Open Bug 803975 Opened 8 years ago Updated 4 years ago

Thunderbird promises to remember certificate selection, but doesn't

Categories

(Thunderbird :: Security, defect)

15 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

REOPENED

People

(Reporter: tlhackque, Unassigned)

References

Details

(Whiteboard: dupme)

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPDTDF; .NET4.0C; .NET4.0E)

Steps to reproduce:

Open TB and let it connect to IMAP servers that request a client X.509 certificate.   (I have several valid client certificates installed, though not all work with all servers.  I also use several servers.)

Under "Options->Advanced->Certificates", I have "ask me every time" selected, because the servers don't all send accurate "acceptable CAs" lists with their requests.



Actual results:

TB asks which certificate should be sent.  In some cases, I select a certificate for that server.  In others, I don't want a certificate sent, so I click Cancel.   (The server doesn't like the ones I have, but doesn't insist on receiving one).

In all cases, I check the "Remember this decision box".

TB does what it's told, BUT the next time I open TB, I get the certificate selection dialog again for each server.


Expected results:

a) TB should have remembered my choice -- including the "Cancel" choice to send no certificate -- across TB sessions.  An explicit "remember this decision for this server" checkbox should take priority over a general "ask every time".

b) It might be clearer if the dialog had an explicit "Don't send a certificate to this server" option, rather than "Cancel".

c) Once TB remembers these decisions, there needs to be a way (under account options server settings or security) to view and change/revoke them.
This still happens with TB 16.0.1
I have seen this situation when multiple servers are used behind a single DNS-name (for loadbalancing reasons), but some of them have different certificates installed.
Whiteboard: dupme
In my case, one IMAP server is on my LAN - it provides the same certificate every time.  My SMTP server also has exactly one server and one certificate.  It also re-prompts once/session.

Another IMAP server exhibiting this is a corporate IMAP server that only talks to me if I click "Cancel"; a certificate is optional, but if provided must be one that it likes (and I don't have on the TB machine).

In the case that Jo mentioned, the different server certificates would each have to cover the DNS name.  (E.G. be wildcard or have alternative names).  I think that TB should remember my decision based on the DNS name - either I want to provide a client certificate to that *server* or I don't.  I shouldn't have to re-specify when the server's certificate is replaced (when it expires, or is revoked or upgraded or...)  

But even if TB remembers decisions based on the certificate of the requesting server, TB should actually remember my decision.  It currently does not - even in the simple case of the servers on my LAN, where there is no load-balancing or other trickery...
do you still see this
Component: Untriaged → Security
Flags: needinfo?(tlhackque)
I last saw this about 6 months ago.  I stopped using the corporate server at that time.  All my local servers use the same (user) certificate.  So it's possible that the issue arises when one has multiple servers, some of which share a (user) certificate and at least one other has a unique certificate requirement.

If that's the case, it would indicate that the certificate choice is somehow held per-user rather than per-server.  That would explain the multiple prompts.

In my case, the corporate server wanted a corporate-issued certificate; my local servers wanted a locally-issued one.  The corporate server requested, but didn't require a certificate.  My "cancel" decision wasn't remembered.

At the moment I don't have the ability to reproduce the previous environment.

I hope this helps.
> Under "Options->Advanced->Certificates", I have "ask me every time"
> selected, because the servers don't all send accurate "acceptable CAs" lists
> with their requests.
> 
> [...]
> 
> In all cases, I check the "Remember this decision box".
> 
> TB does what it's told, BUT the next time I open TB, I get the certificate
> selection dialog again for each server.
> 
> 
> Expected results:
> 
> a) TB should have remembered my choice -- including the "Cancel" choice to
> send no certificate -- across TB sessions.  An explicit "remember this
> decision for this server" checkbox should take priority over a general "ask
> every time".

I would guess that this dialog is inherited from the browser context.

When "Ask me every time" is checked (as a preference), does the Remember box (in the popup dialog) mean "Remember for this session"? That might make some sense in the browser context, and would justify that it is checked by default (which otherwise it shouldn't be), although note that passwords (in both browser and e-mail contexts) are ALWAYS remembered for the session.

What does it mean if "Ask me every time" is not checked?

Perhaps the wording of the Remember box (and even its existence in the "Ask me every time" case) should be reconsidered.

Should the scope of this bug be increased beyond Thunderbird?

> b) It might be clearer if the dialog had an explicit "Don't send a
> certificate to this server" option, rather than "Cancel".

Yes. I would be stronger: as a rule of interface semantics, the effect of Cancel should never depend on what selections have been made in the cancelled dialog; in particular, the Remember box should have no effect if Cancel is pressed; but we might want to remember the choice of no certificate.

> c) Once TB remembers these decisions, there needs to be a way (under account
> options server settings or security) to view and change/revoke them.

Again, is this also true beyond Thunderbird?
If the questions are directed to me, I don't have many answers.

I experienced the issue with thunderbird.  I don't know about its internals.

It seems to me that "I don't want to send a cert to this server" is something that I ought to be able to specify.  Permanently, or "just this time".

That capability doesn't seem to be there today.  I don't have a strong opinion on exactly how it should be offered in the UI; just that it should be possible.

As I noted, I no longer use the server that was giving me grief.

This ought to be fixed, but until some other server exhibits the behavior it's no longer impacting me.

As for "beyond thunderbird"; I could imagine a webserver behaving the same way ("Cert optional", user doesn't have an acceptable one).  I don't have a concrete example at hand.  If this is common code, yes, browsers should have the same capability.
Flags: needinfo?(tlhackque)
Can you test the behaviour with "Ask me every time" deselected?
Thanks for filing the bug. It looks like the requests here are already filed, so I'm going to make this bug a dupe of Bug 634697.

(In reply to tlhackque from comment #0)
> a) TB should have remembered my choice -- including the "Cancel" choice to
> send no certificate -- across TB sessions.

The component responsible for remembering client certs is shared, so the core issue being reported here affects e.g. Firefox as well (see Bug 634697).

> b) It might be clearer if the dialog had an explicit "Don't send a
> certificate to this server" option, rather than "Cancel".

I think I saw a bug filed for this somewhere already. I can't find it right now, sorry.

> c) Once TB remembers these decisions, there needs to be a way (under account
> options server settings or security) to view and change/revoke them.

Seems to already be filed as Bug 1074830.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 634697
Thanks for finding this.

I think for Thunderbird purposes it will help to keep this open until the core issue is fixed. Marking dependency.
Status: RESOLVED → REOPENED
Depends on: 634697
Ever confirmed: true
Resolution: DUPLICATE → ---
I'm seeing this on OSX Daily 48.0a1 (2016-03-28).

"ask me every time" selected

Platform -> All?
You need to log in before you can comment on or make changes to this bug.