Digital Signatures are maked as not valid in TB 115.1.0 (64-bit) Windows
In TB 115.1.0 (64-bit) on Windows digital signature are maked as not valid for an unknown reason. This happens at least with emails send from Outlook clients. In TB 102.14.0 (64-bit) on Windows this digital signatures were shown as valid. However, digitsal signatures of emails send from other clients (e.g. Thunderbird, Nine from 9folders) are shown as valid.
Soluzione scelta
Slightly more updated info at https://blog.thunderbird.net/2023/10/thunderbird-115-and-signatures-using-the-obsolete-sha-1-algorithm/
Basically can still accept SHA-1 signatures if you have to by setting mail.smime.accept_insecure_sha1_message_signatures to true in the Config Editor.
Would be nice if we could still see the signer's certificate as we can with all other signature errors (e.g. changed content by an intermediate server, sender address mismatch, etc) but that would be a bug report.
Leggere questa risposta nel contesto 👍 0Tutte le risposte (8)
I have to wonder if it is the email that is not valid as per the discussion here https://thunderbird.topicbox.com/groups/e2ee/T73970314d54cdfdb-Me264daf5de25d4c964ff3462
The send and received emails are exactly the same (despite the additional headers" Received: from ...). My issues is with validating the signature of receiving emails.
It looks like you're having an issue with digital signatures not being recognized as valid in Thunderbird 115.1.0 on Windows, especially with emails sent from Outlook clients. It's great that you've noticed this change from Thunderbird 102.14.0. This could be due to changes in how digital signatures are handled in the newer version. To troubleshoot, try checking Thunderbird's security settings and ensure that any required certificates are installed and up-to-date. Remember, digital signature verification involves a complex process, so a little digging might be needed to pinpoint the issue.
The certificates are installed and up-to-date and the security settings are the same on both versions. In the meantime I tried with an encrypted message which I sent to myself. Decrypting worked, but the error message for the signature now says that "The messge was signed using an encryption strength that this version of your software does not support."
I use an RSA key with key size 2048, signature algorithm SHA-256 with RSA Encryption Version 3.
Is there anything related in the Error Console (CTRL-Shift-J)?
The error console shows only some warnings about ignored declarations like "mso-style-type" etc.
I did some further testing with the hash algorithms in Outlook and I saw that the signatures of emails using SHA-256, SHA-384 and SHA-512 for singing are validated by Thunderbird 115.1.0.
The problem exists only for signatures when Outlook uses the SHA-1 for signing, which unfortunately seems to be the default.
The problem exists only for signatures when Outlook uses the SHA-1 for signing, ...
... which unfortunately seems to be the default.
I don't know whether SHA-1 signatures are the default for Outlook, but it's certainly configurable. Having said that, I do find Outlooks S/MIME handling very weird to say the least. And it often does not find a recipients certificate for encryption, even though it's clearly there.
Soluzione scelta
Slightly more updated info at https://blog.thunderbird.net/2023/10/thunderbird-115-and-signatures-using-the-obsolete-sha-1-algorithm/
Basically can still accept SHA-1 signatures if you have to by setting mail.smime.accept_insecure_sha1_message_signatures to true in the Config Editor.
Would be nice if we could still see the signer's certificate as we can with all other signature errors (e.g. changed content by an intermediate server, sender address mismatch, etc) but that would be a bug report.
Modificato da velosol il