Client TLS certificate
I have added a certificate to the Thunderbird Certificate Manager (localcert.png), with the info as shown in certdetails.png. However, Thunderbird is not sending the certificate. I have "When a server requests my personal certificate" set to "Ask me every time". I also tried choosing "Select one automatically" but that did not change the result.
However, my mail server, which uses TLS client certificates as one factor in sender authentication says: May 27 02:00:05 Mercury2 smtpd[9850]: b972fe936721dfe0 smtp disconnected reason="io-error: handshake failed: error:0A0000C7:SSL routines::peer did not return a certificate"
What am I doing wrong in the config that is causing Thunderbird to not send the certificate?
Details of SW in use: OS Ubuntu 24.04.2 LTS Mail server OpenSMTPD opensmtpd-7.6.0,1 on FreeBSD Thunderbird 128.10.2esr (64-bit) installed from snap $ snap info thunderbird name: thunderbird summary: Mozilla Thunderbird email application publisher: Canonical✓ store-url: https://snapcraft.io/thunderbird contact: https://www.thunderbird.net/contact/ license: unset description: |
Thunderbird is a free email application that’s easy to set up and customize - and it’s loaded with great features!
commands:
- thunderbird
snap-id: k1Ml1O9GzSO2QftV0ZlWSbUfQ78nN460 tracking: latest/stable refresh-date: 3 days ago, at 10:48 MDT channels:
latest/stable: 128.10.2esr-1 2025-05-23 (734) 220MB - latest/candidate: 128.11.0esr-1 2025-05-23 (735) 220MB - latest/beta: 139.0b4-2 2025-05-20 (731) 236MB - latest/edge: ↑
installed: 128.10.2esr-1 (734) 220MB -
All Replies (9)
What did you select as 'Authentication method' in your Account Settings? My best guess would be it should be set to 'TLS Certificate'.
It is not an option for sending mail. See attached authoptions.png. That is a problem to deal with later; one at a time.
For reading, I have selected SSL/TLS and Certificate (see fetchconfig.png). For "When a server requests my personal certificate:", I have selected "Select one automatically". However, dovecot on the server says: May 30 16:27:57 Server dovecot[19451]: imap-login: Disconnected: Connection closed (client didn't send a cert): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, TLS, session=<raSZ5Vw2zrLGMdl5>
When I use OpenSSL with s_client and the same certificate that is in Thunderbird, it connects OK and I can talk to the IMAP server.
Thanks for any advice. Kenneth
Frankly, I don't know. I don't know of any email provider offering certificate based authentication either.
Update. Reading works fine on my Android K-9 mail app.
I have sending mail using the certificate working for both Thunderbird and K-9.
Daily build in a clean directory still gives this error for reading: May 31 15:58:18 Mercury2 dovecot[2685]: imap-login: Disconnected: Connection closed (client didn't send a cert): user=<>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS, session=<wy9XmXA2VLvGMdkF>
It did ask me for a certificate to use, but apparently did not send it based on the error.
I will report a bug.
I added the cert to Firefox. I set up a server on port 8080 using the mail server's certificate: openssl s_server -port 8080 -4 -cert server.cert.pem -key server.key.pem -verifyCAfile ../certs/ca.cert.pem -chainCAfile /tmp/ca-chain.cert.pem -crlf -Verify 2 -www Firefox connects, properly sends the certificate, and the client cert is validated OK on the server.
I tried connecting to port 993 on the mail server using Firefox, but (sanely), it will not let me.
So, this appears to be something different between Thunderbird and Firefox, which is odd. I would have expected them to use the same TLS and certificate code.
Yeah, raising a bug in Bugzilla probably is your best bet. If you do so, please post the bug ID here.
Modified by christ1
Bug does not appear in Thunderbird Daily 141.0a1 (2025-05-31) (64-bit) I have to use the "Normal Password" option with the certificate loaded.
You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.