Closed
Bug 800876
Opened 13 years ago
Closed 8 years ago
Thunderbird 16.0.1 not recognizing cert
Categories
(Thunderbird :: Security, defect)
Tracking
(thunderbird17?)
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
thunderbird17 | ? | --- |
People
(Reporter: jwatt, Unassigned)
References
Details
(Keywords: regression, regressionwindow-wanted, Whiteboard: [regression:TB16?])
Attachments
(2 files)
I just updated to 16.0.1 and on restart I keep getting the dialog:
You are about to override how Thunderbird identifies this site.
...
blah, blah
...
Confirm Security Exception
every time TB tries to fetch my mail using POP from sub3.homie.mail.dreamhost.com:955 over SSL/TLS.
I've uninstalled and reinstalled the Dreamhost cert authority, making sure to allow it to identify sites and mail users:
http://wiki.dreamhost.com/NDN_Certificate
But still the mail server cert (which appears to originate with that cert authority cert) is not accepted by TB.
Updated•13 years ago
Keywords: regression, regressionwindow-wanted
Updated•13 years ago
tracking-thunderbird17: --- → ?
Comment 1•13 years ago
Works fine on 15.0.1. Testing 16.0.1...
Comment 2•13 years ago
I installed 16.0.1 on linux on a test user (so I didn't update, I directly installed) and configured my dreamhost account. I had to confirm the security exception once, but otherwise setting up the account was done actually with email address and password alone. I haven't seen the error you describe using IMAP. I have it all set up. Is there anything else I can test for you guys?
Reporter
Comment 3•13 years ago
Hi Miquel. It's not IMAP, but rather POP3 that I have problems with. (Actually, IMAP may be a problem too, but I haven't got as far as trying that just yet.)
Regarding your testing, yes, after accepting the certificate in 16.0.1 you won't be prompted to again. The issue is that you shouldn't be prompted to accept it at all.
Can you try this:
Delete your Thunderbird profile and delete Thunderbird 16.0.1. Install 15.0.1 instead, and install the certificate authority cert as detailed on the wiki page linked to in comment 0. Now create your test email account in Thunderbird and try to check your mail over POP3 with SSL/TLS. Do you get prompted now? If so, accept the certificate. Next, update to 16.0.1 and try checking your email again. Do you get prompted now?
Reporter
Comment 4•13 years ago
To be clear, what is primarily of interest here is whether a cert that is installed and accepted in a Thunderbird profile in 15 stops being accepted when you install 16 and use it with that same TB account.
Comment 5•13 years ago
From http://wiki.dreamhost.com/NDN_Certificate:
"Not quite standards compliant
Now, however some astute readers have alerted me to the fact that this new certificate isn’t actually X.509 specification compliant. We’re going to stick with it, since it does help a subset of our users, and will consider some alternatives for the future!"
Comment 6•13 years ago
Jwatt, could you try with a new profile?
Comment 7•13 years ago
Hi,
This is not happening to me when upgrading a functional imaps config with dreamhost from Thunderbird 15.0.1 to 16.0.1 with OSX 10.8.2
Comment 8•13 years ago
I wonder if this isn't the same that I reported as https://bugs.launchpad.net/thunderbird/+bug/1066585 Sounds a lot like it, 15 worked fine and 16 drops the ball.
Updated•13 years ago
See Also: → https://launchpad.net/bugs/1066585
Happening here; the issue is not that I can't work around it with a security exception, but that it should not require a security exception. The remote server is presenting a valid certificate signed by a CA certificate I have installed, there is no security exception to be made. I'm certainly not about to start adding invalid security exceptions!
Have downgraded to 15 to work-around for now.
Comment 10•13 years ago
Can someone chase the regression window for those of you who have and see the issue?
Comment 11•13 years ago
Comment 12•13 years ago
Comment 13•13 years ago
I've added screenshots of the confirmation requests I get for the dreamhost certificate. I _do not know_ if this is the problem you are all referring to.
My domain name is mail.miquelmartin.org and I'm using the default SSL support from dreamhost, which means the certificate I get from them has a CN of *.mail.dreamhost.com.
Naturally, mail.miquelmartin.org is not included in *.mail.dreamhost.com, so I rightfully get a "Wrong Site" warning which I have to confirm.
This is _not_ a bug, though. Maybe I'm looking at the wrong stuff.
Comment 14•13 years ago
*.mail.dreamhost.com has md5 as signature algorithm. Maybe OP got hit by https://bugzilla.mozilla.org/show_bug.cgi?id=650355 ?
Comment 15•13 years ago
After the change from md5 to sha1 as signature algorithm in my CA certificate, the TB problems with certificates signed by my CA have gone.
Comment 16•13 years ago
Jwatt, does it solve it for you too?
Comment 17•13 years ago
How do I check and change the signature algorithm for an existing certificate?
Comment 18•13 years ago
You can't. The CA should reissue the certificate with sha1 instead of md5.
Comment 19•13 years ago
#18, thank you for your comment. The first step would be to verify that indeed certificate X uses md5, no? How did you do this in comment #14?
Flags: needinfo?(bugzillamozilla)
Comment 20•13 years ago
(In reply to Rolf Leggewie from comment #19)
> #18, thank you for your comment. The first step would be to verify that
> indeed certificate X uses md5, no? How did you do this in comment #14?
See bug 802699 comment 2 (https://bugzilla.mozilla.org/show_bug.cgi?id=802699#c2) for the step-by-step instructions for how to do this. Let me know if you have trouble.
Comment 21•12 years ago
bsmith said how you can verify if the certificate uses md5 or sha1. A change to sha1 should do the trick and the problem will be solved.
Flags: needinfo?(bugzillamozilla)
Comment 22•12 years ago
I am still affected by this problem in TB17 and going by #20 the certificate I use is not md5: PKCS #1 SHA-1 With RSA Encryption
Ludovic, how can I provide the information you were requesting?
Flags: needinfo?(ludovic)
Comment 23•12 years ago
(In reply to Rolf Leggewie from comment #22)
> I am still affected by this problem in TB17 and going by #20 the certificate
> I use is not md5: PKCS #1 SHA-1 With RSA Encryption
>
> Ludovic, how can I provide the information you were requesting?
for the regression window see http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-manual-binary-search/
sorry for the delay, the email got lost somehow.
Flags: needinfo?(ludovic)
Comment 24•9 years ago
Is this still an issue?
If not, please post to let us know so we can close
If it is, please see ...
(In reply to Ludovic Hirlimann [:Usul] from comment #23)
> (In reply to Rolf Leggewie from comment #22)
> > I am still affected by this problem in TB17 and going by #20 the certificate
> > I use is not md5: PKCS #1 SHA-1 With RSA Encryption
> >
> > Ludovic, how can I provide the information you were requesting?
>
> for the regression window see
> http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-manual-binary-search/
>
> sorry for the delay the email got lost somehow.
Flags: needinfo?(bugzilla)
Flags: needinfo?(bugzilla.mozilla.org)
Whiteboard: [regression:TB16?]
Comment 25•9 years ago
I will test this in the next few days and report back
Comment 26•8 years ago
I believe secure communication has been working fine for me
Flags: needinfo?(bugzilla.mozilla.org)
Comment 27•8 years ago
Thanks for checking
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(bugzilla)
Resolution: --- → WORKSFORME