Thunderbird and OCSP error with Comodo cert

[Guest]

[gtmikey]

I'm the guy who got his free e-mail certificates from Comodo and installed them in OE and Thunderbird and THEN got SecureEmail.  To be honest, I pretty much have SecureEmail turned off and use the certificate functions in Thunderbird and Firefox directly.  As I correspond with many people who use webmail such as Hotmail and Yahoo, the SecureEmail one time encryption function to people without their own X.509 certificates is not useful.  To the problem!

I recently turned on the OCSP function in Thunderbird version 2.0.0.18 (20081105) for Windows (W2K Pro).  This version of Thunderbird and Firefox version 3.0.5 share the certificate store.  By turning on OCSP I mean I selected the "Use OCSP to validate only certificates the specify an OCSP service URL".  When trying to send an e-mail to a friend who also has a Comodo free e-mail certificate obtained without SecureEmail, I get the error that an OCSP failure has occurred and the certificate could not be validated.  I strongly suspect this is a Thunderbird issue but so far I have not been able to find a report of this issue on line.  As Comodo's support is excellent, I started my in depth search here.

I have attached screen shots of the two error messages.

The error message does not make it clear which or both certificates cannot be validated.  Both certificates show this value in the Authority Information Access Extension OCSP: URI: http://ocsp.comodoca.com.  My certificate was issued with a not valid before date 2008-10-13 00:00:00 AM GMT and my friend's has 2008-10-22 00:00:00 AM GMT for that value. 

BTW Greenwich Mean Time has been replaced with Universal Coordinated Time and AM/PM is meaningless in 24 hour time indicators such as my local time indication for not valid before of 2008-10-12 17:00:00 PM.

[gordon2008]

Hi,

Please submit the ticket in the following link
http://support.comodo.com/index.php?_m=tickets&_a=submit

[BigMike]

I recently turned on the OCSP function in Thunderbird version 2.0.0.18 (20081105) for Windows (W2K Pro).  This version of Thunderbird and Firefox version 3.0.5 share the certificate store.  By turning on OCSP I mean I selected the "Use OCSP to validate only certificates the specify an OCSP service URL".  When trying to send an e-mail to a friend who also has a Comodo free e-mail certificate obtained without SecureEmail, I get the error that an OCSP failure has occurred and the certificate could not be validated.  I strongly suspect this is a Thunderbird issue but so far I have not been able to find a report of this issue on line.

Hm, I had the same problem. All I could find about Thunderbird and OCSP was the hint to disable it...
I thought that's not a big problem, because you can set the CRL update interval down to once per day and adding the needed urls for the CRL's is done in a few minutes - but as I realized, the automatic update mechanism for CRL's seems also to be broken! Oh - and I'm pretty sure, that's a Thunderbird problem

[malbec]

Hi,

I have exactly the same problem: I use Thunderbird version 2.0.0.23 (20090812). I installed the certificate I requested yesterday, but when  I select "Use OCSP to validate only certificates the specify an OCSP service URL", wWhen trying to send an e-mail , I get the error "an OCSP failure has occurred and the certificate could not be validated".

If I select "don't use OCSD", evrything works OK.

Did you get an answer to your ticket ?

I thank you in advance for your help.

[gtmikey]

The short answer was, "It is a Thunderbird problem. Go tell Mozilla."  Mozilla said, "(the silence was deafening.)".  So I just turned OCSP off and forgot about it.  I imagine it will be fixed when enough complaints register it onto the radar.

[BigMike]

"It is a Thunderbird problem. Go tell Mozilla."

In my eyes, this is the only answer Comodo can give. Because it is a bug in Thunderbird. It's not caused by misconfiguration.

So I just turned OCSP off and forgot about it.

You should at least keep in mind, that the certificate could have been revoked! That's the purpose of OCSP/CRL's: Checking, if the certificate was reported as compromised.

I imagine it will be fixed when enough complaints register it onto the radar.

I wouldn't count on this in the near future. As I read, the problem is known for a long time now.

[malbec]

Thanks to both of you!

So, I'll go on without OCSP, till Mozilla does something...

You should at least keep in mind, that the certificate could have been revoked! That's the purpose of OCSP/CRL's: Checking, if the certificate was reported as compromised.

Yes. Sure. May be could I chek it manually from time to time? But how?

[BigMike]

You can force a manual download of the certificate revocation list.

First of all, each vendor of certificates provides its own CRL. The address of the CRL can be found in the certificate. So, depending on which vendor issued the certificate of your contact, you may need to add more CRLs.

I'll describe the procedure:
First, look in
Tools -> Properties, Advanced, Certificates. Click on "Certificates...", there select the "Certificates of other people" tab and you'll get a list of all certificates of your contacts.
Double click a certificate, select "Details"
Under "Certificate Layout", you'll find an entry "Extensions" with an subentry, holding urls to download the crl.
Copy one of these urls to clipboard. For COMODO it's

Code:

http://crl.comodoca.com/UTN-USERFirst-ClientAuthenticationandEmail.crl

for example.
Close this window and the certificate manager, back in properties, click on "CRLs...", select "Import" and paste the copied url.

Note, that the automatic download of the CRL won't work, too!!
It seems to be also known to the Mozilla people...

To force a manual update, you have to click "Update" here.

I'm using a localized version of Thunderbird, so my translated names may differ from the original ones.

[Jim__]

The short answer was, "It is a Thunderbird problem. Go tell Mozilla."  Mozilla said, "(the silence was deafening.)".  So I just turned OCSP off and forgot about it.  I imagine it will be fixed when enough complaints register it onto the radar.

What is the bug number for your report? I will vote for it. Voting is one way to draw developer attention to a problem.

[BigMike]

Here's the bug report for the ocsp issue on Bugzilla. First reported 2006-05-10 - good luck!

[gtmikey]

Sorry if you took my short summary as a criticism of Comodo.  It wasn't meant as such.  I figured it was a Mozilla prob but I knew I would get a response from Comodo and hoped, if there was an answer, Comodo would have it. Which work around you have provided.  Thank you, Big Mike.

[BigMike]

Sorry if you took my short summary as a criticism of Comodo.

I didn't take it as a criticism. I wasn't completely sure if it was clear (to you and anyone else reading this thread) from Comodo's answer, that they can't give any hints on solving this problem, since there simply is no solution.

I just tried to stress this point to spare others from spending hours trying to find the solution.

[Tags:]