[Regression] Cacert CA certified certificate no longer recognized

I just updated to 16.0.1 and on restart I keep getting the dialog:

  You are about to override how Thunderbird identifies this site.
  ...
  blah, blah
  ...
  Confirm Security Exception

every time TB tries to fetch my mail using POP from sub3.homie.mail.dreamhost.com:955 over SSL/TLS.

I've uninstalled and reinstalled the Dreamhost cert authority, making sure to allow it to identify sites and mail users:

http://wiki.dreamhost.com/NDN_Certificate

But still the mail server cert (which appears to originate with that cert authority cert) is not accepted by TB.

Works fine on 15.0.1. Testing 16.0.1...

I installed 16.0.1 on linux on a test user (so I didn't update, I directly installed) and configured my dreamhost account. I had to confirm the security exception once, but otherwise setting up the account was done actually with email address and password alone. I haven't seen the error you describe using IMAP. I have it all set up. Is there anything else I can test for you guys?

Hi Miquel. It's not IMAP, but rather POP3 that I have a problems with. (Actually, IMAP may be a problem too, but I haven't got as far as trying that just yet.)

Regarding your testing, yes, after accepting the certificate in 16.0.1 you won't be prompted to again. The issue is that you shouldn't be prompted to accept it at all.

Can you try this:

Delete your Thunderbird profile and delete Thunderbird 16.0.1. Install 15.0.1 instead, and install the certificate authority cert as detailed on the wiki page linked to in comment 0. Now create your test email account in Thunderbird and try to check your mail over POP3 with SSL/TLS. Do you get prompted now? If so, accept the certificate. Next, update to 16.0.1 and try checking your email again. Do you get prompted now?

To be clear, what is primarily of interest here is whether a cert that is installed and accepted in a Thunderbird profile in 15 stops being accepted when you install 16 and use it with that same TB account.

From http://wiki.dreamhost.com/NDN_Certificate:

"Not quite standards compliant

Now, however some astute readers have alerted me to the fact that this new certificate isn’t actually X.509 specification compliant. We’re going to stick with it, since it does help a subset of our users, and will consider some alternatives for the future!"

Jwatt could you try with a new profile ?

Hi,
This is not happening to me when upgrading a functional imaps config with dreamhost from Thunderbird 15.0.1 to 16.0.1 with OSX 10.8.2

I wonder if this isn't the same that I reported as https://bugs.launchpad.net/thunderbird/+bug/1066585 Sounds a lot like it, 15 worked fine and 16 drops the ball.

Happening here; the issue is not that I can't work around it with a security exception, but that it should not require a security exception. The remote server is presenting a valid certificate signed by a CA certificate I have installed, there is no security exception to be made. I'm certainly not about to start adding invalid security exceptions!

Have downgraded to 15 to work-around for now.

Can someone chase the regression window for those of you who have and see the issue ?

Created attachment 672204
The certificate confirmation I get

Created attachment 672205
The certificate for which confirmation is requested

I've added screenshots of the confirmation requests I get for the dreamhost certificate. I _do not know_ if this is the problem you are all referring to.

My domain name is mail.miquelmartin.org and I'm using the default SSL support from dreamhost, which means the certificate I get from them has a CN of *.mail.dreamhost.com.

Naturally, mail.miquelmartin.org is not included in *.mail.dreamhost.com, so I rightfully get a "Wrong Site" warning which I have to confirm.

This is _not_ a bug, though. Maybe I'm looking at the wrong stuff.

*.mail.dreamhost.com has md5 as signature algorithm. Maybe OP got hit by https://bugzilla.mozilla.org/show_bug.cgi?id=650355 ?

After change from md5 to sha1 as signature algorithm in my CA certificate, the TB problems with certificates signed by my CA has gone.

Jwatt does it solve it for you too ?

How do I check and change the signature algorithm for an existing certificate?

You can't. CA should reissue certificate with sha1 instead of md5.

#18, thank you for your comment. The first step would be to verify that indeed certificate X uses md5, no? How did you do this in comment #14?

(In reply to Rolf Leggewie from comment #19)
> #18, thank you for your comment. The first step would be to verify that
> indeed certificate X uses md5, no? How did you do this in comment #14?

See bug 802699 comment 2 (https://bugzilla.mozilla.org/show_bug.cgi?id=802699#c2) for the step-by-step instructions for how to do this. Let me know if you have trouble.

bsmith said how you can verify if certificate uses md5 or sha1. Change to sha1 should do the trick and the problem will be solved.

I am still affected by this problem in TB17 and going by #20 the certificate I use is not md5: PKCS #1 SHA-1 With RSA Encryption

Ludovic, how can I provide the information you were requesting?

(In reply to Rolf Leggewie from comment #22)
> I am still affected by this problem in TB17 and going by #20 the certificate
> I use is not md5: PKCS #1 SHA-1 With RSA Encryption
>
> Ludovic, how can I provide the information you were requesting?

for thr regression window see http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-manual-binary-search/

sorry for the delay the email got lost somehow.