SS & Thunderbird Security Exception Not Saved

[zoltanthegypsy 1]

This is driving me nuts...

 

I have SS9 (and 10) running on several PCs.  Thunderbird is my email client.  If SS is set to scan SSL connections I can't save a security cert exception.  I select save and things are fine until the next reboot, then I get asked again for each email account.

 

This only happens on the Windows 10 machines.  It does not happen with Windows 7.

 

Support has suggested turning off SSL scanning, but that strikes me as rather bad advice.

 

A virtual beer to anyone who can help me sort this.

 

Thanks,

Z.

[Marcos 5,074]

Just for clarification apart from the issue with saving the exception - you don't want to have email received by Thunderbird scanned if you want to exclude the certificate? Is there any good reason for that?

[zoltanthegypsy 1]

Hi Marcos,

 

Not quite sure I understand your question.  Sorry I'm not being clear.  I want SS to scan my email.  I don't want to be asked to save the security exception every time I reboot.

 

If I turn off SSL scanning I don't get pestered on each reboot, but I do not want to turn off scanning.

 

Thanks!

Z.

[itman 1,659]

I have SS9 (and 10) running on several PCs.  Thunderbird is my email client.  If SS is set to scan SSL connections I can't save a security cert exception. 

Appears that perhaps the Eset root CA certificate has not been imported by default into TBird's certificate store when Eset was installed?  

 

Verify if there is an Eset CA certificate in TBird's certificate store. In TBird, select Tools -> Options -> Certificates -> View Certificates and search for an Eset certificate.

 

Also does this occur when you try to open TBird stand-alone or within your browser? If it it occurs within the browser, what browser are you using?

Edited November 15, 2016 by itman

[zoltanthegypsy 1]

This happens when I open Tbird stand-alone.

 

Checking certificates BEFORE adding the exception after rebooting on a Windows 10 laptop (where I tried to save the exception before rebooting):

 

in Servers: ESET, spol.sr.o with a sub(something) of zipcon.net which is one of my servers.

in Others: ESET, spol.sr.o with weveral subs of zipcon.net and secure.zipcon.net.

 

On a Windows 7 desktop that doesn't ask for an exception on each reboot:

 

In Servers: no ESET

in Others: same as above: ESET, spol.sr.o with sub thingy of zipcon.net and secure2.zipcon.net

 

No idea what the above means.  Hopefully you do.

 

Many thanks,

Z.

[itman 1,659]

Below is the Eset certificate installed in my Win 10 desktop root CA store. It should be the same one installed that is installed in TBird. Format of this cert. is the same as that installed in Win 7 before I upgraded to Win 10. Aside from the cert. from/to dates that sync back to when Eset was installed, your desktop certs. should look the same as far as I am aware of.

 

I have no clue as to those zipcon.net refs. in your certificates. Might have something to do to the country where Eset was purchased from? We'll let Marcos "chime in" of this one.

 

-EDIT- Is zipcon.net your ISP?

 

Edited November 15, 2016 by itman

[zoltanthegypsy 1]

Zipcon is one of my ISPs.  There are also entries for ESET/att.yahoo.com - my other ISP.

 

I'll stare at the certs when I have a chance.  Still very odd that saving an exception lasts through multiple restarts of Tbird, but not a a reboot.  Also odd that things are just fine on Win 7 but not Win 10.

 

Since my Tbird profiles are copies from one machine to another I tested a clean Tbird + ESET install on a "virgin" Win 10 laptop. SSL scanning triggers the same problem on that one too.

 

Thanks much for the reply,

Z.

[itman 1,659]

For starters, you should not have to set certificate exceptions for Thunderbird to run properly.

 

Do you have SSL/TLS filtering set to "automatic" along with thunderbird.exe also set to the same as shown in the below screen shot:

 

 

 

[zoltanthegypsy 1]

Filtering is set exactly as shown in your screenshot.

 

There may be something hinky about my ISP's certificate.  ISTR that it's always been necessary to set an exception once. Don't know what to think about the att.yahoo exemption request showing up every time though.

 

Still, it all works on the Win 7 machines but not on Win 10.

 

I'm grateful for the help.

 

Z.

[Marcos 5,074]

Perhaps you could provide a screen shot of the error or notice that you get when receiving email in Thunderbird. As for the issue with saving the exclusion, do you get a UAC prompt when attempting to save it?

[zoltanthegypsy 1]

I don't get a UAC prompt attempting to save the exception.

 

I get what's shown in the attached image after every reboot.

 

Z.

 

 

[itman 1,659]

Make sure the Eset SSL cert. in TBird is set to "identify web sites."

 

Below is a screen shot of how I have TBird setup on a desktop PC. All those settings are default ones:

 

Edited November 16, 2016 by itman

[itman 1,659]

Also, do you have the "remote content" option in TBird enabled? It is disabled by default for security reasons. 

Edited November 16, 2016 by itman

[Marcos 5,074]

I would expect that the same warning would appear regardless of whether ESET is installed or not. If there's no certificate issue on the server, the warning could appear on Windows XP with SSL filtering enabled due to an old version of Schannel but not on newer operating systems.

[zoltanthegypsy 1]

I believe the ESET Cert in Tbird is set correctly - it matches itman's unless I'm missing something.

 

Remote content is disabled.

 

Marcos, I understand that I will get the warning regardless of ESET's presence.  The thing is, if I disable SSL scanning I only get the warning ONCE.  I select the "permanently store this exception" and I never see it again. That's with both Win 7 and Win 10.

