SSL Security Error: Difference between revisions

From MozillaZine Knowledge Base
{{Tbsuite}}
''This article applies to Firefox, Thunderbird, Mozilla Suite and SeaMonkey.''


__NOTOC__


A security exception is a way to tell Thunderbird that you understand that there is something wrong with the SSL certificate but have decided that you are willing to take the risk, so Thunderbird should make the secure connection anyway and not bother you about it again (unless it gets a different bad certificate later on). If you add a permanent security exception and keep getting prompted to add the same security exception again and again, the certificate store may be corrupt. Use Help -> Troubleshooting Information -> Show Folder to open Windows Explorer (or your file manager) at your [[Profile_folder_-_Thunderbird | profile]], exit Thunderbird, and then delete the cert8.db file, which stores the security certificates. When you restart Thunderbird it should create a new certificate store containing the default certificates. A side effect is that you will lose any certificates or security exceptions that you had added. [http://forums.mozillazine.org/viewtopic.php?f=39&t=3026822&p=14729736#p14729736]


==Domain Name Mismatch or Server Certificate Expired==
"Security Error: Domain Name Mismatch" occurs if you make a secure connection to a server whose domain does not match the domain name in the certificate that it returned. This means that the web site/server you are using may not be the one you wanted. It can also occur when the provider changes its domain but doesn't buy a certificate for the new domain.


"Security Error: Server Certificate Expired" occurs if, according to your system date, the certificate's expiration date has already passed. This may be caused by your system having the incorrect time (perhaps you are traveling and are in a different time zone), or by the certificate really being too old (it expired).
'''In both cases, you need to decide whether or not you think you are actually connected to whatever you tried to connect to'''. Usually it is due to an oversight or an error (an admin installed the wrong SSL certificate when they replaced an expired certificate) and it gets fixed in a couple of days. Sometimes it is due to somebody being too cheap to replace an SSL certificate when they change domains. Unfortunately it could also be due to somebody trying to capture your username/password when you log in, or your credit card number when you buy something on a web site.
If you are using your ISP as your email provider, don't guess: call their help desk and find out if they already know about your problem. If they give you any pushback about Thunderbird not being an officially supported email client, try to duplicate the problem using Firefox to log into webmail. If you can't call your email provider, try browsing their support forums to see if other people have the same problem.
If you decide it's nothing to worry about, check the checkbox to create a security exception so that it stops warning you. Obsolete versions may not support adding a security exception. In that case install the Remember Mismatched Domains extension for [https://addons.mozilla.org/firefox/2131/ Firefox], [https://addons.mozilla.org/en-US/thunderbird/addon/2131 Thunderbird 2.x], or [https://addons.mozilla.org/en-US/seamonkey/addon/2131 SeaMonkey]. It adds a "Don't warn me again about this certificate for this domain" checkbox to the Domain Name Mismatch and Server Certificate Expired warning windows.
==Issuer Certificate Unknown or Site certified by an Unknown Authority==
If you get an error message stating that the certificate is not trusted because the issuer certificate is unknown or the web site is certified by an unknown authority, Thunderbird is complaining that it can't find the Certificate Authority (CA) certificate for that SSL certificate. Press the View Certificate button, look at the certificate, and find out who the Certificate Authority is by looking at the ''Organization'' listed in ''Issued By''. You might also want to make a secure connection to webmail (a web page provided by your email provider that is used to read/send mail) using Firefox, click on the icon in the address bar, and then press the "more information" button to view the details of its certificate. Frequently the same SSL certificate is used for both the mail servers and webmail.
Use Tools -> Account Settings -> an_account_name -> Security -> View Certificates -> Authorities in Thunderbird and look for a certificate for that CA. If you find it, check that it's still valid. If you can't find one, try to find a CA certificate that you can import. For example, if the SSL certificate uses "Symantec Class 3 Secure Server SHA256 SSL CA" as the CA you can download that CA certificate from the [https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=SO26896 Symantec Intermediate CA (ICA) Certificates] web site and then import it using the Thunderbird certificate manager (Tools -> Account Settings -> an_account_name -> Security -> View certificates -> Import). [http://forums.mozillazine.org/viewtopic.php?f=39&t=3018785]
If it's invalid, check that the date on your computer is correct. It sounds unlikely, but sometimes it's set to the wrong year, which can make the CA certificate appear invalid. If the CA certificate looks valid you can add a security exception for your email provider's SSL certificate using Tools -> Account Settings -> an_account_name -> Security -> View Certificates -> Servers -> Add Exception to get rid of the error messages. However, it's recommended that you contact your email provider to find out why that problem is happening. [http://forums.mozillazine.org/viewtopic.php?f=39&t=1988315]
'''If you are using Avast!, upgraded from an earlier version of Avast to Avast 2014, and didn't disable the "mail shield"''', the error can be caused by Avast! re-signing the server's certificate under its own root certificate in order to scan email sent over an SSL connection (a benign [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man in the middle attack]). Try [http://www.avast.com/en-eu/faq.php?article=AVKB91#artTitle importing a mail shield certificate] to work around that problem. [http://forums.mozillazine.org/viewtopic.php?p=13824695#p13824695]
==Revoked Certificate==
If you get an error message about the certificate being revoked (sec_error_revoked_certificate), that means that it's invalid and should not be used.
Older versions of Thunderbird never checked whether the certificate was revoked. However, Thunderbird 3.1.2 and later do, so after upgrading you may find that your secure connection suddenly fails. You can disable the revocation check by setting '''security.OCSP.enabled''' to '''0''' using the [[Modify_Thunderbird_settings | Config editor]]; it typically defaults to 1. Note that this turns off revocation checking for every server, not just the one that is failing. Since it's your email provider that marked the certificate as invalid, yet they're still using it, contact them and find out what's going on.
==Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature==
Usually this means you need to import a certificate for the Certificate Authority (CA) used by the SSL certificate. However, Thunderbird 16 and later considers any certificate that uses an MD5 hash invalid. You can override this by setting security.enable_md5_signatures to true using the config editor, though the real solution is for your email provider to use a secure hash. [https://bugzilla.mozilla.org/show_bug.cgi?id=802699]
==Incorrect use of wildcards in certificate==
This problem occurs if your email provider uses a load balancing router to automatically select one of several mail servers, and doesn't use the right syntax to specify that the certificate applies to more than one host.
Thunderbird 2.* had a bug where it accepted a wildcard for more than one label of the hostname in a certificate, e.g. *.mail.dreamhost.com was accepted for an a1.postal.mail.dreamhost.com host, when the certificate really should have specified *.postal.mail.dreamhost.com. Thunderbird 3 is stricter and rejects that as an invalid hostname. You can work around this by setting the environment variable NSS_USE_SHEXP_IN_CERT_NAME to 1 before starting Thunderbird, and using the Remember Mismatched Domains add-on to avoid getting prompted every time. [http://getsatisfaction.com/mozilla_messaging/topics/thunderbird_2_0_0_23_breaks_dreamhost_email_over_ssl]
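As an added illustration (not MozillaZine or Mozilla/NSS code) of the rule Thunderbird 3 enforces, the following compares a lax shell-glob matcher, which is an assumed approximation of the old behaviour rather than the real NSS code, with a strict matcher that lets a single * stand for exactly one label, run over the dreamhost names from this section:

```python
"""Strict vs. lax wildcard matching of a certificate name against a host name.

Added example, not MozillaZine or Mozilla/NSS code.  lax_match() approximates
the Thunderbird 2 / NSS_USE_SHEXP_IN_CERT_NAME behaviour with a shell glob,
where '*' may span several dot-separated labels (an assumption, not the NSS
source); strict_match() is the rule Thunderbird 3 applies: one '*', only as
the whole left-most label, standing for exactly one label, with at least two
literal labels after it.
"""
import fnmatch


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def lax_match(pattern: str, hostname: str) -> bool:
    """Shell-glob matching: '*' crosses label boundaries (the old bug)."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def strict_match(pattern: str, hostname: str) -> bool:
    """Wildcard may only replace the single left-most label of the host name."""
    p_labels, h_labels = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p_labels == h_labels          # plain name: exact match only
    if pattern.count("*") != 1 or p_labels[0] != "*":
        return False                         # '*' must be the whole first label
    if len(p_labels) < 3:
        return False                         # '*.com' is not an acceptable name
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False                         # '*' covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def evaluate(cert_names, hostname: str) -> dict:
    """For each name in the certificate, report (accepted_by_lax, accepted_by_strict)."""
    return {n: (lax_match(n, hostname), strict_match(n, hostname)) for n in cert_names}


if __name__ == "__main__":
    # The case from the article: a load-balanced host behind a too-short wildcard.
    host = "a1.postal.mail.dreamhost.com"
    results = evaluate(["*.mail.dreamhost.com", "*.postal.mail.dreamhost.com"], host)
    for name, (lax, strict) in results.items():
        print(f"{name:30} Thunderbird 2 (lax): {lax!s:5}  Thunderbird 3 (strict): {strict}")
```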
==Thunderbird SSL/TLS bug fix exposes bugs in many protocol implementations==
Thunderbird 10.0 includes a bug fix [https://bugzilla.mozilla.org/show_bug.cgi?id=665814] in its SSL/TLS implementation. The fixed behaviour is compliant with all versions of the SSL/TLS protocols and compatible with other SSL implementations (such as OpenSSL). However, many products have bugs in how their SMTP, IMAP, POP, LDAP, and/or HTTP code parses what the client sends them, and those bugs were hidden until this fix. An example is Merak IceWarp version 10.3.5 used as an IMAP server. [https://bugzilla.mozilla.org/show_bug.cgi?id=723109#c32]
A temporary workaround until your mail servers are updated is to: ''Temporarily put NSS_SSL_CBC_RANDOM_IV=0 in the environment on their local machine. (The best way to do this would be to create a batch file that sets NSS_SSL_CBC_RANDOM_IV=0 and then runs Thunderbird, because this limits the scope of the workaround to just Thunderbird. However, if that is too difficult, you can change the environment for all software you run. On Windows 7 (and probably Vista), you can do this through the UI you can find by typing "Edit environment variables for your account" into the Start Menu's search box.)''
==Ports==
SSL certificates are normally only used with certain ports. If you get this error for a port that is normally used by a different protocol or an insecure connection, be suspicious.
{| border="2" cellpadding="8" cellspacing="0" style="margin: 1em 1em 0; background: #fcfcfc; border: 1px #aaa solid; border-collapse: collapse;"
! Port
! Protocol
! Secure connection
|-
| 25
| SMTP
| No*
|-
| 80
| HTTP
| No
|-
| 110
| POP
| No*
|-
| 143
| IMAP
| No*
|-
| 389
| LDAP
| No
|-
| 443
| HTTP
| Yes
|-
| 465
| SMTP
| Yes
|-
| 587
| SMTP
| Yes
|-
| 636
| LDAP
| Yes
|-
| 993
| IMAP
| Yes
|-
| 995
| POP
| Yes
|}
'''*Note''': These ports can be "upgraded" to secure connections after initially being established as insecure, using the STARTTLS command.
==Related bugs==
* [https://bugzilla.mozilla.org/show_bug.cgi?id=387480  Support network-fetched cert import in Servers tab of Cert Mgr ("Add Exception" dialog)]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=533744 "Add security exception" dialog is useless] talks about the security exception not working due to a missing realhostname, and how you can get it to work by adding it.
==See Also==
* [[CA certificate]]
* [[Known vulnerabilities]]
* [[Secure_connections_-_Thunderbird | Secure Connections]]
==External Links==
* [http://kuix.de/fosdem2012/fosdem-2012-talk-kaie.pdf A useful talk about how SSL certificates work, why CAs are a problem, and an evaluation of some alternatives]
* [http://www.mozilla.org/projects/security/pki/nss/ Network Security Services (NSS)]
* [http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1040263 SSL error codes]
* [http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity SSL And The Future Of Authenticity]
* [https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.0.pdf SSL/TLS deployment best practices]
* The Qualys [https://www.ssllabs.com/ssldb/ SSL Server Test] performs a deep analysis of the configuration of any SSL web server. While it tests the web server, the mail server is typically configured the same way.
[[Category:Issues (Firefox)]]
[[Category:Issues (Thunderbird)]]
[[Category:Privacy and security (Thunderbird)]]
[[Category:Issues (Mozilla Suite)]]
[[Category:Privacy and security]]
[[Category:Websites]]

Revision as of 05:26, 26 January 2017
