Self-signed certificate problem after upgrade to TB 68.4.1
After upgrading to TB 68.4.1 I could not read/write e-mails anymore. The error message is "The IMAP server does not support the selected authentication method". The log file shows
[(null) 18264: Unnamed thread 23287970]: D/IMAP try to log in [(null) 18264: Unnamed thread 23287970]: D/IMAP IMAP auth: server caps 0x4484421, pref 0x1006, failed 0x0, avail caps 0x0 [(null) 18264: Unnamed thread 23287970]: D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000) [(null) 18264: Unnamed thread 23287970]: D/IMAP no remaining auth method [(null) 18264: Unnamed thread 23287970]: E/IMAP login failed entirely
So, no authentication method was even selected.
I have created a new appdata Thunderbird folder. Now I can define an exception for my certificate in the settings - without specifying the port. The downloaded certificate has the wrong port number however (should be 143 but is 443). When reading e-mails another certificate with the correct port is downloaded which I can confirm, and the e-mails are read correctly. However when restarting Thunderbird the above error message comes again and I have to repeat the procedure by first deleting the certificate and then defining an exception for it.
My questions: - How can I tell Thunderbird to accept my certificate without defining an exception in the settings? This was not required before the update. - How can I define the certificate exception in a way to get the correct port that persists after restarting Thunderbird?
Chosen solution
Has you certificate store been changed by an anti virus? security.enterprise_roots.enabled in the config editor set to true.
Does your server support TLS V 1.0 and 1.1 only?
I got an email today advising it is disabled in the 73 beta, I would expect that to show up is Thunderbird 68.5 so it should not yet be an issue.
If you are talking about the distrusting of the Symantec certificates in the V68 release notes (your link is broken) they have been phased out over a long time. and as your certificate is self signed not relevant
Read this answer in context 👍 0All Replies (5)
How about just using a real certificate? We are going away from self signed certificates if I read the last changes to actually mean anything.
But no remaining auth methods usually means that the server is not running a new enough version of TLS, or the key size is not large enough, not that the certificate is invalid. (that should get an error in the user interface of it's own)
Thank you for the quick reply!
It seems to be a specific problem of the Thunderbird instance on my Windows computer. I have tried to repeat the same steps in a virtual machine on my computer, and everything works as expected: 1. Created a new account with my account settings (STARTTLS, ingoing port 143, outgoing port 587) in the Thunderbird instance of my virtual machine 2. After confirmation Thunderbird comes up with the expected certificate warning (with the correct port 143) and lets me accept the certificate permanently 3. E-Mails are downloaded
In my local Thunderbird however I do not get the certificate warning in step 2 but the error message "The IMAP server does not support the selected authentication method" mentioned in my previous post. My impression is that the download request is done with the wrong port number (should be 143 for STARTTLS but is 443 for HTTPS).
What I have tried but did not help: - Reinstalled Thunderbird - Deleted appdata Thunderbird folder to let Thunderbird recreate all data including profiles - Temporarily deactivated Symantec Endpoint Protection to avoid some magic port forwarding
Any ideas? Are there any registry settings that might cause the problem? Any chance to increase debugging level to get more detailed information?
I went back to TB 60.9.1 (using the existing profile) and - tata... - everything works fine again! So the problem must have to do with TB 68.4.1.
In the release notes I read that TB 68 has stricter certificate checks: https://www.thunderbird.net/en-US/thund ... easenotes/
Maybe the problem has to do with it. For now I will have to stay with TB 60...
Seçilmiş Həll
Has you certificate store been changed by an anti virus? security.enterprise_roots.enabled in the config editor set to true.
Does your server support TLS V 1.0 and 1.1 only?
I got an email today advising it is disabled in the 73 beta, I would expect that to show up is Thunderbird 68.5 so it should not yet be an issue.
If you are talking about the distrusting of the Symantec certificates in the V68 release notes (your link is broken) they have been phased out over a long time. and as your certificate is self signed not relevant
Modified
That was it! In TB 60 security.enterprise_roots.enabled was set to false. I updated to TB 68.4.2. and security.enterprise_roots.enabled was modified to true. I changed it back to false, and now e-mails are working as before.
I would not have found this solution. Thank you so much for your help!