Well Well Well. You certainly have all of my least favorite things going on there.

Comcast. Sadly troubled organization with customer support issues. They truly are good, half way round the world I know they are troubled.

Symantec. One of the worst anti virus products for those using mail clients, only one I think is worse is McAfee. Both products went to the pack after their original developers sold them. This is quite probably the root cause of your issue . Even when you turn it off in it's settings, it lies and stays active.

Yahoo, and AOL. AOL is now Yahoo, and both are owner by Verizon, so that makes for a sad situation where a failing internet company that apparently does not understand either email or it's users is flailing around making all sorts of illogical decisions and failing to communicate them. The owner, Verizon, just writes a few more hundreds of million off their purchase as they devalue Yahoo.

So lets try and navigate these deep and horrible waters.

First, yahoo requires you to use oAuith2.0 Authentication unless you set the less secure apps in account settings on their web site. https://login.yahoo.com/account/security?.scrumb=s4s%2FuJ93aw4 That should work until march.

At this time only IMAP accounts and SMTP can use oAuth in Thunderbird. I hope things are different when the march deadline arrives.

The only way I know of to reliably "disable" Norton products short of using their special uninstaller program that you download from their web site to test if they are the problem is to use safe mode with Networking.

To restart the operating system in safe mode with Networking. This loads only the very basics needed to start your computer while enabling an Internet connection. Click on your operating system for instructions on how to start in safe mode: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, OSX

Finally the OSCP server is a certificate server(I had to Google it) so that failure could be anywhere really. yahoo dropping the ball or Norton loosing the ball are the two most likely.

Matt, thank you for taking the time to detail out some of the challenges.

Yes, Verizon, Yahoo, AOL, Comcast, and Symantec all have had their own biases, pushes, support structures (for masses), and yet not being able to disruptive and innovative for the masses and/or technologists.

With all of the trials of putting out the limits put on my Thunderbird setup, it is still not clearing out the 'block' being put somewhere on all of my 6 email accounts setup in Thunderbird.

I have looked through the Logs in Thunderbird also under Troubleshooting information and even though I do not know how to read all of it, there are no pointers to the "ports being blocked" or "config setups" that might be pointing to the OSCP error code.

Any other ideas would be highly appreciated and receptive since others might start to run into it also.

Thanks.

Ken

Seriously what was your result in windows safe mode with networking. it is a PITA to do, but it often reveals much.

Matt, you were on the right track and if I was not using a locked up machine by IT, I would be able to see what they have done with AV program and setup.

So, here is the resolution. And, it just popped up at me with the new version of Thunderbird.

Revoked Certificate If you get an error message about the certificate being revoked (sec_error_revoked_certificate) that means that its invalid and should not be used.

Older versions of Thunderbird never checked whether the certificate was revoked. However, Thunderbird 3.1.2 and later do, so you may find when you upgraded all of a sudden your secure connection failed. You can disable checking whether its revoked by setting security.OCSP.enabled to 0 using the Config editor. It typically defaults to 1. Since its your email provider that marked it as invalid, yet they're still using it, contact them and find out whats going on.

More details are available at http://kb.mozillazine.org/SSL_Security_Error

Lots of situations can occur, and as soon as I went into the ConfigEditor (follow the direction "exactly" for others reading this answer) and flipped the OSCP checks to "0" and the next setup was TRUE or False and set it to False. I did not have to restart Thunderbird and it automatically got away with the error.

In addition, in checking for POP and IMAP setup, everything told me to reset the settings back to gmail.com whereas sometime ago I had to reset it to googlemail.com inside Thunderbird.

So, did all of this, and finally from 12/27 to 1/20/2020 I had to go to yahoo.com and gmail.com to read my email, and it was the pits as opposed to my beautiful Thunderbird, and finally rejoicing tonight with hundreds of emails downloading.

Thanks Matt for ALL of your encouragement and help. Hope this answer helps lots of other people also.

Kenny

Who exactly issued the certificate, or is it another one of the bodgy anti virus program ones that the user is supposed to break their security so the anti virus can hack their communications to scan stuff. I notice some of them are even changing the certificate store Thunderbird uses to the windows one, because they have not spent the money to get the audits to prove they are entitled to issues root certificates, so they are using the less secure windows one because they can insert their certificates into it and "declare them valid"

Matt, there is no certificate as such identified or expired. I checked all of them and there were expirations in Nov 2018 and Dec 2020, but none in 2019 and none when this event occured.

So, either an antivirus / antimalware program brought it in, but it is surprising that the OSCP error is no where on the Mozilla support site, and i found it while I was trying to set it up on another computer, and it was situated with the language along with how the Thunderbird setup works.

If Thunderbird is using Certificates, then it should abandon it if it is not going to pay for it, or watch its expiration. Or make the switch of using or not using in the Preferences and Options, but what do I know about programming or building an application!

Either way, but by passing the check in the about:config it took 5 seconds to resolve, like any other issue when one finds the solution. It only took me 3 weeks of trials, and learned a LOT LOT LOT about programs, setups, configurations, and also about Thunderbird.

Hope all this discussion helps others also.

<<<<<<< PROBLEM COMPLETELY RESOLVED >>>>>>>>

Ken

what did you change? I think that is really the question. I have no idea, so if it does not help me, I doubt anyone else will get anything from it.

There are lots of certificate settings in the certificate manager. I just wonder why you are using the config editor at all?

Matt, see answer on 1/20/2020. That is what helped me change it, where Thunderbird will ignore the OSCP lookup and therefore will not create the 'wall' to not allow me to connect.

Does this help?

Thanks.

Ken

There is a reason mozillaZine is finally winding down. one of them is the disasters some to their fixes created in the wrong hands. In this case if you did not want OCSP the setting is on the so perhaps you should have used the user interface Options > advanced > certificates querying OCSP servers for the validity of the certificate is one of oply two options there.

However using revoked certificates would indicate that there are issues, people do not revoke them because they are in a mood.

So you have disabled validation of certificates. You still have no idea why the certificate was invalid. Or do you?

What I would say for your fix is you might as well consider your connections to be in plain text for anyone to read.

You never answered the question about who issued the certificate, which would have made an acceptable solution fairly obvious. But you are happy. Just don't complain of you mail ends up being hacked.

Matt, I did answer the Certificate question. Let me quote it here:

"Matt, there is no certificate as such identified or expired. I checked all of them and there were expirations in Nov 2018 and Dec 2020, but none in 2019 and none when this event occured."

I wish I can find out which certificate had expired, since I have a slew of them on the machine. I wish there is a way to find out, but from the Expiration Dates, none of them seem to be showing up in any expired state in Dec'2019 when the OSCP issue first occured.

Lets look at it the opposite way. Is there a certificate that you or others use that I should be invoking/using, and if there is one, how do I link / enable it with Thunderbird? It would be good to know since I am just an average Joe user that does not know or understand how to set the Certificate Authorities on my user profile to enable or even disable or for that matter, renew it.

Any help would be appreciated so that my emails are no in clear text and hackable as a result.

Ken