
SS & Thunderbird Security Exception Not Saved



This is driving me nuts...

 

I have SS9 (and 10) running on several PCs.  Thunderbird is my email client.  If SS is set to scan SSL connections I can't save a security cert exception.  I select save and things are fine until the next reboot, then I get asked again for each email account.

 

This only happens on the Windows 10 machines.  It does not happen with Windows 7.

 

Support has suggested turning off SSL scanning, but that strikes me as rather bad advice.

 

A virtual beer to anyone who can help me sort this.

 

Thanks,

Z.

Link to comment

  • Administrators

Just for clarification apart from the issue with saving the exception - you don't want to have email received by Thunderbird scanned if you want to exclude the certificate? Is there any good reason for that?

Link to comment

Hi Marcos,

 

Not quite sure I understand your question.  Sorry I'm not being clear.  I want SS to scan my email.  I don't want to be asked to save the security exception every time I reboot.

 

If I turn off SSL scanning I don't get pestered on each reboot, but I do not want to turn off scanning.

 

Thanks!

Z.

Link to comment

I have SS9 (and 10) running on several PCs.  Thunderbird is my email client.  If SS is set to scan SSL connections I can't save a security cert exception. 

Appears that perhaps the Eset root CA certificate has not been imported by default into TBird's certificate store when Eset was installed?  

 

Verify if there is an Eset CA certificate in TBird's certificate store. In TBird, select Tools -> Options -> Certificates -> View Certificates and search for an Eset certificate.

 

Also does this occur when you try to open TBird stand-alone or within your browser? If it occurs within the browser, what browser are you using?

Edited by itman
Link to comment

This happens when I open Tbird stand-alone.

 

Checking certificates BEFORE adding the exception after rebooting on a Windows 10 laptop (where I tried to save the exception before rebooting):

 

in Servers: ESET, spol.sr.o with a sub(something) of zipcon.net which is one of my servers.

in Others: ESET, spol.sr.o with several subs of zipcon.net and secure.zipcon.net.

 

On a Windows 7 desktop that doesn't ask for an exception on each reboot:

 

In Servers: no ESET

in Others: same as above: ESET, spol.sr.o with sub thingy of zipcon.net and secure2.zipcon.net

 

No idea what the above means.  Hopefully you do.

 

Many thanks,

Z.

Link to comment

Below is the Eset certificate installed in my Win 10 desktop root CA store. It should be the same one that is installed in TBird. Format of this cert. is the same as that installed in Win 7 before I upgraded to Win 10. Aside from the cert. from/to dates that sync back to when Eset was installed, your desktop certs. should look the same as far as I am aware.

 

I have no clue as to those zipcon.net refs. in your certificates. Might have something to do with the country where Eset was purchased from? We'll let Marcos "chime in" on this one.

 

-EDIT- Is zipcon.net your ISP?

 

post-6784-0-98321600-1479248012_thumb.png

Edited by itman
Link to comment

Zipcon is one of my ISPs.  There are also entries for ESET/att.yahoo.com - my other ISP.

 

I'll stare at the certs when I have a chance.  Still very odd that saving an exception lasts through multiple restarts of Tbird, but not a reboot.  Also odd that things are just fine on Win 7 but not Win 10.

 

Since my Tbird profiles are copies from one machine to another I tested a clean Tbird + ESET install on a "virgin" Win 10 laptop. SSL scanning triggers the same problem on that one too.

 

Thanks much for the reply,

Z.

Link to comment

For starters, you should not have to set certificate exceptions for Thunderbird to run properly.

 

Do you have SSL/TLS filtering set to "automatic" along with thunderbird.exe also set to the same as shown in the below screen shot:

 

post-6784-0-11443800-1479257825_thumb.png

 

 

Link to comment

Filtering is set exactly as shown in your screenshot.

 

There may be something hinky about my ISP's certificate.  ISTR that it's always been necessary to set an exception once. Don't know what to think about the att.yahoo exemption request showing up every time though.

 

Still, it all works on the Win 7 machines but not on Win 10.

 

I'm grateful for the help.

 

Z.

Link to comment

  • Administrators

Perhaps you could provide a screen shot of the error or notice that you get when receiving email in Thunderbird. As for the issue with saving the exclusion, do you get a UAC prompt when attempting to save it?

Link to comment

Make sure the Eset SSL cert. in TBird is set to "identify web sites."

 

Below is a screen shot of how I have TBird setup on a desktop PC. All those settings are default ones:

 

post-6784-0-59655700-1479305874_thumb.png

Edited by itman
Link to comment

Also, do you have the "remote content" option in TBird enabled? It is disabled by default for security reasons. 

Edited by itman
Link to comment

  • Administrators

I would expect that the same warning would appear regardless of whether ESET is installed or not. If there's no certificate issue on the server, the warning could appear on Windows XP with SSL filtering enabled due to an old version of Schannel but not on newer operating systems.

Link to comment

I believe the ESET Cert in Tbird is set correctly - it matches itman's unless I'm missing something.

 

Remote content is disabled.

 

Marcos, I understand that I will get the warning regardless of ESET's presence.  The thing is, if I disable SSL scanning I only get the warning ONCE.  I select the "permanently store this exception" and I never see it again. That's with both Win 7 and Win 10.

 

With SSL scanning enabled I save the exception and it's OK until the next reboot. It shows up after each reboot - on the Win 10 machines.  On the Win 7 machines the exception gets saved (or recognized if that's a better description) and I never see it again.

 

Sorry if I'm being obtuse and don't understand what you're telling me :(  I just want to be able to save the bleeping exception through a reboot.

 

Thanks all,

Z.

 

BTW if I try to add an image in-line I get "You are not allowed to use that image extension on this community."  I can attach the same images OK. Is there a post-count threshold before I can in-line images?  I'm looking around for the forum guidelines but haven't found them yet...

 

post-5586-0-47192000-1479340841_thumb.png

Link to comment

  • Administrators

I will need to discuss this with developers. As far as I know, exceptions for certificates can only be set if it's possible to verify a certificate which doesn't happen in this case due to CN mismatch.

Link to comment
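
The CN mismatch mentioned in the post above can be checked outside Thunderbird. As an added example (not part of the original thread, and not ESET or Mozilla code), this Python script takes a certificate in the layout returned by `ssl.SSLSocket.getpeercert()` and reports whether its names cover the configured mail host and whether it was issued by the local filtering CA. The certificate and the choice of "secure.zipcon.net" as the configured host are constructed for illustration; the names "webhosting.zipcon.net" and "ESET SSL Filter CA" are the ones quoted in the thread.

```python
"""Classify a mail-server certificate: name mismatch and/or re-signed by a filter CA."""

FILTER_CA_CN = "ESET SSL Filter CA"  # CA name as quoted in the thread


def rdn_value(name, key):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value).
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    cn = rdn_value(cert.get("subject", ()), "commonName")
    return [cn] if cn else []


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def diagnose(cert, configured_host):
    names = cert_names(cert)
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return {
        "names": names,
        "name_ok": any(name_matches(n, configured_host) for n in names),
        "resigned_by_filter": issuer_cn == FILTER_CA_CN,
    }


# Constructed sample: a leaf for webhosting.zipcon.net re-signed by the filter CA.
SAMPLE_FILTERED = {
    "subject": ((("commonName", "webhosting.zipcon.net"),),),
    "issuer": ((("commonName", "ESET SSL Filter CA"),),),
    "subjectAltName": (("DNS", "webhosting.zipcon.net"),),
}

if __name__ == "__main__":
    for host in ("secure.zipcon.net", "webhosting.zipcon.net"):  # assumed hosts
        print(host, diagnose(SAMPLE_FILTERED, host))
```

A result with `name_ok` false points at the server name configured in the mail account rather than at the filtering CA, since the name mismatch is present with or without interception.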

What are all those "webhosting.zipcon.net" certs. located under Eset, spol. s r.o. about? As far as I am aware, the only cert. that should be located there is "Eset SSL Filter CA."

 

Did you modify TBird's default Security Devices settings?

Edited by itman
Link to comment

I haven't modified anything.

 

My _guess_ is that I get a new "webhosting.zipcon.net" added to the ESET entry every time I _try_ to add a new exception.

 

Thanks both for taking the time to dig into this. Hoping the devs come up with something.

 

regards,

Z.

Edited by zoltanthegypsy
Link to comment

Something strange is going on here.

 

When you set up Thunderbird, you specify your e-mail provider e-mail server URL and what protocol to use; IMAP/S or POP/S. That's about it.

 

Eset's SSL protocol scanning is done at the network level and there really shouldn't be any interaction with anything other than Thunderbird. For example, I use AOL e-mail and connect to its servers w/o issue. It appears to me that somehow your e-mail provider which I assume is your ISP, zipcon.net?, is doing some type of additional security checking. That is during the Thunderbird handshake with its e-mail servers, it is detecting Eset's MITM activity which SSL protocol scanning is performing. Bottom line, it appears to me that Eset SSL protocol scanning is not compatible with the additional security checking your e-mail provider is performing. 

 

In Eset's "List of SSL/TLS filtered applications," set thunderbird.exe to "Ignore." That should stop Eset's SSL protocol scanning of Tbird. If it doesn't, then try adding thunderbird.exe to "Protocol Filtering - excluded applications." Either one of these options should prevent you having to add a certificate exception each time Thunderbird starts up.

Link to comment

You can try the following as a test on one Win 10 desktop. If TBird does not throw a cert. exception for SSL protocol scanning, at least you have a workaround until Eset can find a solution to your particular situation. Note that if you search the web, there are a number of postings of TBird problems w/Win 10.

 

Run Thunderbird in compatibility mode

 

In order to fix issues with Thunderbird, sometimes it’s best that you run it in compatibility mode. To do that, follow these steps:

 

1. Find Thunderbird’s shortcut and right click it. Choose Properties from the menu.

2. Navigate to Compatibility tab and check Run this program in compatibility mode for.

3. Select one of the older versions of Windows from the list, for example Windows 7 or Windows XP.

4. Click Apply and OK to save changes.

Link to comment

Came across this posting in the Endpoint forum: https://forum.eset.com/topic/7604-eset-endpoint-security-6-ssl-inspection-thunderbird-need-peer-review/ . Scroll down to the no. 11 paragraph. Note that "Trust this CA to identify e-mail users" is check marked for the Eset certificate in Tbird. Set that on for one desktop and see if that solves the issue.

Edited by itman
Link to comment

Another great try - but no joy :(

 

I do note that the zipcon ESET sub-entries get added each time I try to save another exception.  It's like the existing exception isn't recognized after a reboot.  Or something...

Link to comment

Below is something else you can try I found on the Bitdefender forum. I will also note that I use SMTP for my outgoing e-mail protocol. You will have to find the server URL for ISP's SMTP server. From what I have "gleaned" from the web, TBird throws these SSL cert. exceptions primarily on outbound e-mail connection handshakes.

I may have the problem licked. (Not a solution, but a workaround.) I changed from SSL/TLS to STARTTLS, and don't seem to get the prompts anymore (SSL cert. exceptions from TBird), even with email scanning (i.e. antivirus) and anti-spam enabled.

Because I hate when people are vague about how they fixed a problem, here are the rather exact steps in Thunderbird:

1. Select Tools > "Account Settings..."

2. Select "Server Settings" under the applicable account(s).

3. For "Connection security", change SSL/TLS to STARTTLS.

4. Select "Outgoing Server (SMTP)".

5. Double click each applicable SMTP server, and then perform step 3 for it.

6. Click OK twice.

Thank you for trying to help, Scott. I really appreciate it.

Edited by itman
Link to comment

This topic is now closed to further replies.