Support Forum

Self-signed certificate problem after upgrade to TB 68.4.1

After upgrading to TB 68.4.1 I could not read/write e-mails anymore. The error message is "The IMAP server does not support the selected authentication method". The log file shows

[(null) 18264: Unnamed thread 23287970]: D/IMAP try to log in
[(null) 18264: Unnamed thread 23287970]: D/IMAP IMAP auth: server caps 0x4484421, pref 0x1006, failed 0x0, avail caps 0x0
[(null) 18264: Unnamed thread 23287970]: D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
[(null) 18264: Unnamed thread 23287970]: D/IMAP no remaining auth method
[(null) 18264: Unnamed thread 23287970]: E/IMAP login failed entirely

So, no authentication method was even selected.

I have created a new appdata Thunderbird folder. Now I can define an exception for my certificate in the settings - without specifying the port. The downloaded certificate has the wrong port number however (should be 143 but is 443). When reading e-mails another certificate with the correct port is downloaded which I can confirm, and the e-mails are read correctly. However when restarting Thunderbird the above error message comes again and I have to repeat the procedure by first deleting the certificate and then defining an exception for it.

My questions:
- How can I tell Thunderbird to accept my certificate without defining an exception in the settings? This was not required before the update.
- How can I define the certificate exception in a way to get the correct port that persists after restarting Thunderbird?

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
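
Decoding the bit masks in the log quoted in the question, as an added example that is not part of any post in this thread. Flag names and values are taken from the log's own legend line; the relation "usable = server AND pref AND NOT failed" is an assumption, checked against the logged avail caps value.

```python
import re

# Both lines are copied from the log quoted in the question.
LEGEND_LINE = ("D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, "
               "MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, "
               "old-style IMAP login = 0x4, "
               "auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)")
CAPS_LINE = ("D/IMAP IMAP auth: server caps 0x4484421, pref 0x1006, "
             "failed 0x0, avail caps 0x0")
HEX = r"(0x[0-9a-fA-F]+)"


def parse_legend(line):
    """Return {method name: bit} from the parenthesised legend line."""
    inner = line[line.index("(") + 1:line.rindex(")")]
    return {m.group(1).strip(): int(m.group(2), 16)
            for m in re.finditer(r"([^,=]+?)\s*=\s*" + HEX, inner)}


def parse_caps(line):
    """Return the four masks of the 'IMAP auth:' line as integers."""
    labels = {"server": "server caps", "pref": "pref",
              "failed": "failed", "avail": "avail caps"}
    masks = {}
    for key, label in labels.items():
        m = re.search(label + r"\s+" + HEX, line)
        if m is None:
            raise ValueError("field not found: " + label)
        masks[key] = int(m.group(1), 16)
    return masks


def decode(mask, legend):
    """Split a mask into named methods and the bits the legend does not name."""
    names = sorted(n for n, bit in legend.items() if mask & bit)
    named_bits = 0
    for bit in legend.values():
        named_bits |= bit
    return names, mask & ~named_bits


def explain(caps_line=CAPS_LINE, legend_line=LEGEND_LINE):
    legend, caps = parse_legend(legend_line), parse_caps(caps_line)
    # Assumption: usable = offered AND preferred AND not already failed.
    usable = caps["server"] & caps["pref"] & ~caps["failed"]
    return {"server": decode(caps["server"], legend),
            "pref": decode(caps["pref"], legend),
            "usable": decode(usable, legend)[0],
            "matches_log": usable == caps["avail"]}
```

Every bit of the logged server mask falls outside the legend, so none of the three preferred methods (PLAIN, LOGIN, old-style IMAP login) was on offer and the computed intersection equals the logged avail caps 0x0.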

Matt
  • Top 10 Contributor
  • Moderator
3393 solutions 23501 answers

How about just using a real certificate? We are going away from self signed certificates if I read the last changes to actually mean anything.

But no remaining auth methods usually means that the server is not running a new enough version of TLS, or the key size is not large enough, not that the certificate is invalid. (that should get an error in the user interface of its own)

Question owner

Thank you for the quick reply!

It seems to be a specific problem of the Thunderbird instance on my Windows computer. I have tried to repeat the same steps in a virtual machine on my computer, and everything works as expected:
1. Created a new account with my account settings (STARTTLS, ingoing port 143, outgoing port 587) in the Thunderbird instance of my virtual machine
2. After confirmation Thunderbird comes up with the expected certificate warning (with the correct port 143) and lets me accept the certificate permanently
3. E-Mails are downloaded

In my local Thunderbird however I do not get the certificate warning in step 2 but the error message "The IMAP server does not support the selected authentication method" mentioned in my previous post. My impression is that the download request is done with the wrong port number (should be 143 for STARTTLS but is 443 for HTTPS).

What I have tried but did not help:
- Reinstalled Thunderbird
- Deleted appdata Thunderbird folder to let Thunderbird recreate all data including profiles
- Temporarily deactivated Symantec Endpoint Protection to avoid some magic port forwarding

Any ideas? Are there any registry settings that might cause the problem? Any chance to increase debugging level to get more detailed information?

Question owner

I went back to TB 60.9.1 (using the existing profile) and - tata... - everything works fine again! So the problem must have to do with TB 68.4.1.

In the release notes I read that TB 68 has stricter certificate checks: https://www.thunderbird.net/en-US/thund ... easenotes/

Maybe the problem has to do with it. For now I will have to stay with TB 60...

Matt

Chosen Solution

Has your certificate store been changed by an antivirus? security.enterprise_roots.enabled in the Config Editor set to true.

Does your server support TLS V 1.0 and 1.1 only?

I got an email today advising it is disabled in the 73 beta, I would expect that to show up in Thunderbird 68.5 so it should not yet be an issue.

If you are talking about the distrusting of the Symantec certificates in the V68 release notes (your link is broken) they have been phased out over a long time, and as your certificate is self-signed, not relevant.

Modified by Matt


Question owner

That was it! In TB 60 security.enterprise_roots.enabled was set to false. I updated to TB 68.4.2 and security.enterprise_roots.enabled was modified to true. I changed it back to false, and now e-mails are working as before.

I would not have found this solution. Thank you so much for your help!
