TLS handshake: Bad certificate - how to solve?
Hi, I try to access my email on IMAP mail server running Dovecot v2.3.7.2. It works just fine with any other email client I have tried such as Outlook, Bluemail, Claws, ...
However, when accessing the my email through Thunderbird, it just says "Connecting to... " in the bottom status bar and nothing ever happens - I do not get an error message or any other kind of status update.
In dovecot's mail.log I get these error messages though:
Nov 21 07:55:21 hostxyz dovecot: master: Dovecot v2.3.7.2 (3c910f64b) starting up for imap (core dumps disabled) Nov 21 08:03:46 hostxyz dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.0.0.2, lip=192.168.0.120, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<Kt6V8kfRD4EKAAAC>
Note that there is a valid non-self-signed server side certificate installed on the mail server. As I don't have a problem accessing email through other clients I assume that something is wrong with my configuration of Thunderbird. Could you please highlight how to configure Thunderbird to make it work again?
Krejt Përgjigjet (7)
Hallo, may be you have to import the servers certificate into your Thunderbird or you have to declare an exception. Options -> Safety -> Certificates
I also have this problem with a CA, server cert, client cert and Dovecot I have generated them using xca and can post the certs and keys if required.
I'm happy to try anything - even nightlys :)
You can't import a certificate into server certificate tab without calling a server.
For the client to fail like this without a word is frustrating - because you have to debug the server to find out what was wrong with Thunderbird.
I tried imap:server:993 in the location box - but it won't load it. and you can't upload one manually into that dialog box.
You can only import your own certificates/keys and CA certificates.
Seamonkey seem worked and Fairmail(Android) works.
ii dovecot-core 1:2.3.4.1-5+deb10u6 amd64 secure POP3/IMAP server - core files
Thunderbird 91.6.0 (64-bit
Using dovecot ssl_min_protocol = TLSv1.2 and all other default.
Debug: SSL: where=0x10, ret=1: before SSL initialization Debug: SSL: where=0x2001, ret=1: before SSL initialization Debug: SSL: where=0x2002, ret=-1: before SSL initialization Debug: SSL: where=0x2001, ret=1: before SSL initialization Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate request Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Debug: SSL: where=0x10, ret=1: before SSL initialization Debug: SSL: where=0x2001, ret=1: before SSL initialization Debug: SSL: where=0x2002, ret=-1: before SSL initialization Debug: SSL: where=0x2001, ret=1: before SSL initialization Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate request Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate Debug: SSL: where=0x2002, ret=-1: error Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Disconnected (no auth attempts in 1 secs): user=<>, rip=10.8.0.10, lip=10.8.0.1, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<Bbx/lCzYvIYKCAAK>
Is there anything related in the TB error console (Ctrl-Shift-J)?
Ok - I finnally found a log mechanism - https://searchfox.org/comm-central/search?q=LazyLogModule
export MOZ_LOG_FILE=/tmp/imap.log export MOZ_LOG=pipnss:5
And snarfed the log - but I can't upload it so I'll just paste it in here.
Arrrh -- Ensure this value has at most 10000 characters (it has 10081). :)
[Parent 1229825: Main Thread]: D/pipnss nsNSSComponent::ctor [Parent 1229825: Main Thread]: D/pipnss Beginning NSS initialization [Parent 1229825: Main Thread]: D/pipnss nsNSSComponent::InitializeNSS [Parent 1229825: Main Thread]: D/pipnss NSS Initialization beginning [Parent 1229825: Main Thread]: D/pipnss NSS profile at '/home/wozza/.thunderbird/uqeiznj0.default' [Parent 1229825: Main Thread]: D/pipnss not setting NSS_SDB_USE_CACHE [Parent 1229825: Main Thread]: D/pipnss inSafeMode: 0 [Parent 1229825: Main Thread]: D/pipnss initialized NSS in r/w mode [Parent 1229825: Main Thread]: D/pipnss NSS Initialization done [Parent 1229825: Main Thread]: D/pipnss nsNSSComponent: adding observers [Parent 1229825: Main Thread]: D/pipnss nsNSSComponent::MaybeEnableIntermediatePreloadingHealer [Parent 1229825: StreamTrans #1]: D/pipnss loaded CKBI from /usr/lib/x86_64-linux-gnu [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfb910] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304) [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfb910] Socket set up [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfb910] connecting SSL socket [Parent 1229825: Socket Thread]: E/pipnss [7fb8b9bfb910] Lower layer connect error: -5934 [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbdf0] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304) [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbdf0] Socket set up [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbdf0] connecting SSL socket [Parent 1229825: Socket Thread]: E/pipnss [7fb8b9bfbdf0] Lower layer connect error: -5934 [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304) [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] Socket set up [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] connecting SSL socket [Parent 1229825: Socket Thread]: E/pipnss [7fb8ccb89550] Lower