X
Tik hier voor de mobiele versie van de website.

Ondersteuningsforum

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

SSL error in Thunderbird 31.0

Geplaatst

After today's Thunderbird upgrade to 31.0, it sopped working with Dovecot altogether. It can't use TLS connection any more (it worked fine prior to 31.0).

Record from IMAP sever log file:

Jul 23 11:24:00 mailserver dovecot: imap-login: Disconnected (no auth attempts): rip=10.y.y.y, lip=10.x.x.x, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42

IMAP sever uses CA root certificate generated for intranet. All other certificates, including the one used by mailserver, refer to that CA.

All other services work fine with this setup, save Thunderbird 31.0. I had to disable SSL/TLS for it entirely, since Thunderbird waited forever on "Receiving mail server configuration..." phase.

No other configuration are changes. Firewall doesn't block communication. I would appreciate any reasonable pieces of advices, save downgrading to the closes to 31.0 version, which didn't resulted in this error.

After today's Thunderbird upgrade to 31.0, it sopped working with Dovecot altogether. It can't use TLS connection any more (it worked fine prior to 31.0). Record from IMAP sever log file: Jul 23 11:24:00 mailserver dovecot: imap-login: Disconnected (no auth attempts): rip=10.y.y.y, lip=10.x.x.x, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42 IMAP sever uses CA root certificate generated for intranet. All other certificates, including the one used by mailserver, refer to that CA. All other services work fine with this setup, save Thunderbird 31.0. I had to disable SSL/TLS for it entirely, since Thunderbird waited forever on "Receiving mail server configuration..." phase. No other configuration are changes. Firewall doesn't block communication. I would appreciate any reasonable pieces of advices, save downgrading to the closes to 31.0 version, which didn't resulted in this error.

Gekozen oplossing

I have this problem too. Everything used to work and then the same problem after upgrade to 31.0.

And I also tried to remove then re-import my self signed CA certificate, it did not work.

The walk-around is: remove the self-signed CA certificate, and accept the server certificate as exceptions. Or manually add server certificates at Preference => View certificates (certificate manager) => Servers

Although it works for this moment, I wish the bug will be fixed asap.

Dit antwoord in context lezen 5

Aanvullende systeemdetails

Toepassing

  • Useragent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

Meer informatie

iamjayakumars 479 oplossingen 5878 antwoorden

SSL error happens only, when your certificate is not-available or expired.

for more

SSL error happens only, when your certificate is not-available or expired. for more *https://support.mozilla.org/en-US/kb/add-security-exception

Nuttig antwoord

Certificate is both available and non-expired. Any more suggestions?

Note: it worked without any problems prior to 31.0. It must be something that changed in 31.

Certificate is both available and non-expired. Any more suggestions? Note: it worked without any problems prior to 31.0. It must be something that changed in 31.
kionez 0 oplossingen 1 antwoorden

Same here, I have self-signed certs (cacert.org) and Thunderbird refuses to authenticate. Everything works fine for other SSL account (i.e.: gmail ones). With Thunderbird 30.0 everything was ok, after update I have this problem (ArchLinux x86_64 version)

I fixed it removing certificates in Edit --> Preferences --> Advanced --> Certificates (I'm translating from italian, so I'm not sure they are the correct words ;) ) and then re-adding them again.

Hope it helps!

k.

Same here, I have self-signed certs (cacert.org) and Thunderbird refuses to authenticate. Everything works fine for other SSL account (i.e.: gmail ones). With Thunderbird 30.0 everything was ok, after update I have this problem (ArchLinux x86_64 version) I fixed it removing certificates in Edit --> Preferences --> Advanced --> Certificates (I'm translating from italian, so I'm not sure they are the correct words ;) ) and then re-adding them again. Hope it helps! k.

Bewerkt door kionez op

Vraageigenaar

@kionez Correspondingly, I use Ubuntu x86_64 12.04, all updates installed. I'll check your approach ASAP. Thank you!

My advice to Thunderbird developers is to test for such things prior to publishing updates. It's really annoying to waste time on someone's poor work instead of doing something useful.

@kionez Correspondingly, I use Ubuntu x86_64 12.04, all updates installed. I'll check your approach ASAP. Thank you! My advice to Thunderbird developers is to test for such things prior to publishing updates. It's really annoying to waste time on someone's poor work instead of doing something useful.

Nuttig antwoord

@kionez, replacing CA root/sever certificate didn't help, in whatever order I tried that. I still appreciate your piece of advice. Thanks.

This is a regression bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1036338

and it's extremely annoying. Looks like no thorough testing is performed in Thunderbird project. In 31 version SSL processing logic has been changed, but no one even attempted to check how that affects all types of certificates.

@kionez, replacing CA root/sever certificate didn't help, in whatever order I tried that. I still appreciate your piece of advice. Thanks. This is a regression bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1036338 and it's extremely annoying. Looks like no thorough testing is performed in Thunderbird project. In 31 version SSL processing logic has been changed, but no one even attempted to check how that affects all types of certificates.

