Closed Bug 221552 Opened 21 years ago Closed 17 years ago

'Accept this certificate permanently' does not work - [ok] redisplays the same dialog. 'this session only' works

Categories

(Thunderbird :: Mail Window Front End, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: vda, Assigned: mscott)

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3) Gecko/20030312
Build Identifier:
When I hit the "Get Mail" button, Tbird says that it can't verify the server's cert with a known trusted authority. That's OK since it is a self-signed one. I want to accept it permanently. So:
* Accept this certificate permanently
* Accept this certificate for this session only
* Do not accept and do not connect
I choose the first one. Press [OK]. The dialog disappears and appears again. The second choice works.
Reproducible: Always
Steps to Reproduce:
Expected Results: Tbird should remember the cert and not ask me again unless it sees the cert suddenly change under us.
any JS errors in the console when this happens?
Be sure that your certificate is not expired...
>any JS errors in the console when this happens?
Will check that...
>Be sure that your certificate is not expired...
It is not. Anyway, Thunderbird does not say anything like that. It just redisplays the dialog with three choices again.
I find the same bug on Linux: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 I created the cert myself just to pull email over SSL so verification with a known trusted authority fails.
I see no errors in JS console, but anyway this also happens in Mozilla MailNews
OS: Windows NT → All
I have this bug on two different Windows XP machines and one Linux Gentoo.
Thunderbird version 0.6 (20040502); Mac OS 10.2.8
I can confirm this bug on the Mac. SSL certificate has not expired; trying to accept it permanently does not generate an error in the JavaScript Console. The wording of the options on the Mac is
* Accept this certificate permanently
* Accept this certificate temporarily for this session
* Do not accept this certificate and do not connect to this Web site.
The second option is selected by default. Selecting the first option dismisses the dialog, but the dialog then immediately reappears with the second option selected.
Possibly related bug: Bug 225849
"Accept this certificate permanently" now works for me on Thunderbird 0.7 (20040616) under Mac OS 10.2.8.
Firefox-0.9.1 on Windows. Similar problem with accepting certs for https sites still exists.
are you guys using fips mode?
Hmm. What is fips mode?
Federal Information Processing Standard (FIPS). In this mode the cryptographic operations are performed according to the rules of the FIPS 140-2 certification standard. See: http://www.developer.thamizha.com/mozilla/helpfiles/using_certs_help.html#using_certs_devices_fips
I can confirm this on Thunderbird version 0.8 (20040913) on Mac OS X 10.3.5. Having no master password set will cause Thunderbird to always ask you to accept the certificate every time it checks for mail if the server's certificate has not expired and is not from a trusted authority (e.g., self-signed). Setting a master password seems to cause Thunderbird to confirm usage of the certificate less often during a session, although you are still prompted from time to time (seems random). I'm not running in FIPS mode either.
Same bug on Mozilla Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041020 I can't accept the certificate permanently on both POP over SSL and HTTPS. I can't either import it manually using the certificate manager.
an example of this (with Suite 1.7.2) one can find on: mail.zst.edu.pl smtps and pop3s You can test it probably, because afaik login/pass is checked after SSL synchronization.
Attached image cert name mismatch dialog (obsolete) (deleted) —
I'm using version 1.0 and I have had to turn off security for my SMTP connection as there appears to be no way to say "always accept this certificate". The screen dump shows why I cannot get the ISP to change his cert. There is one cert. for the mailbox, but each subscriber is given a virtual domain. I'd like to be able to say "yeah, this one but no others". As it is, I've had to turn off security altogether.
(In reply to comment #17)
> Created an attachment (id=170910)
> no option to say "always accept this cert."
>
> I'm using version 1.0 and I have had to turn off security for my SMTP connection
> as there appears to be no way to say "always accept this certificate". [...]
That issue is Bug 255025, not this one here.
*** Bug 247476 has been marked as a duplicate of this bug. ***
Blocks: 307977
This bug doesn't disclose whether the server was an IMAP/SSL or POP3/SSL server. I'm guessing that it's POP3/SSL, partly because bug 247476 used POP3/SSL and is marked as a duplicate of this bug.
Assuming that the problem was with POP3/SSL, please do this diagnostic test. This is a diagnostic test, intended to help us diagnose the issue. It's not intended to be a solution, but it might prove to be an OK short-term workaround for brave power users.
Using FireFox, visit this URL: https://pop.your.isp:995/ (use your own POP3/SSL server's DNS name in that URL, but use port 995). You'll see the familiar cert verification error dialogs. When you come to the dialog that lets you choose to accept the cert permanently or for this session, tell it to accept the cert permanently. Wait a bit (the page will appear to be continuously loading), and then stop the page loading, and cleanly shut down FireFox. Shut down TBird, too. They both have to be shut down during the following steps.
Now, go into TBird's profile directory and make a backup copy of the file cert8.db. Copy it somewhere else for safe keeping. Then copy the file cert8.db from FireFox's profile directory to TBird's profile directory, replacing TBird's original cert8.db (which you've already copied for safe keeping, right?) and restart TBird. Then try the POP3/SSL connection again. Maybe it'll be better then. Please let us know the outcome of that experiment.
If things go awry, shut down TBird again, and put back TBird's original cert8.db file (the one you copied for safe keeping). Then it should go back to acting as it did before.
Hi, I have exactly the same described problem with IMAP/SSL. I have done the test you want us to do. I just changed the port to 993 when I was connecting to my ISP with Firefox (Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.12) Gecko/20051022 Firefox/1.0.7). In fact the certificate I had to accept is outdated by one week (ha the admins... :p) so I also had to click [OK] one time first. Then I successfully accepted my certificate permanently. Then I had a page with some errors: the server expected IMAP requests. Then I did the cert8.db file copy. I reopened my Thunderbird (version 1.0.7 (20051021)). Thunderbird warned me that the certificate is outdated (that's normal), I clicked OK, and that's all; I didn't have to accept the certificate. Going to the preferences on the certificates, I can see my Firefox's accepted certificate. Hope I helped you.
In comment 21, you got a different error message, but you still had to do a security override. I think the test would have to be done with an unexpired cert to be conclusive. But thanks for trying.
My admin has updated the certificate, so thunderbird doesn't alert about an outdated certificate, but it still doesn't accept permanently the certificate. So I have redone the test you requested. I have returned to the initial state by restoring the saved cert8.db. And it works : with the new firefox's cert8.db, Thunderbird doesn't request anything while opening my imap folders.
Thunderbird 1.5.0.4 is interrupting my work all the time. It is BUGGING me BUGGING me BUGGING me... I had the same problem with previous versions and I have been desperately waiting for this OBVIOUS bug to get fixed, but today I see that this bug was opened last year with many people having the problem (I've seen many duplicates of this bug and other bugs reported here for the same problem). I have 6 POP (SSL) accounts, with an automatic check every 4 minutes. So about every few minutes I get an annoying POPUP window to confirm an expired certificate (there is 1) or untrusted certificates or I don't know what. I am a simple USER. This is above my head. I only want to be able to work normally without being interrupted every 2 minutes. This has been going on for months now. If this does not change it will end with me going BUG BUG BUG BUG BUG MAD MAD MAD (sorry, I have been upset by this every day for months now). Please, PLEASE, fix this. Thank you in advance.
Thunderbird version 1.5.0.2 (20060308) and 1.5.0.4 (20060530); Mac OS 10.3.9. WFM with above versions in my existing profiles and in a fresh profile. Could the people who are still seeing this bug please try to reproduce it in a fresh profile? Anyone who can reproduce this bug in a fresh profile, please add a comment with the protocol (POP or IMAP), server name and security settings of the problematic server(s), as well as any other preferences set, so that someone else can try to reproduce - and hopefully debug - the problem by initiating an SSL connection to that server?
Comment on attachment 170910 cert name mismatch dialog
Folks, there are (at least) 3 separate certificate validity tests that have separate manual user overrides. They include
a) cert validity dates (expiration) (bug 92410)
b) cert heritage (issuer unknown or untrusted, and usage restriction extensions) (this bug)
c) cert/host name mismatch (bug 228684)
There are separate bugs for each of them. Please don't mix them up. If you add a comment, be sure you add it to the bug that describes the specific issue you have.
Also, although the NSS code is common to FireFox and Thunderbird, the handling of these errors and their overrides is NOT. So, it's important to keep FireFox (browser) certificate UI issues separated from Thunderbird (email) certificate UI issues. I think we'll be coming up with solutions for these pretty soon, and they'll be radically different for browsing than for email. Thanks.
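The three independent checks listed in the comment above, with a permanent override bound to one certificate on one host and port, as an added example (not Thunderbird or NSS code). The `OverrideStore` class, the fingerprint strings and the `example.test` names are constructed for illustration, and issuer trust is simplified to a name lookup.

```python
import ssl

# One error class per override type listed in the comment above.
EXPIRED, UNTRUSTED, MISMATCH = "expired", "untrusted-issuer", "name-mismatch"

def cert_errors(cert, host, now, trusted_issuers):
    """Classify failures for a cert dict shaped like ssl.SSLSocket.getpeercert().

    Assumption: issuer trust is a plain name lookup; real validation
    builds and verifies a signature chain.
    """
    errors = set()
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        errors.add(EXPIRED)
    if cert["issuer"] not in trusted_issuers:  # self-signed certs land here
        errors.add(UNTRUSTED)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject common name
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if host.lower() not in [n.lower() for n in names]:  # exact match, no wildcards
        errors.add(MISMATCH)
    return errors

class OverrideStore:
    """Hypothetical permanent-exception store: one entry per (host, port)."""
    def __init__(self):
        self.entries = {}

    def remember(self, host, port, fingerprint, errors):
        self.entries[(host, port)] = (fingerprint, frozenset(errors))

    def allows(self, host, port, fingerprint, errors):
        saved = self.entries.get((host, port))
        # Valid only for the same certificate and the failures already accepted.
        return saved is not None and saved[0] == fingerprint and set(errors) <= saved[1]

# Constructed sample: self-signed cert issued to www.example.test.
SAMPLE = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "www.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2009 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2008 GMT")

if __name__ == "__main__":
    found = cert_errors(SAMPLE, "hs1.example.test", NOW, trusted_issuers=set())
    store = OverrideStore()
    store.remember("hs1.example.test", 995, "sha256:constructed-a", found)
    print(sorted(found), store.allows("hs1.example.test", 995, "sha256:constructed-b", found))
```

Because the stored entry records both the fingerprint and the accepted error classes, a replaced certificate or a newly expired one prompts again instead of being silently accepted.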
Attachment #170910 - Attachment description: no option to say "always accept this cert." → cert name mismatch dialog
Attachment #170910 - Attachment is obsolete: true
I can confirm this bug too... It all worked fine in Thunderbird 1.5 but went haywire as soon as I upgraded to 2.0.0.0. I just downloaded/installed it yesterday and has been bugging me ever since. As a workaround, I disabled the secure connection for now, but, ideally, the bug should be fixed so I can get my mail via SSL. I am using IMAP/SSL and am on WinXP SP2. Incidentally, I have never run into this bug on Firefox (and I connect to WHM/CPanel on the same server with the self-signed certificate all the time...); it's only been ever Thunderbird that causes problems.
QA Contact: front-end
What is also annoying: the POP3-server hs1.domain.com has the certificate from www.domain.com (which is not correct - a problem of the provider). Every time TB fetches mail with SSL (i.e. every 10 minutes), I have to confirm that I want the connection.
Yes same problem here. I have several email accounts; about 3 of them bug me every couple minutes. What is happening with thunderbird ? Years are passing by, but thunderbird still is such a frustrating application (due to such a small problem). Is there any hope we might ever see an "Accept this certificate without bugging me again about it" ? Thanks.
I recently started suffering from the "cannot accept cert permanently but only for this session works fine" bug after an (unrelated) OS wipe / reinstall. Previously it did not happen, but I can't think of anything I set up differently after the reinstall vs the initial install. I access two independent accounts using IMAP SSL that both exhibit the bug. I also use Thunderbird on an XP box, accessing the same set of accounts, and it is not exhibiting the bug -- is there something specific I can compare between these two installations to help diagnose the cause of this problem?
I am using Thunderbird version 2.0.0.13pre (20080226) on OS X (Leopard). My ISP has the POPS3 certificate made out to "localhost". This is fine from my point of view because they host many e-mail domains, and it would be prohibitively expensive to get real certificates for each mail client. But, there is NO "accept this certificate permanently" option in my dialog boxes. I can view it or click OK. As a result, I get this alert every time I check my mail, even in the same session, and this has become totally annoying.
It's all different for tb3.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
I don't see how this is a duplicate of 230937. The problem is that the "Accept this certificate permanently" option never works (pops up the same dialog over and over again). For me this happens with every single SSL account I use (not just the locally signed ones). This problem is still unresolved after installing an upgrade that was released today.
Bryan: Magnus talked about TB3, not about the TB2 security update. Bugzilla is mostly for active development (as in trunk, beta versions, etc.).
Ok. Still, while I see that the recent comment from James is clearly a dupe of 230937, the original content of this bug describes a different problem. I don't see the warning from the other bug.
Yes, the original bug may have been a bit different. Doesn't really matter though as the handling of such situations is very different on trunk. (Atm you have to really jump through hoops to accept any mis-matching/self-signed cert.) xref bug 399174. Marking WFM instead.
Resolution: DUPLICATE → WORKSFORME
After going through the comments trail I am somewhat disappointed with the Mozilla team on this. The trail starts in 2003!!! 5 years should be enough time to permanently fix something as important as this. One of the reasons I use Mozilla Thunderbird and Firefox is the presumably better security. But this bug has annoyed me so much that I am now considering moving back to good old Microsoft!
I agree that this should be a blocker for the release of 2.0. I am annoyed dozens of times a day because my ISP uses a self-signed cert for the IMAPS server, and I have no means to accept this cert permanently.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Tim van Dijen sent an email suggesting an add-on called "Remember mismatched domain". Meanwhile I found another solution. I discovered that my Linux Thunderbird (which I had not used for quite a while) did not have this problem on the same laptop. I use a dual boot system with WinXP and SuSe10.3 using a common mail directory. So I copied the following files from my Linux Thunderbird profile to the Windows profile directory: cert.db key3.db secmod.db Lo and behold!! The problem disappeared in WinXP. I am not sure if one needs to copy all the 3 - leave it to the Mozilla team to figure out :)
Please reread comment 37, this is nothing that will get fixed for the 2.0 releases, and the bug report as such makes no sense for trunk (3.0) builds.
Status: REOPENED → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
You should mark it "won't fix" since it does NOT work.
The handling of certificate "security exceptions" has been completely reworked on the trunk for FF3. Most of the historic complaints about permanent overrides for cert errors are now resolved for FF3. However, these changes require UI work (IINM) that has not yet been done (IINM) for TBird on trunk. The trunk version of TBird and SM should both catch up with FF3 before they are released. If there's no other bug to track that work, then I'd nominate this bug for that honor. :)
To keep the focus I created a new bug for that - bug 429843.