Closed Bug 802699 Opened 12 years ago Closed 12 years ago

SSL certificate no longer trusted

Categories

(Thunderbird :: Security, defect)

16 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: buchholz, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121010144125

Steps to reproduce:

Upgraded from 15.0.1 to 16.0 (and/or 16.0.1).

Actual results:

When connecting to mail server I am now presented with an "Add Security Exception" window. Contents read:

You are about to override how Thunderbird identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.
Server Location: xxxx.xxxxx.com:993
Certificate Status
This site attempts to identify itself with invalid information.
Unknown Identity
Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.

Expected results:

The system should've connected without warning.

Setup
(1) Server is Dovecot server with certificate issued by in-house CA.
(2) Connections are via SSL-secured IMAP and/or POP3 (ports 993 and 995).
(3) CA's certificate is loaded in "Authorities" list.
(4) Setup has worked since 2011 with Thunderbird versions 6.x - 15.0.1, and is still working with Outlook (versions 2003, 2007, and 2010), iPhone mail clients, Android K-9 mail client, ...
(5) Uninstalling 16.x and re-installing 15.0.1 resolves the problem.

Apparently the user base is just blindly clicking on "Permanently store this exception" ...
Please open about:config in Thunderbird: http://kb.mozillazine.org/About:config#Opening_about:config

and change "security.enable_md5_signatures" from "false" to "true".

MD5 is no longer accepted as hash algorithm (bug 650355). Is it possibly your issue with your CA certificate?
(In reply to Matthias Versen (Matti) from comment #1)
> Please open about:config in Thunderbird:
> http://kb.mozillazine.org/About:config#Opening_about:config
>
> and change "security.enable_md5_signatures" from "false" to "true"
>
> MD5 is no longer accepted as hash algorithm (bug 650355). Is it possibly your
> issue with your CA certificate?

It is OK to test out setting security.enable_md5_signatures = false. However, if this "solves" the problem, it means that the server is using a certificate that is not secure, and for security reasons the certificate needs to be replaced. We should make sure we advise users about this when we ask them to test out the security.enable_md5_signatures setting.

Another way to see if the certificate is using MD5 is to:
1. Click the "View Certificate" button.
2. Go to the Details tab.
3. Scroll down the "Certificate Fields" tree to the end.
4. Click on "Certificate Signature Algorithm".

The "Field value" box should say one of the following:
* PKCS #1 SHA-1 With RSA Encryption (this is most likely)
* PKCS #1 SHA-256 With RSA Encryption
* PKCS #1 SHA-384 With RSA Encryption
* PKCS #1 SHA-512 With RSA Encryption

If the "Field Value" box instead says:
* PKCS #1 MD5 With RSA Encryption
then the server's certificate should be replaced.
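The UI check in the comment above works for one certificate at a time. For an admin who wants to audit a whole CA store or a batch of server certificates for MD5 signatures, the following added example (not code from this bug, from Thunderbird, or from Mozilla) walks the DER structure of an X.509 certificate with the Python standard library only and reports the outer signatureAlgorithm OID, mapping it to the same PKCS #1 names Thunderbird shows in the "Field value" box. The certificate bytes it runs on in the demo are a constructed skeleton built by `make_stub_cert` (assumed helper, not a real or verifiable certificate); the same `signature_algorithm` function accepts any real DER or PEM certificate.

```python
"""Report the signature algorithm of a DER/PEM X.509 certificate.

Added example, not from the bug report or from Thunderbird. Parses only
the outer Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue } and decodes the AlgorithmIdentifier OID. The demo input
is a constructed stub, not a real certificate.
"""
import base64
import sys

# OID -> the label Thunderbird shows under "Certificate Signature Algorithm"
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "PKCS #1 MD5 With RSA Encryption",
    "1.2.840.113549.1.1.5": "PKCS #1 SHA-1 With RSA Encryption",
    "1.2.840.113549.1.1.11": "PKCS #1 SHA-256 With RSA Encryption",
    "1.2.840.113549.1.1.12": "PKCS #1 SHA-384 With RSA Encryption",
    "1.2.840.113549.1.1.13": "PKCS #1 SHA-512 With RSA Encryption",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4"}  # md5WithRSAEncryption


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content bytes (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip PEM armour and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def to_pem(der):
    """Inverse of pem_to_der, used by the demo and the tests."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(cert_bytes):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    der = pem_to_der(cert_bytes.decode()) if cert_bytes.startswith(b"-----") else cert_bytes
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a certificate?)")
    _, _tbs, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)     # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown (" + oid + ")")


def is_weak_signature(cert_bytes):
    """True when the certificate is signed with an algorithm TB 16 rejects."""
    return signature_algorithm(cert_bytes)[0] in WEAK_SIG_ALGS


# --- constructed test input (assumed helpers, not a real certificate) -------
def _tlv(tag, value):
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def make_stub_cert(sig_oid):
    """Certificate-shaped DER with the given signature OID; not verifiable."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                         # stub tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)                      # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python check_sig_alg.py [cert.pem|cert.der ...]; no args runs the demo
    inputs = [open(p, "rb").read() for p in sys.argv[1:]] or [
        make_stub_cert("1.2.840.113549.1.1.4"), make_stub_cert("1.2.840.113549.1.1.11")]
    for data in inputs:
        oid, name = signature_algorithm(data)
        print(("REPLACE  " if oid in WEAK_SIG_ALGS else "ok       ") + name)
```

Run it over the CA certificate and the server certificates exported from the "Authorities" and "Servers" tabs (PEM or DER); any line marked REPLACE is a certificate that Thunderbird 16 will refuse regardless of the in-house CA being trusted, and flipping security.enable_md5_signatures only hides that.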
The CA Certificate uses an MD5 hash. Changing "security.enable_md5_signatures" to "true" solved the immediate problem. New CA Certificates (using a secure hash) will be issued to the user base soon. Sorry about the false alarm. Thanks for the help.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID