Bug 1661651 - [Regression] Thunderbird no longer prompts for the CAC PIN when sending emails
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: thunderbird
Version: 7.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Jan Horak
QA Contact: Desktop QE
Reported: 2018-12-21 21:11 UTC by Joe Wright
Modified: 2019-09-20 09:16 UTC

Fixed In Version: thunderbird-60.7.2-2.el7_6
Last Closed: 2019-09-20 09:16:36 UTC

System ID Private Priority Status Summary Last Updated
Mozilla Foundation 1519093 0 None None None 2019-06-18 12:58:28 UTC

Description Joe Wright 2018-12-21 21:11:41 UTC
Description of problem:
- Thunderbird no longer prompts for the CAC PIN when sending emails

Version-Release number of selected component (if applicable):
- thunderbird-60.3.0-1.el7_5.x86_64
- coolkey-1.1.0-40.el7.x86_64

How reproducible:
- 100% by customer

Steps to Reproduce:
(requires mail server system that requires smartcards/certificates)
1. Configure thunderbird to use CAC
2. Exit
3. Restart thunderbird and attempt to send email

Actual results:
- Thunderbird does not prompt for a PIN when sending an email
- You have to go into the Thunderbird preferences and view certificates.  When you do this you will be prompted for your CAC PIN.  After having done this, you will be able to send signed emails until you remove and reinsert the card.

Error message:
"Sending of the message failed.  You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

Expected results:
- With CAC card inserted, prompt user for PIN when sending emails

Additional info:

Comment 7 Simo Sorce 2019-02-11 15:39:49 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen as either low or moderate impact to a small number of use cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 9 amitkuma 2019-02-13 09:31:37 UTC
Hey Simo,

Reopening the Bugzilla. This is really important for the customer, since this is a regression.

*********Other information***************
- customer using coolkey.

- Customer has tried using coolkey, but the issue still persists.

- When the user tries sending an e-mail (after inserting the CAC) they get the error
    => Sending of Message Failed, You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired.

- Workaround-1:
 -> Go to:
    Thunderbird Preferences > View Certificates.    //Now user is prompted for CAC PIN. 
    - After having done this, they will be able to send signed emails until they remove and reinsert their card 

- Workaround-2:
 -> I removed the cert8.db file from my Thunderbird profile and sending encrypted email works again. I still have the issue where Thunderbird does not prompt for the CAC PIN when I send a signed email

- RHEL-7.5 (Thunderbird-52.9.1) does not show the issue.

- RHEL-7.6 (Thunderbird-60.3.0) no longer prompts for PIN.

*****Why it's important for Customer*****
 While not a work stoppage, customers are frustrated by having to use the work-around many times per day.

*******Customer Tests with switching to opensc**********
- When I change Thunderbird over to using OpenSC with the CAC in the SCR3310 reader, I get the same behavior that I was getting under CoolKey. Under the Security Devices... preferences panel I am unable to "Log In" to the CAC. When sending an email, Thunderbird reports the same error I was getting under CoolKey.
- If I downgrade Thunderbird to 52.9.1 then I am able to "Log In" to the CAC and send signed emails using OpenSC. This only works when the card is in the SCR3310 reader. It does not work from the Dell SmartCard Keyboard reader.
- I'm willing to do some troubleshooting of OpenSC if that will be the only supported Smart Card library under RHEL. It does present some problems. For instance, since switching to OpenSC, I cannot log into my workstation or unlock the screen.

Regressions are important since they break existing functionality.
Still, if a business justification is needed, we can ask the customer for it.

Comment 10 amitkuma 2019-02-13 09:37:57 UTC
Thunderbird 60.3.0 - has the issue
Thunderbird 60.2.1 - has the issue
Thunderbird 52.9.1 - works

Comment 23 amitkuma 2019-04-12 13:44:46 UTC
Dear Jan,

Thanks for the response. We have asked the customer to try 60.6.1, but how does this rule out the nss possibility?

Issue can be with cert-check (may be involving hash checks of key on cert and generates cert using nss), but the same issue may be with newer nss versions as well!

Comment 24 Jakub Jelen 2019-04-12 14:21:52 UTC
The listing is weird since it shows two slots for your CAC card, where there should be only one. I assume the certificates are correctly visible in the following listings, but in any case, for reference, I would be interested in the output of the following commands:

pkcs11-tool -L
pkcs11-tool -O
modutil -dbdir /etc/pki/nssdb -list

On the OpenSC side from the logs, the CAC card is detected correctly, certificates retrieved, but after probing the slot list, there is no follow-up call to OpenSC from NSS and from Thunderbird.

I can also recommend trying a different card reader, since the Dell one can sometimes be not very reliable, but if it worked before, it should continue to work.
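
The check Comment 24 describes (one CAC showing up in two slots) can be done mechanically on the `pkcs11-tool -L` listing. The following is an added example, not part of the bug report or of OpenSC: the sample listing is constructed, and grouping slots by `serial num` is an assumption about how the same card is identified.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `pkcs11-tool -L` prints (not from the bug report).
SAMPLE = """\
Available slots:
Slot 0 (0x0): Example Reader A 00 00
  token label        : EXAMPLE.USER.0000000000
  token flags        : login required, rng, token initialized, PIN initialized
  serial num         : 0123456789abcdef
Slot 1 (0x4): Example Reader A 00 00
  token label        : EXAMPLE.USER.0000000000
  token flags        : login required, rng, token initialized, PIN initialized
  serial num         : 0123456789abcdef
Slot 2 (0x8): Example Reader B 00 00
  (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(r"^\s+([^:]+?)\s*:\s*(.*)$")

def parse_slots(text):
    """Return one dict per slot: index, reader, empty flag and token fields."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots.append({"index": int(m.group(1)), "reader": m.group(3).strip(),
                          "empty": False})
        elif slots and line.strip() == "(empty)":
            slots[-1]["empty"] = True
        elif slots and (f := FIELD_RE.match(line)):
            slots[-1][f.group(1)] = f.group(2).strip()
    return slots

def duplicate_tokens(slots):
    """Map serial number -> slot indexes, for serials seen in more than one slot.
    Assumption: slots backed by the same card report the same `serial num`."""
    by_serial = defaultdict(list)
    for s in slots:
        if not s["empty"] and s.get("serial num"):
            by_serial[s["serial num"]].append(s["index"])
    return {serial: idx for serial, idx in by_serial.items() if len(idx) > 1}

if __name__ == "__main__":
    slots = parse_slots(SAMPLE)
    for s in slots:
        state = "empty" if s["empty"] else s.get("token label", "?")
        print(f"slot {s['index']}: {s['reader']} -> {state}")
    for serial, idx in duplicate_tokens(slots).items():
        print(f"token {serial} is exposed in slots {idx}; expected one slot")
```

To check a live system, pass the text printed by `pkcs11-tool -L` to `parse_slots` in place of `SAMPLE`.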

Comment 25 Joe Wright 2019-04-15 12:56:33 UTC
Issue can also be reproduced with Thunderbird (60.6.1) from upstream, resulting in the same error.

Comment 26 Jan Horak 2019-04-16 15:09:31 UTC
From the error message it seems that the certificate cannot be found or its verification fails. Along with Jakub's suggestions, please also ask the customer to attach the certverifier.log content obtained by:

MOZ_LOG="certverifier:5" thunderbird &> certverifier.log

Comment 30 Jan Horak 2019-04-25 08:50:53 UTC
From the TB 52 vs 60 sources, there have been some changes. Looks like this issue is already reported to upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1519093 I'm going to investigate further.

Comment 37 amitkuma 2019-05-08 06:09:55 UTC
Customer's Update

**********Created By: Jason Fonseca  (5/8/2019 2:35 AM)*********
I installed the version of Thunderbird provided below.  I reverted OpenSC back to 0.16.0-10.  I started Thunderbird using the directions below.  In the Account Settings under Security, I selected the signing and encryption certificates.  I composed and successfully sent a signed email.  I pulled and reinserted the card.  I then sent another signed email and got the error.  The tb-debug-log will be attached.

Comment 45 Jan Horak 2019-09-20 09:16:36 UTC
As the customer already mentioned, this has already been fixed by 60.7.2-2.
