Connection to Server not working with SSL/TLS (but works fine with no connection security)
I've been using the same server settings for many years now and recently migrated from Win7 to Win10 (while copying over the Thunderbird profile to keep all the settings), and now the server connection is no longer working, at least as long as the Connection security is set to SSL/TLS (which it has always been in the past). When I attempt to read mail, the status bar says "Connected to [my email server]...", but nothing more happens (it doesn't crash either, i.e., I can keep clicking on other things; it's just that nothing happens, and no mail is read). How can I see where/why it's stuck? BTW: the SSL certificate of my email provider's server is completely OK; I checked this in various ways. If I want to add a certificate exception for the server, Thunderbird tells me that this server has a perfectly good certificate and no exception is needed. Still, it won't do anything after the connection. Thanks!
All Replies (2)
Meanwhile, I was able to locate the problem. To find it, I had to temporarily install a different email client, which was more verbose about problems, and so I found out the following: my virus scanner (AVG) has apparently stopped passing SSL/TLS handshakes through transparently. So what happens is that Thunderbird, when it wants to set up the secured connection, gets a certificate from AVG instead of from the real mail server (and, of course and rightfully so, the AVG certificate is rejected by Thunderbird). I have now switched off email scanning in AVG, and everything works correctly and as before (albeit without my emails being scanned, but I can live with that).
The problem is solved, but I would still like to know how, in this case, I could have found out what exactly Thunderbird "sees" and with what it has a problem; this would have saved me a lot of time debugging.
Chosen Solution
This is a difficult situation. Traditionally Thunderbird has displayed an untrusted certificate dialog. I assumed it still did. But then what is happening is hard to just guess. It could be that AVG has switched to using the Windows certificate store and as a result you don't get an error from Thunderbird.
It could be that the certificate exists in the Thunderbird store but fails the check to see if it has expired or been revoked (Options > Security > Query OCSP responders).
ALL of the anti-virus products that insert certificates insert self-signed garbage that fails all attempts to validate it. If they were to get real certificates, or go through the audit process to become certifying authorities themselves, it would not be such an issue.
But Symantec made such a hash of their time as a certifying authority. See https://www.sslshopper.com/symantec-sells-ca-business-to-digicert.html I doubt any of the other security players, whose monetization strategy for their FREE products is not clear, will be interested in going down that route. Nothing like having your security provider found to be doing the wrong thing to make you trust them.
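The poster asked how they could have seen what Thunderbird "sees", and the answer above raises a second possibility (an interception certificate that the Windows store has been made to trust, so no error appears at all). The following Python 3 script is an added example, not part of this thread and not Thunderbird code; it reproduces both checks against an IMAP/SMTP port using only the standard library. It runs two handshakes: a strict one that verifies the server certificate the way a mail client does and reports OpenSSL's verify code and message instead of silently stalling, and a lenient one that accepts any certificate purely to fetch the leaf and fingerprint it, so it can be compared with a fingerprint recorded from a known good connection. The hostname, port and pinned fingerprint on the command line are placeholders you supply; `diagnose()` is the verdict logic and can be exercised offline.

```python
"""Added example: show what a mail client actually sees on an SSL/TLS port.

Probe 1 ("strict")  verifies like Thunderbird: system trust store + hostname check.
                    On failure it reports OpenSSL's verify code/message.
Probe 2 ("lenient") accepts any certificate, only to fetch the leaf and fingerprint it.
The two results are combined with an optional pinned fingerprint (the SHA-256 of the
certificate the real server is known to present) into one of several verdicts.
"""
import hashlib
import socket
import ssl
import sys


def strict_handshake(host, port, timeout=10):
    """Full verification, as a mail client does it. Returns a dict describing the outcome."""
    ctx = ssl.create_default_context()  # system roots, CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as err:
        # Typical values: 18 "self signed certificate", 20 "unable to get local issuer certificate"
        return {"ok": False, "verify_code": err.verify_code, "verify_message": err.verify_message}
    except (ssl.SSLError, OSError) as err:
        return {"ok": False, "verify_code": None, "verify_message": str(err)}


def fetch_leaf_der(host, port, timeout=10):
    """Handshake WITHOUT verification, only to retrieve the presented leaf certificate (DER)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, same layout as 'openssl x509 -fingerprint -sha256'."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def diagnose(strict, observed_fp, expected_fp):
    """Combine both probes into a (verdict, explanation) pair.

    expected_fp is the fingerprint of the certificate the real server presents,
    recorded from a known good connection; None means no pin is available.
    """
    same_cert = expected_fp is not None and observed_fp.upper() == expected_fp.upper()
    if strict["ok"]:
        if expected_fp is None or same_cert:
            return "ok", "trusted certificate" + (", matches pin" if same_cert else "")
        # Verified, yet not the server's own leaf: a renewal, or an interception CA that
        # has been imported into this machine's trust store (the case the answer above describes).
        return ("trusted-but-different",
                "handshake verified but the leaf is not the pinned one: renewed server "
                "certificate, or an interception CA trusted by this machine's store")
    failure = f"verify_code={strict['verify_code']} ({strict['verify_message']})"
    if expected_fp is None:
        return "untrusted-no-pin", "verification failed; without a pin, inspect the fetched leaf: " + failure
    if same_cert:
        return ("local-trust-problem",
                "the real server certificate was presented but failed locally "
                "(missing root, clock, revocation check): " + failure)
    # Untrusted AND not the server's certificate: something between client and server
    # (AV mail scanner, proxy, or an attacker) replaced it.
    return "intercepted-or-mitm", "an untrusted certificate that is NOT the server's was presented: " + failure


def probe(host, port, expected_fp=None):
    """Run both probes and return everything a practitioner would want to look at."""
    strict = strict_handshake(host, port)
    der = fetch_leaf_der(host, port)
    fp = sha256_fingerprint(der)
    verdict, detail = diagnose(strict, fp, expected_fp)
    return {"strict": strict, "fingerprint": fp, "verdict": verdict, "detail": detail, "der": der}


if __name__ == "__main__":
    # usage: python tls_probe.py mail.example.com 993 [AA:BB:...pinned SHA-256...]   (placeholders)
    host, port = sys.argv[1], int(sys.argv[2])
    pin = sys.argv[3] if len(sys.argv) > 3 else None
    result = probe(host, port, pin)
    with open("leaf.der", "wb") as fh:  # keep the presented leaf for inspection
        fh.write(result.pop("der"))
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the situation the poster describes, the strict probe fails and the lenient probe's fingerprint does not match the pinned one, so the verdict is "intercepted-or-mitm"; the saved leaf can then be inspected with `openssl x509 -inform DER -in leaf.der -noout -issuer -subject`, which names the intercepting product as issuer. If the scanner's root has been added to the Windows store, the strict probe succeeds and only the fingerprint comparison ("trusted-but-different") reveals the substitution, which is why recording the real server's fingerprint from a clean connection is the useful first step.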