Vraageigenaar

Also, as final note: is it possible to downgrade Thunderbird to its pre-31 release that existed in 12.04 repositories?

Also, as final note: is it possible to downgrade Thunderbird to its pre-31 release that existed in 12.04 repositories?
christ1
  • Top 10 Contributor
1733 oplossingen 12424 antwoorden

Does your self-signed cert have a basicConstraints extension with the value CA: TRUE?

If so, have you tried the workaround as described in comment 8 of bug 1036338?

Does your self-signed cert have a basicConstraints extension with the value CA: TRUE? If so, have you tried the workaround as described in [https://bugzilla.mozilla.org/show_bug.cgi?id=1036338#c8 comment 8] of bug 1036338?

Bewerkt door christ1 op

Vraageigenaar

@chris1 I think I have answered that already.

Yes, it's set to CA:TRUE No, the workaround doesn't help.

@chris1 I think I have answered that already. Yes, it's set to CA:TRUE No, the workaround doesn't help.
bingtimren 1 oplossingen 1 antwoorden

Gekozen oplossing

I have this problem too. Everything used to work and then the same problem after upgrade to 31.0.

And I also tried to remove then re-import my self signed CA certificate, it did not work.

The walk-around is: remove the self-signed CA certificate, and accept the server certificate as exceptions. Or manually add server certificates at Preference => View certificates (certificate manager) => Servers

Although it works for this moment, I wish the bug will be fixed asap.

I have this problem too. Everything used to work and then the same problem after upgrade to 31.0. And I also tried to remove then re-import my self signed CA certificate, it did not work. The walk-around is: remove the self-signed CA certificate, and accept the server certificate as exceptions. Or manually add server certificates at Preference => View certificates (certificate manager) => Servers Although it works for this moment, I wish the bug will be fixed asap.

Bewerkt door bingtimren op

Vraageigenaar

@bingtimren, thanks for the advice. I have heard it did help to some of people I know. Personally, I downgraded TB to 24.6, and will wait for correction to 31.

@bingtimren, thanks for the advice. I have heard it did help to some of people I know. Personally, I downgraded TB to 24.6, and will wait for correction to 31.
rchatham 0 oplossingen 3 antwoorden

We have experienced the same exact problem. The software auto-updated to version 31 and now no one can access their inbox.

Anyone have a link to where I can access 24.6? I spent over an hour futzing around with the certificate settings but I just don't know what it wants from me and I'd rather hide in my turtle shell until this gets resolved.

Thanks,

Rick

We have experienced the same exact problem. The software auto-updated to version 31 and now no one can access their inbox. Anyone have a link to where I can access 24.6? I spent over an hour futzing around with the certificate settings but I just don't know what it wants from me and I'd rather hide in my turtle shell until this gets resolved. Thanks, Rick

Vraageigenaar

@rchatham I believe you can download all the binary distributions here:

http://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/

and Debian/Ubuntu packages here:

http://sourceforge.net/projects/ubuntuzilla/files/mozilla/apt/pool/main/t/thunderbird-mozilla-build/

@rchatham I believe you can download all the binary distributions here: http://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/ and Debian/Ubuntu packages here: http://sourceforge.net/projects/ubuntuzilla/files/mozilla/apt/pool/main/t/thunderbird-mozilla-build/
rchatham 0 oplossingen 3 antwoorden

Thanks for the sources Konstantin. We've rolled back our windows users and downgraded our Linux users for now. Hopefully we don't have to start shopping for another e-mail client.

-Rick

Thanks for the sources Konstantin. We've rolled back our windows users and downgraded our Linux users for now. Hopefully we don't have to start shopping for another e-mail client. -Rick

Vraageigenaar

@rick, you are welcome. While waiting for the fix, I would advise to turn off automatic upgrade in Windows clients (turned on by default, AFAIK), to avoid re-installing it repeatedly.

@rick, you are welcome. While waiting for the fix, I would advise to turn off automatic upgrade in Windows clients (turned on by default, AFAIK), to avoid re-installing it repeatedly.
AxelM 0 oplossingen 2 antwoorden

That's also my way of dealing with the issue.

My question is: When will the issue be fixed?

That's also my way of dealing with the issue. My question is: When will the issue be fixed?

Vraageigenaar

@AxelM, see link above on bug report at Mozilla. I think it's worth asking that in comments to that bug.

At the moment it's voted for as 'major', but remains unassigned.

@AxelM, see link above on bug report at Mozilla. I think it's worth asking that in comments to that bug. At the moment it's voted for as 'major', but remains unassigned.
AxelM 0 oplossingen 2 antwoorden

@Konstantin.Boyandin: Yes, I will do that. Thanks.

@Konstantin.Boyandin: Yes, I will do that. Thanks.
rchatham 0 oplossingen 3 antwoorden

I just upvoted it too. Wish I could put 100 votes on it!!! Thanks for the help @Konstantin.

I just upvoted it too. Wish I could put 100 votes on it!!! Thanks for the help @Konstantin.