Open Bug 947593 Opened 11 years ago Updated 3 years ago

Thunderbird tries client certificate authentication although not requested by server and not configured

Categories

(Thunderbird :: Security, defect)

24 Branch
x86_64
Linux
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: mozilla, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 2013102400

Steps to reproduce:

I use a Cyrus IMAP server with TLS. Cyrus is configured to NOT request client certificate authentication:

tls_imap_require_cert: false
tls_pop3_require_cert: false
tls_lmtp_require_cert: false
tls_sieve_require_cert: false

Thunderbird is configured for TLS with plain text password authentication in account settings. I use a smartcard for S/MIME signing.

Actual results:

On startup, Thunderbird asks which certificate to use for authenticating to the IMAP server. When clicking "cancel", the connection to the IMAP server is done properly.

When I write an email, at some point, Thunderbird asks for the smartcard PIN to sign the email and save it to drafts. As soon as the PIN is entered, Thunderbird switches sometimes (not always) from plain text password to certificate authentication and tries to authenticate with the IMAP server via the smartcard certificate. All following IMAP transactions consequently fail.

Expected results:

- If not requested by the server, Thunderbird should not ask which certificate to use for authentication.
- If authentication is set to plain text password in account settings, Thunderbird should not switch to certificate authentication when the smartcard is inserted and authenticated.

A test account for developers with my IMAP server can be set up on request.
Severity: normal → major
Stefan, Do you still see this when using version 31?
Component: Untriaged → Security
Flags: needinfo?(mozilla)
Stefan writes "I tried IMAPS but TCP/993 is blocked in many Finnish mobile networks, so TB became kinda useless to me. Now using KMail or Roundcube."
Flags: needinfo?(mozilla)
I confirm this bug for 38.2.0 (and earlier). In fact, I have been noticing this for quite a long time (years) now.

Setup: Cyrus IMAP 2.4.17, configured as above, i.e. not requesting SSL client auth.

TB prompts for a certificate to use on startup/connect, if it is configured to do so (i.e. "Ask every time" is set in Advanced->Certificates). If it is set to select one automatically, it just uses the first one, and then fails silently if the server rejects the certificate. No error message is displayed directly; only the error console shows that the server has rejected the SSL auth. Very annoying, hardly understandable.

This apparently got worse in 38.x, where this behaviour totally breaks existing setups. I'm not 100% sure about this, but it would seem that in earlier versions TB only tried SSL auth if it had a certificate from a CA whose name was on the list of acceptable client CAs sent from the server. Now (38.x) it ALWAYS tries SSL auth, even if it does not have ANY matching certificates installed AND the server does not request SSL auth.

The bug description surprises me.

In my understanding of the SSL/TLS handshake protocol, a client cannot send a client cert unless the server has explicitly requested it.

You claim that the server is configured to NOT ask for a client cert. I'd like to suggest using a packet sniffer like Wireshark to confirm that claim. I think it's very likely there's a bug on the server side, where the server requests the client auth, despite you believing it has been disabled.

Severity: major → normal
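The handshake check suggested in the comment above, as an added example that is not part of this bug report and not Mozilla or Cyrus code: it walks the server's TLS 1.2 handshake flight (the bytes between ServerHello and ServerHelloDone, as exported from a capture) and reports whether a CertificateRequest message is present and which CA names it lists. The two sample flights at the bottom, the CA name "CN=Example CA" and the dummy ServerHello fields are constructed for this example.

```python
"""Check a captured TLS 1.2 server handshake flight for a CertificateRequest.

Added example for this bug thread (not Mozilla or Cyrus code). It assumes a
plaintext TLS 1.2 handshake, i.e. the raw bytes the server sent between
ServerHello and ServerHelloDone, as exported from a capture. The sample
flights at the bottom are constructed here for illustration.
"""
import struct

HANDSHAKE_RECORD = 22
CERTIFICATE_REQUEST = 13
HANDSHAKE_NAMES = {
    2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone",
}


def iter_handshake_messages(data):
    """Yield (msg_type, body) for every handshake message in a run of TLS records.

    A handshake message may be split across records, so all handshake fragments
    are reassembled into one stream before the messages are walked.
    """
    stream = bytearray()
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE_RECORD:
            stream += fragment
        off += 5 + length
    pos = 0
    while pos + 4 <= len(stream):
        msg_type = stream[pos]
        msg_len = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = bytes(stream[pos + 4:pos + 4 + msg_len])
        if len(body) != msg_len:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        pos += 4 + msg_len


def parse_certificate_request(body):
    """Decode a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4)."""
    n_types = body[0]
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types
    sa_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + sa_len, 2)]
    pos += sa_len
    ca_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ca_len
    authorities = []  # DER-encoded DistinguishedNames the server will accept
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        authorities.append(body[pos:pos + dn_len])
        pos += dn_len
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": authorities}


def server_requests_client_cert(data):
    """Return (requested, details, message_names) for a server handshake flight."""
    names, details = [], None
    for msg_type, body in iter_handshake_messages(data):
        names.append(HANDSHAKE_NAMES.get(msg_type, "type%d" % msg_type))
        if msg_type == CERTIFICATE_REQUEST:
            details = parse_certificate_request(body)
    return details is not None, details, names


# --- constructed sample flights (not taken from the attached capture) ---------
def _msg(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(payload):
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x03" + struct.pack("!H", len(payload)) + payload


_SERVER_HELLO = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"  # dummy fields
_CERTIFICATE = b"\x00\x00\x00"  # empty certificate_list, enough for this parser
# DER DistinguishedName "CN=Example CA", an invented CA name
CA_DN = bytes.fromhex("3015311330110603550403130a4578616d706c65204341")
_CERT_REQUEST = (b"\x02\x01\x40"                       # rsa_sign, ecdsa_sign
                 + b"\x00\x04" + b"\x04\x01\x04\x03"   # rsa_pkcs1_sha256, ecdsa_secp256r1_sha256
                 + struct.pack("!H", len(CA_DN) + 2) + struct.pack("!H", len(CA_DN)) + CA_DN)

# A server that does not want client auth sends no CertificateRequest at all.
FLIGHT_NO_REQUEST = _record(_msg(2, _SERVER_HELLO) + _msg(11, _CERTIFICATE)) + _record(_msg(14, b""))
# A server that asks for a client cert; here the request is split across two records.
_tail = _msg(13, _CERT_REQUEST) + _msg(14, b"")
FLIGHT_WITH_REQUEST = (_record(_msg(2, _SERVER_HELLO) + _msg(11, _CERTIFICATE))
                       + _record(_tail[:10]) + _record(_tail[10:]))

if __name__ == "__main__":
    for label, flight in (("no request", FLIGHT_NO_REQUEST), ("with request", FLIGHT_WITH_REQUEST)):
        requested, details, names = server_requests_client_cert(flight)
        print(label, "->", names, "client cert requested:", requested)
        if requested:
            print("  acceptable CAs (DER hex):", [dn.hex() for dn in details["certificate_authorities"]])
```

On a real capture, feed the script the server-to-client bytes of the connection (from the first byte on port 993/995, or from the point after the STARTTLS exchange on 143/110). If no CertificateRequest appears, a conforming client has no protocol-level way to send a certificate, which is the point made in the comment above; if one does appear, a client without a suitable certificate answers with an empty Certificate message, which a server configured not to require a certificate must accept. One caveat: in TLS 1.3 everything after ServerHello is encrypted, so a passive capture cannot show the CertificateRequest and a client-side TLS debug log is needed instead.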

The bug seems to be still present in Thunderbird 68.7.0.

Setup: TB is configured to contact mailserver "securemail.a1.net" via SSL port 995, authentication mode is set to "plaintext password", certificate policy is set to "Ask Every Time". The mail provider neither offers nor requires certificate authentication.

Result: When polling new mail from the server the user is prompted to choose one of his certificates. Actually choosing one makes TB fail silently. Cancelling the prompt leads to a successful connection, as described previously by Markus. Setting the server authentication mode to "plaintext password" obviously does not prevent TB from performing SSL client certificate authentication. The only solution I found was to delete ALL personal certificates from the certificate store. Leaving one behind - even one that does not contain the email address in question - triggers the bug again.

Still present in Thunderbird 68.11.0.

Still present in Thunderbird 78.7.0

I use IMAP with Office 365.

Please add an option for "no cert" or, much better, when the auth method "password, normal" is set, do not ask for a certificate.

Exactly the same as Frank wrote here!
"Setup: TB is configured to contact mailserver "securemail.a1.net" via SSL port 995, authentication mode is set to "plaintext password", certificate policy is set to "Ask Every Time". The mail provider neither offers nor requires certificate authentication........."

I have to cancel the request to get my mail.
Before version 78 I had to do this once at the start of TB, after entering my TB password.
Now I get this request every time TB automatically checks for mail on my different accounts (including the one mentioned).

Attached file A1-2.pcapng
Severity: normal → S3