layer connect error: -5934 [Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfbdf0] read -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] read -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89400] starting AuthCertificateHook [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89400] starting AuthCertificateHookInternal [Parent 1229825: SSL Cert #1]: D/pipnss [7fb8ccb89400] SSLServerCertVerificationJob::Run [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] polling SSL socket during certificate verification using lower 5 [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] polling SSL socket during certificate verification using lower 6 [Parent 1229825: Socket Thread]: D/pipnss AuthCertificate setting NEW cert 7fb8b28e6e20 [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89400] HandshakeCallback: succeeded using TLS version range (0x0301,0x0304) [Parent 1229825: Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] nsNSSSocketInfo::NoteTimeUntilReady [Parent 1229825: Socket Thread]: D/pipnss [7fb8ccb89550] nsNSSSocketInfo::SetHandshakeCompleted [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] wrote 137 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] read -1 bytes [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbc10] starting AuthCertificateHook [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbc10] starting AuthCertificateHookInternal [Parent 1229825: SSL Cert #1]: D/pipnss [7fb8b9bfbc10] SSLServerCertVerificationJob::Run [Parent 1229825: SSL Cert #1]: D/pipnss [0x7fb8b9bfbc10] Certificate error was not overridden [Parent 1229825: Main Thread]: D/pipnss FindClientCertificatesWithPrivateKeys [Parent 1229825: Main Thread]: D/pipnss module 'NSS Internal PKCS #11 Module' [Parent 1229825: Main Thread]: D/pipnss slot 'NSS Internal Cryptographic Services' [Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot) [Parent 1229825: Main Thread]: D/pipnss slot 'NSS User Private Key and Certificate Services' [Parent 1229825: Main Thread]: D/pipnss (looking at internal slot) [Parent 1229825: Main Thread]: D/pipnss provisionally adding '[email protected],CN=warrenc5' [Parent 1229825: Main Thread]: D/pipnss module 'Builtin Roots Module' [Parent 1229825: Main Thread]: D/pipnss slot 'NSS Builtin Objects' [Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot) [Parent 1229825: Main Thread]: D/pipnss returning: [Parent 1229825: Main Thread]: D/pipnss [email protected],CN=warrenc5 [Parent 1229825: Main Thread]: D/pipnss keeping cert '[email protected],CN=warrenc5' [Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] read -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] polling SSL socket during certificate verification using lower 5 [Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfb910] polling SSL socket during certificate verification using lower 5 [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbe20] starting AuthCertificateHook [Parent 1229825: Socket Thread]: D/pipnss [7fb8b9bfbe20] starting AuthCertificateHookInternal [Parent 1229825: SSL Cert #1]: D/pipnss [7fb8b9bfbe20] SSLServerCertVerificationJob::Run [Parent 1229825: SSL Cert #1]: D/pipnss [0x7fb8b9bfbe20] Certificate error was not overridden [Parent 1229825: Main Thread]: D/pipnss FindClientCertificatesWithPrivateKeys [Parent 1229825: Main Thread]: D/pipnss module 'NSS Internal PKCS #11 Module' [Parent 1229825: Main Thread]: D/pipnss slot 'NSS Internal Cryptographic Services' [Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot) [Parent 1229825: Main Thread]: D/pipnss slot 'NSS User Private Key and Certificate Services' [Parent 1229825: Main Thread]: D/pipnss (looking at internal slot) [Parent 1229825: Main Thread]: D/pipnss provisionally adding '[email protected],CN=warrenc5' [Parent 1229825: Main Thread]: D/pipnss module 'Builtin Roots Module' [Parent 1229825: Main Thread]: D/pipnss slot 'NSS Builtin Objects' [Parent 1229825: Main Thread]: D/pipnss (looking at non-internal slot) [Parent 1229825: Main Thread]: D/pipnss returning: [Parent 1229825: Main Thread]: D/pipnss [email protected],CN=warrenc5 [Parent 1229825: Main Thread]: D/pipnss keeping cert '[email protected],CN=warrenc5' [Parent 1229825: Socket Thread]: V/pipnss [7fb8b9bfbdf0] read -1 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read 140 bytes [Parent 1229825: Socket Thread]: V/pipnss [7fb8ccb89550] read 197 bytes [Parent 1229825: Socket Thread
Digging a little deeper to try and get the CertificateVerify result from TB but cant.
is 42 error that dovecot reports this error code here?
https://searchfox.org/mozilla-central/source/security/nss/lib/mozpkix/include/pkix/Result.h#88
MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, SSL_ERROR_BAD_CERT_DOMAIN)
So to follow up - I got it working by getting the certificate in the certificate manager through the https server I set up (apache - default ssl)
Then manually editing the overrides file ~/.thunderbird/uqeiznj0.default/cert_override.txt and changing the first field from www.itcl.com.au:443 to mail.itcl.com.au:993
It would just be a lot easier to add an exception with the certificate file in the user interface.
I will further investigate how to manually construct this file from the raw certificate details ...
Then you can just write your own exceptions.