"Find more add-ons" in the "Add-ons Manger" not working | Secure connection failed -> Or you can add an exception…
Categories
(Thunderbird :: Add-Ons: General, defect)
Tracking
(Not tracked)
People
(Reporter: stefan.mueller.83, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40
Steps to reproduce:
enter a search expression in "Find more add-ons" in the "Add-ons Manager"
Actual results:
opened a new internal browser tab that shows:
Secure connection failed
When I click on:
Or you can add an exception…
nothing happens.
Error Console throws error 2147942487
Expected results:
a dialogue pops up to allow adding the exception
Comment 1•4 years ago
Is this another instance of a self-signed certificate from an anti-virus program failing OCSP validation? There is a lot of that, and of SMTP servers not supporting a TLS version after 1.1, around at the moment with the 78 update. Both result in errors in the error console and somewhat cryptic inability-to-connect messages (or a dialog that says there is a problem with the certificate but offers no way to identify the actual certificate in question).
Comment 2•4 years ago
I don't think so, this is http and should not be a problem.
But why would one get a security problem for ATN in the first place? (I don't.)
Comment 3•4 years ago
While I mentioned the TLS 1.1 and earlier withdrawal, which is affecting SMTP at the moment, I would see this as most probably a self-signed certificate issued by the anti-virus program at the root of the problem.
Common scenarios are: Thunderbird cannot validate using OCSP, so the connection fails.
The certificate is not trusted by Thunderbird at all, so the connection fails.
The certificate has not been added to the Thunderbird certificate store, as this requires a manual step for many anti-virus products when installed, so the connection fails.
Unless the installer switches Thunderbird to using the more easily manipulated Windows certificate store (Kaspersky) on install.
I have no idea what your system is, Magnus, but in support we spend almost as much time diagnosing dodgy anti-virus products as we spend on Thunderbird.
Details of exactly what the error in the error console is usually offer clues and breadcrumbs, but error codes are meaningless to me.
Reporter
Comment 4•4 years ago
good morning,
let me clarify the situation a bit.
I'm behind a proxy, Zscaler Private Access, which does a certificate swap. If you don't have the Zscaler and company certificates stored, it can cause such issues. Regardless of the installed certificates, I should still be able to add an exception, but no dialogue pops up.
I have just double-checked the existence of the "local" certificates in Thunderbird's certificate manager. They all exist, but I still get that issue. So there is another problem, but I cannot narrow it down, although I think it is related to Zscaler. It might also be the reason why the in-app update is not working (but it does work in Firefox).
Reporter
Comment 5•4 years ago
still exists in 78.2.1 (32-bit)
Comment 6•4 years ago
But have you verified that the use of OCSP is disabled in options? I do not see it if you have.
Thunderbird 78 also updated the minimum acceptable TLS used for encryption. Unless the encryption used is TLS version 1.2 or higher, you do not get any choice in the matter. So my guess is the version of TLS in use is obsolete. At least that is what my wife found with the black box products in her office. Some were still using TLS V1.
Reporter
Comment 7•4 years ago
I reckon you mean the option:
Query OCSP responder servers to confirm the current validity of certificates
I deactivated that option and set
security.tls.version.min = 1
security.tls.version.enable-deprecated = false
without any effect
I still believe that the source of the problem is the internal certificate used by the Zscaler Proxy Server
Comment 8•4 years ago
(In reply to stefan.mueller.83 from comment #7)
I still believe that the source of the problem is the internal certificate used by the Zscaler Proxy Server
Probably, but without the certificate I at least am just guessing. Perhaps attach a couple of screenshots from the certificate viewer for the certificates it is issuing.
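The question in the comment above (which certificate is actually being presented for the add-ons host, and by whom) can be answered without screenshots by pulling the peer certificate and reading its issuer. The following is an added example, not code from this bug or from Thunderbird: it works on the dict that Python's ssl.SSLSocket.getpeercert() returns, the sample certificate below is constructed for illustration (the "Example Corp" issuer names are not real), and the set of corporate CA names passed to classify_issuer() is an assumption you fill in for your own environment.

```python
import socket
import ssl
import sys


def rdn_to_dict(rdn_seq):
    """Flatten the nested RDN tuples used by getpeercert() into {attribute: value}."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def describe_peer_cert(cert):
    """Summarise a getpeercert() dict: whom the cert is for and who issued it."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "subject_cn": subject.get("commonName", ""),
        "sans": sans,
        "issuer_o": issuer.get("organizationName", ""),
        "issuer_cn": issuer.get("commonName", ""),
        "self_signed": bool(subject) and subject == issuer,
        "not_after": cert.get("notAfter", ""),
    }


def classify_issuer(info, corporate_issuers):
    """Return 'self-signed', 'intercepted' or 'public' for a describe_peer_cert() summary.

    corporate_issuers: set of organizationName/commonName strings you expect from your
    own inspection proxy or anti-virus product (an assumption; fill in for your site).
    """
    if info["self_signed"]:
        return "self-signed"
    if info["issuer_o"] in corporate_issuers or info["issuer_cn"] in corporate_issuers:
        return "intercepted"
    return "public"


# Constructed sample of what a TLS-intercepting proxy typically presents for the
# add-ons host. The issuer names are illustrative, not captured from a real connection.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "addons.thunderbird.net"),),),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Corp Intermediate CA"),),
    ),
    "subjectAltName": (("DNS", "addons.thunderbird.net"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: connect with the default trust store and return the verified peer cert.

    Raises ssl.SSLCertVerificationError when the presented chain is not trusted, which is
    the very symptom in this bug; exc.verify_message says why validation failed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "addons.thunderbird.net"
    try:
        info = describe_peer_cert(fetch_peer_cert(host))
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: chain not trusted by this Python's store: {exc.verify_message}")
        print(f"Dump the chain with: openssl s_client -connect {host}:443 -showcerts")
        sys.exit(1)
    print(host, info, classify_issuer(info, {"Example Corp"}))
```

If the live call raises, the chain the proxy presents is not in the trust store Python uses, which on Windows is the system store rather than Thunderbird's own NSS database; if it succeeds, the printed issuer is the CA that has to be imported into Thunderbird's certificate manager as an authority.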
Reporter
Comment 9•4 years ago
I added the certificates as I did for GitLab, Firefox etc. The other apps work well with the added certificates/Authorities.
My guess is, that the internal browser does not use them as other apps do.
Besides this, I should be able to add an exception when the notification appears
Secure connection failed
when I click on
Or you can add an exception…
nothing happens. That should be independent of any certificate issue.
It should rather tell me for what an exception needs to be added, which in turn may tell me what I'm missing.
Reporter
Comment 10•4 years ago
ignore my previous comment
I added the certificates as I did for GitLab, Firefox etc. The other apps work well with the added certificates/Authorities.
My guess is, that the internal browser does not use them as other apps do.
Besides this, I should be able to add an exception when the notification appears
Secure connection failed
when I click on
Or you can add an exception…
nothing happens. That should be independent of any certificate issue.
It should rather tell me for what an exception needs to be added, which in turn may tell me what I'm missing.
Reporter
Comment 11•4 years ago
that bug is about to make Thunderbird useless.
The weird thing is that it worked in previous versions without any hassle!
Reporter
Comment 12•4 years ago
When I switch off Zscaler Client Connector (https://www.zscaler.com/products/zscaler-client-connector), not only disabling the services, Thunderbird does not show any security warning.
So, the problem is strictly related to working behind a reverse proxy.
Reporter
Comment 13•4 years ago
that same issue existed in the past at Firefox, can't you just port the existing code from Firefox?
Comment 14•4 years ago
(In reply to stefan.mueller.83 from comment #13)
that same issue existed in the past at Firefox, can't you just port the existing code from Firefox?
I don't have any expertise here, sorry
Reporter
Comment 16•4 years ago
(In reply to Magnus Melin [:mkmelin] from comment #15)
If you can find what code that is...
you mean me?
I don't have any clue about FF's codebase. All that I can say is that after you add the proxy's certificates, browsing is not a problem. Maybe TB's browser does not include the certificates added to receive and send emails.
Comment 17•4 years ago
(In reply to stefan.mueller.83 from comment #16)
(In reply to Magnus Melin [:mkmelin] from comment #15)
If you can find what code that is [that Firefox had fixed] ...
you mean me?
I don't have any clue about FF's codebase. All that I can say is that after you add the proxy's certificates, browsing is not a problem. Maybe TB's browser does not include the certificates added to receive and send emails.
Honza, do you know of a related issue that Firefox fixed in recent years?
https://mzl.la/3t4YgZ0 lists the open TB bug reports of the last two years regarding proxy.
https://mzl.la/36qJfal lists fixed core bugs of the last two years
Comment 18•3 years ago
I did some tests on this. I installed a man-in-the-middle SSL proxy from Stanford University:
https://crypto.stanford.edu/ssl-mitm/
After activating that proxy in Firefox 88, I could no longer connect to AMO and I was also not given the option to add an exception because the AMO server is using HSTS:
addons.mozilla.org has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
This is actually good.
I was not able to test this with Thunderbird, because the Stanford SSL proxy does not support ECPublicKey, which ATN apparently uses. But from a general security point of view, I highly oppose those certificate manipulations. ATN is the trusted location to download reviewed add-ons, and tampering with the certificate allows injecting malicious add-ons and whatnot. I do not know if there are plans to enable certificate pinning, but that would prevent certificate manipulations once and for all.
If you ask me, this is not a bug in Thunderbird. Not at all. Instead, let connections to addons.thunderbird.net pass through the proxy without breaking up the SSL connection.
Can we close this as invalid?
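The comment above hinges on the HSTS rule from RFC 6797: once a host has been recorded as a Known HSTS Host (from a Strict-Transport-Security header received over a valid TLS connection), the user agent must treat any certificate error for it as fatal and must not offer a click-through exception. The following is an added example, not code from this bug or from Mozilla; it implements a minimal HSTS store, including includeSubDomains matching, expiry and max-age=0 removal, so the reason the "add an exception" link is a no-op for addons.mozilla.org can be seen in code. The header values and hostnames are constructed samples.

```python
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into (max_age, include_subdomains).

    Returns None when max-age is missing or not a number, which RFC 6797 says the UA
    must treat as an invalid header and ignore. Directive names are case-insensitive
    and values may be quoted.
    """
    max_age = None
    include_sub = False
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """A minimal Known HSTS Host store keyed by hostname."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested offline
        self._hosts = {}           # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host, header):
        """Record a header that was received over a *secure*, error-free connection."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the UA to forget the host
            return
        self._hosts[host] = (self._now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, has an unexpired entry."""
        labels = host.lower().rstrip(".").split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:   # exact match, or superdomain covering subdomains
                return True
        return False

    def can_add_exception(self, host):
        """Whether a UA may offer a certificate-error click-through: never for an HSTS host."""
        return not self.is_known(host)
```

With the cache holding an entry for addons.mozilla.org, can_add_exception() is False, which is exactly the "You can't add an exception to visit this site" outcome quoted above; the same logic is what makes the link do nothing rather than open a dialogue.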
Comment 19•3 years ago
Let's close it.