 

With SSL scanning enabled I save the exception and it's OK until the next reboot. It shows up after each reboot - on the Win 10 machines.  On the Win 7 machines the exception gets saved (or recognized if that's a better description) and I never see it again.

 

Sorry if I'm being obtuse and don't understand what you're telling me   I just want to be able to save the bleeping exception through a reboot.

 

Thanks all,

Z.

 

BTW if I try to add an image in-line I get "You are not allowed to use that image extension on this community."  I can attach the same images OK. Is there a post-count threshold before I can in-line images?  I'm looking around for the forum guidelines but haven't found them yet...

 

[Marcos 5,074]

I will need to discuss this with developers. As far as I know, exceptions for certificates can only be set if it's possible to verify a certificate which doesn't happen in this case due to CN mismatch.

[itman 1,659]

What are all those "webhosting.zipcon.net" certs. located under Eset. spool s.r.o. about? As far as I am aware of, the only cert. that should be located there is "Eset SSL Filter CA."

 

Did you modify TBird's default Security Devices settings?

Edited November 17, 2016 by itman

[zoltanthegypsy 1]

I haven't modified anything.

 

My _guess_ is that I get a new "webhosting.zipcon.net" added to the ESET entry every time i _try_ to add a new exception.

 

Thanks both for taking the time to dig into this. Hoping the devs come up with something.

 

regards,

Z.

Edited November 17, 2016 by zoltanthegypsy

[itman 1,659]

Something strange is going on here.

 

When you set up Thunderbird, you specify your e-mail provider e-mail server URL and what protocol to use; IMAP/S or POP/S. That's about it.

 

Eset's SSL protocol scanning is done at the network level and there really shouldn't be any interaction with anything other than Thunderbird. For example, I use AOL e-mail and connect to its servers w/o issue. It appears to me that somehow your e-mail provider which I assume is your ISP, zipcon.net?, is doing some type of additional security checking. That is during the Thunderbird handshake with its e-mail servers, it is detecting Eset's MITM activity which SSL protocol scanning is performing. Bottom line, it appears to me that Eset SSL protocol scanning is not compatible with the additional security checking your e-mail provider is performing. 

 

In Eset's "List of SSL/TLS filtered applications," set thunderbird.exe to "Ignore." That should stop Eset's SSL protocol scanning of Tbird. If it doesn't, then try adding thunderbird.exe to "Protocol Filtering - excluded applications." Either one of these options should prevent you having to add a certificate exception each time Thunderbird startups up.

[zoltanthegypsy 1]

Roger that.  If I thought not doing SSL scanning was a good option, we wouldn't be having this discussion

 

I have to go back to why Win 10 but not Win 7?

 

Z.

[itman 1,659]

You can try the following as a test on one Win 10 desktop. If TBird does not throw a cert. exception for SSL protocol scanning, at least you have a work around until Eset can find a solution to your particular situation. Note that if you search the web, the are a number of postings of TBird problems w/Win 10.

 

Run Thunderbird in compatibility mode

 

In order to fix issues with Thunderbird, sometimes it’s best that you run it in compatibility mode. To do that, follow these steps:

 

1.Find Thunderbird’s shortcut and right click it. Choose Properties from the menu.

 

2.Navigate to Compatibility tab and check Run this program in compatibility mode for.

 

3.Select one of the older versions of Windows from the list, for example Windows 7 or Windows XP.

 

4.Click Apply and OK to save changes.

[zoltanthegypsy 1]

Thanks for that.  Interesting thing to try that I hadn't thought of.

 

It didn't make a difference.  Neither did running in Admin mode - in the hope it was a permissions thing.

 

Z.

[itman 1,659]

Came across this posting in the Endpoint forum: https://forum.eset.com/topic/7604-eset-endpoint-security-6-ssl-inspection-thunderbird-need-peer-review/ . Scroll down to the no. 11 paragraph. Note that "Trust this CA to identify e-mail users" is check marked for the Eset certificate in Tbird. Set that on for one desktop and see if that solves the issue.

Edited November 17, 2016 by itman

[zoltanthegypsy 1]

Another great try - but no joy

 

I do note that the zipcon ESET sub-entries get added each time I try to save another exception.  It's like the existing exception isn't recognized after a reboot.  Or something...

[itman 1,659]

Below is something else you can try I found on the Bitdefender forum. I will also note that I use SMTP for my outgoing e-mail protocol. You will have to find the server URL for ISP's SMTP server. From what I have "gleaned" from the web, TBird throws these SSL cert. exceptions primarily on outbound e-mail connection handshakes.

I may have the problem licked. (Not a solution, but a workaround.) I changed from SSL/TLS to STARTTLS, and don't seem to get the prompts anymore(SSL cert. exceptions from TBird), even with email scanning (i.e. antivirus) and anti-spam enabled.

Because I hate when people are vague about how they fixed a problem, here are the rather exact steps in Thunderbird:

1. Select Tools > "Account Settings..."

2. Select "Server Settings" under the applicable account(s).

3. For "Connection security", change SSL/TLS to STARTTLS.

4. Select "Outgoing Server (SMTP)".

5. Double click each applicable SMTP server, and then perform step 3 for it.

6. Click OK twice.

Thank you for trying to help, Scott. I really appreciate it.

Edited November 18, 2016 by itman