.1 with OSX 10.8.2

Comment 8

6 years ago
I wonder if this isn't the same that I reported as https://bugs.launchpad.net/thunderbird/+bug/1066585  Sounds a lot like it, 15 worked fine and 16 drops the ball.

Updated

6 years ago

Comment 9

6 years ago
Happening here; the issue is not that I can't work around it with a security exception, but that it should not require a security exception. The remote server is presenting a valid certificate signed by a CA certificate I have installed, there is no security exception to be made. I'm certainly not about to start adding invalid security exceptions!

Have downgraded to 15 to work around for now.
Can someone chase the regression window for those of you who have and see the issue?

Comment 11

6 years ago
Created attachment 672204 [details]
The certificate confirmation I get

Comment 12

6 years ago
Created attachment 672205 [details]
The certificate for which confirmation is requested

Comment 13

6 years ago
I've added screenshots of the confirmation requests I get for the dreamhost certificate. I _do not know_ if this is the problem you are all referring to.

My domain name is mail.miquelmartin.org and I'm using the default SSL support from dreamhost, which means the certificate I get from them has a CN of *.mail.dreamhost.com.

Naturally, mail.miquelmartin.org is not included in *.mail.dreamhost.com, so I rightfully get a "Wrong Site" warning which I have to confirm.

This is _not_ a bug, though. Maybe I'm looking at the wrong stuff.
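
The name check behind the "Wrong Site" warning in comment 13, as an added example (not code from this bug or from Thunderbird). It follows the RFC 6125 wildcard rule and takes a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample dict are this example's own, and only the CN value comes from the comment.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, hostname):
    """Match one certificate DNS name against the host the client asked for.

    A '*' is honoured only as the whole left-most label and stands for
    exactly one label, which is the rule RFC 6125 describes.
    """
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host) or "" in host:
        return False
    if pat[0] == "*":
        return pat[1:] == host[1:]
    return pat == host

def presented_names(cert):
    """DNS names from a getpeercert()-style dict.

    subjectAltName dNSName entries win; the subject CN is only a fallback.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def wrong_site(cert, hostname):
    """True when no presented name covers hostname (the "Wrong Site" case)."""
    return not any(name_matches(n, hostname) for n in presented_names(cert))

# Constructed sample: only the CN value is taken from comment 13.
SHARED_CERT = {"subject": ((("commonName", "*.mail.dreamhost.com"),),)}
```

A name mismatch of this kind is independent of whether the issuing CA is trusted, so installing the CA certificate does not remove it.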

Comment 14

6 years ago
*.mail.dreamhost.com has md5 as signature algorithm. Maybe OP got hit by https://bugzilla.mozilla.org/show_bug.cgi?id=650355 ?

Comment 15

6 years ago
After changing from md5 to sha1 as the signature algorithm in my CA certificate, the TB problems with certificates signed by my CA have gone.
Jwatt, does it solve it for you too?

Comment 17

6 years ago
How do I check and change the signature algorithm for an existing certificate?

Comment 18

6 years ago
You can't. The CA should reissue the certificate with sha1 instead of md5.

Comment 19

6 years ago
#18, thank you for your comment.  The first step would be to verify that indeed certificate X uses md5, no? How did you do this in comment #14?
Flags: needinfo?(bugzillamozilla)
(In reply to Rolf Leggewie from comment #19)
> #18, thank you for your comment.  The first step would be to verify that
> indeed certificate X uses md5, no? How did you do this in comment #14?

See bug 802699 comment 2 (https://bugzilla.mozilla.org/show_bug.cgi?id=802699#c2) for the step-by-step instructions for how to do this. Let me know if you have trouble.

Comment 21

6 years ago
bsmith said how you can verify whether a certificate uses md5 or sha1. Changing to sha1 should do the trick and the problem will be solved.
Flags: needinfo?(bugzillamozilla)

Comment 22

6 years ago
I am still affected by this problem in TB17 and going by #20 the certificate I use is not md5: PKCS #1 SHA-1 With RSA Encryption

Ludovic, how can I provide the information you were requesting?
Flags: needinfo?(ludovic)
(In reply to Rolf Leggewie from comment #22)
> I am still affected by this problem in TB17 and going by #20 the certificate
> I use is not md5: PKCS #1 SHA-1 With RSA Encryption
> 
> Ludovic, how can I provide the information you were requesting?

For the regression window, see http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-manual-binary-search/

Sorry for the delay; the email got lost somehow.
Flags: needinfo?(ludovic)

Comment 24

3 years ago
Is this still an issue? 
If not, please post to let us know so we can close
If it is, please see ...

(In reply to Ludovic Hirlimann [:Usul] from comment #23)
> (In reply to Rolf Leggewie from comment #22)
> > I am still affected by this problem in TB17 and going by #20 the certificate
> > I use is not md5: PKCS #1 SHA-1 With RSA Encryption
> > 
> > Ludovic, how can I provide the information you were requesting?
> 
> for the regression window see
> http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-manual-binary-search/
> 
> sorry for the delay the email got lost somehow.
Flags: needinfo?(bugzilla)
Flags: needinfo?(bugzilla.mozilla.org)
Whiteboard: [regression:TB16?]

Comment 25

3 years ago
I will test this in the next few days and report back

Comment 26

a year ago
I believe secure communication has been working fine for me
Flags: needinfo?(bugzilla.mozilla.org)
Thanks for checking
Status: NEW → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(bugzilla)
Resolution: --- → WORKSFORME