1661651 – [Regression] Thunderbird no longer prompts for the CAC PIN when sending emails

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1661651 - [Regression] Thunderbird no longer prompts for the CAC PIN when sending emails

Summary: [Regression] Thunderbird no longer prompts for the CAC PIN when sending emails

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	thunderbird
Sub Component:
Version:	7.6
Hardware:	x86_64
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Horak
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-21 21:11 UTC by Joe Wright
Modified:	2019-09-20 09:16 UTC (History)
CC List:	13 users (show)
Fixed In Version:	thunderbird-60.7.2-2.el7_6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-09-20 09:16:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	1519093	0	None	None	None	2019-06-18 12:58:28 UTC

Description Joe Wright 2018-12-21 21:11:41 UTC

Description of problem:
- Thunderbird no longer prompts for the CAC PIN when sending emails

Version-Release number of selected component (if applicable):
- thunderbird-60.3.0-1.el7_5.x86_64
- coolkey-1.1.0-40.el7.x86_64


How reproducible:
- 100% by customer

Steps to Reproduce:
(requires mail server system that requires smartcards/certificates)
1. Configure thunderbird to use CAC
2. Exit
3. Restart thunderbird and attempt to send email

Actual results:
- Thunderbird does not prompt for a PIN when sending an email
- You have to go into the Thunderbird preferences and view certificates.  When you do this you will be prompted for your CAC PIN.  After having done this, you will be able to send signed emails until you remove and reinsert the card.

Error message:
"Sending of the message failed.  You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

Expected results:
- With CAC card inserted, prompt user for PIN when sending emails

Additional info:

Comment 7 Simo Sorce 2019-02-11 15:39:49 UTC

This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 9 amitkuma 2019-02-13 09:31:37 UTC

Hey Simo,

Reopening the Bugzilla. This is really important for customer, Since this is regression.

*********Other information***************
- customer using coolkey.

- Customer has tried using coolkey, but still issue persists.
******************************************

*******************Issue*******************
- When user tries sending E-Mail(after inserting CAC) they get Error
=> Sending of Message Failed, You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired.

- Workaround-1:
-> Go to:
Thunderbird Preferences > View Certificates. //Now user is prompted for CAC PIN.
- After having done this, they will be able to send signed emails until they remove and reinsert their card

- Workaround-2:
-> I removed the cert8.db file from my Thunderbird profile and sending encrypted email works again. I still have the issue where Thunderbird does not prompt for the CAC PIN when I send a signed email

- RHEL-7.5(Thunderbird-52.9.1) does not shown the issue.

- RHEL-7.6(Thunderbird-60.3.0) no longer prompts for PIN.
**********************************************

*****Why it's important for Customer*****
While not a work stoppage, customers are frustrated by having to use the work-around many times per day.
*****************************************

*******Customer Tests with switching to opensc**********
- When I change Thunderbird over to using OpenSC with the CAC in the SCR3310 reader, I get the same behavior that I was getting under CoolKey. Under the Security Devices... preferences panel I am unable to "Log In" to the CAC. When sending an email, Thunderbird reports the same error I was getting under CoolKey.
- If I downgrade Thunderbird to 52.9.1 then I am able to "Log In" to the CAC and send signed emails using OpenSC. This only works when the card is in the SCR3310 reader. It does not work from the Dell SmartCard Keyboard reader.
- I'm willing to do some troubleshooting of OpenSC if that will be the only supported Smart Card library under RHEL. It does present some problems. For instance, since switching to OpenSC, I cannot log into my workstation or unlock the screen
***************************************************

Regressions are important since they break exiting functionality.
Still if Business Justification is needed we can ask same from Customer.

Comment 10 amitkuma 2019-02-13 09:37:57 UTC

Thunderbird 60.3.0 - has the issue
Thunderbird 60.2.1 - has the issue
Thunderbird 52.9.1 - works

Comment 23 amitkuma 2019-04-12 13:44:46 UTC

Dear Jan,

Thanks for response. We have asked customer to try 60.6.1, But how this rules out nss possibility!

Issue can be with cert-check(may be involving hash checks of key on cert and generates cert using nss), But same issue may be with newer nss versions as well!

Comment 24 Jakub Jelen 2019-04-12 14:21:52 UTC

The listing is weird since it shows two slots for your CAC card, where should be only one. I assume the certificates are correctly visible in the following listings, but in any case for the reference, I would be interested in the output of the following commands:

pkcs11-tool -L
pkcs11-tool -O
modutil -dbdir /etc/pki/nssdb -list

On the OpenSC side from the logs, the CAC card is detected correctly, certificates retrieved, but after probing the slot list, there is no follow-up call to OpenSC from NSS and from Thunderbird.

I can also recommend trying different card reader, since the Dell one can be sometimes not very reliable, but if it worked before, it should continue to work.

Comment 25 Joe Wright 2019-04-15 12:56:33 UTC

Issue can also be reproduced with Thunderbird(60.6.1) from upstream, resulting in the same error.

Comment 26 Jan Horak 2019-04-16 15:09:31 UTC

From the error message it seems that certificate cannot be found or its verification fails. Along with Jakub suggestions please also attach ask customer to attach certverifier.log content obtained by:

MOZ_LOG="certverifier:5" thunderbird &> certverifier.log

Comment 30 Jan Horak 2019-04-25 08:50:53 UTC

From the TB 52 vs 60 sources, there's been some changes. Looks like this issue is already reported to upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1519093 I'm going to investigate further.

Comment 37 amitkuma 2019-05-08 06:09:55 UTC

Customer's Update

**********Created By: Jason Fonseca  (5/8/2019 2:35 AM)*********
I installed the version of Thunderbird provided below.  I reverted OpenSC back to 0.16.0-10.  I started Thunderbird using the directions below.  In the Account Settings under Security, I selected the signing and encryption certificates.  I composted and successfully sent a signed email.  I pulled and reinserted the card.  I then sent another signed email and got the error.  The tb-debug-log will be attached.
*****************************************************************

Comment 45 Jan Horak 2019-09-20 09:16:36 UTC

As customer already mentioned, this has been already fixed by 60.7.2-2.

Note You need to log in before you can comment on or make changes to this bug.