ESET Insiders BDeep 7 Posted March 2, 2016 ESET Insiders Share Posted March 2, 2016 (edited) Troubleshooting this in our corporate environment, I believe I found a fix for the Thunderbird SSL inspection/certificate errors. Need some public peer review. We've repeated my steps twice, with success so far on two different machines, and are about to put it into limited production. The problem: Web Inspector is turned on with SSL inspection occurring. RESOLUTION – Instructions only The user must install or have installed on their system Mozilla Firefox. Once installed, the user must restart their computer so that a unique security certificate is generated for the user. If the user is already running Mozilla Firefox, proceed to step 2. Open Mozilla Firefox and right click on an empty area near the “tab” button. Ensure that “Menu Bar” is selected. Click on “Tools” then click on “Options”. Click on “Advanced”, then click on “Certificates” tab, then click on “View Certificates”. Once Certificate Manager opens, click on “Authorities” tab and scroll down until you see “ESET, spol. s r. o.”. Click on “ESET SSL Filter CA” then click on the “Export” button. If you do not see the ESET SSL Filter CA certificate, STOP and contact your official technology support team. You cannot use a certificate downloaded from another computer. From the “Save as type” drop down menu, select “X.509 Certificate with chain (PKCS#7) (*.p7c). Save the file to a location that you can easily find. Close Mozilla Firefox and open Mozilla Thunderbird. Within Mozilla Thunderbird, click on “Tools” then click on “Options”. When the Options window opens, click on “Advanced”, select the “Certificates” tab, and click on the “View Certificates” button. Click on the “Authorities” tab, click on the “Import” button, and find your previously saved certificate. You must change the drop-down to “All Files (*.*” in order to see your certificate. Once select, click on “Import” or “OK”. Click on all three check boxes then click on “OK”. Continue to click on “OK” until all windows are closed. Close and exit Mozilla Thunderbird then re-open Mozilla Thunderbird. Your email application will now scan and protect from malicious email. RESOLUTION – Instructions with graphics The user must install or have installed on their system Mozilla Firefox. Once installed, the user must restart their computer so that a unique security certificate is generated for the user. If the user is already running Mozilla Firefox, proceed to step 2. Open Mozilla Firefox and right click on an empty area near the “tab” button. Ensure that “Menu Bar” is selected. Click on “Tools” then click on “Options”. Click on “Advanced”, then click on “Certificates” tab, then click on “View Certificates”. Once Certificate Manager opens, click on “Authorities” tab and scroll down until you see “ESET, spol. s r. o.”. Click on “ESET SSL Filter CA” then click on the “Export” button. If you do not see the ESET SSL Filter CA certificate, STOP and contact your official technology support team. You cannot use a certificate downloaded from another computer. From the “Save as type” drop down menu, select “X.509 Certificate with chain (PKCS#7) (*.p7c). Save the file to a location that you can easily find. Close Mozilla Firefox and open Mozilla Thunderbird. Within Mozilla Thunderbird, click on “Tools” then click on “Options”. When the Options window opens, click on “Advanced”, select the “Certificates” tab, and click on the “View Certificates” button. Click on the “Authorities” tab, click on the “Import” button, and find your previously saved certificate. You must change the drop-down to “All Files (*.*” in order to see your certificate. Once select, click on “Import” or “OK”. Click on all three check boxes then click on “OK”. Continue to click on “OK” until all windows are closed. Close and exit Mozilla Thunderbird then re-open Mozilla Thunderbird. Your email application will now scan and protect from malicious email. Edited March 2, 2016 by BDeep Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 2, 2016 Administrators Share Posted March 2, 2016 This is done automatically after installation and after enabling SSL/TLS scanning. Manual import of the root certificate is only needed in the case of unsupported or portable applications. Link to comment Share on other sites More sharing options...
ESET Insiders BDeep 7 Posted March 2, 2016 Author ESET Insiders Share Posted March 2, 2016 This is done automatically after installation and after enabling SSL/TLS scanning. Manual import of the root certificate is only needed in the case of unsupported or portable applications. That may be the case but I have 15 production clients (that we know of so far) that have been escalated to Tier 3 (the engineering team, i.e.: me specifically) that aren't working. Some users are prompted to close applications so the root cert can be added, others with ESET installed while applications are already closed. In all cases, not getting added automatically to Thunderbird certificate store. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 2, 2016 Administrators Share Posted March 2, 2016 There was a problem on Feb 29 due to a bug with the leap year, however, on other days it should work just fine and the root certificate should be added automatically to the system TRCA certificate store as well as to supported browsers and email clients during installation or when enabling SSL/TLS scanning. It is important that no browser or email client process in running in the Task manager when ESET attempts to add the root certificate. Otherwise an error will be thrown and ESET will re-try to add the root certificate at the next system startup. Link to comment Share on other sites More sharing options...
ESET Insiders BDeep 7 Posted March 2, 2016 Author ESET Insiders Share Posted March 2, 2016 There was a problem on Feb 29 due to a bug with the leap year, however, on other days it should work just fine and the root certificate should be added automatically to the system TRCA certificate store as well as to supported browsers and email clients during installation or when enabling SSL/TLS scanning. It is important that no browser or email client process in running in the Task manager when ESET attempts to add the root certificate. Otherwise an error will be thrown and ESET will re-try to add the root certificate at the next system startup. Again, I think the point is being missed but it is my fault because I did not mention that we are using ESET Endpoint Security 6. Mozilla Thunderbird is not support in EES 6 according to this: hxxp://support.eset.com/kb2138/?viewlocale=en_US"ESET Endpoint Security, ESET Endpoint Antivirus, ESET File Security, ESET Smart Security and ESET NOD32 Antivirus are compatible with the email clients indicated below by the green check marks " and Mozilla Thunderbird 2-6 is not listed as compatible. Then it goes on to say "Compatibility with ESET products means that, regardless of the protocol used, all email received is scanned for threats and spam." And finally "* ESET Endpoint Security version 5 and 6 and ESET Smart Security version 5 through version 9 will scan POP3/POP3S and IMAP/IMAPS email for the presence of malicious code while using Mozilla Thunderbird 6 and later or other email clients not listed above. Email will not be scanned for spam, however." But POPS and IMAPS is not scanned due to the root certificate not being added to Mozilla Thunderbird running EES 6 hence the need for a "workaround" list above. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 3, 2016 Administrators Share Posted March 3, 2016 Mozilla Thunderbird is not supported in terms of a plug-in for scanning email, however, the root certificate is added to Thunderbird's CA certificate store. Link to comment Share on other sites More sharing options...
ESET Insiders BDeep 7 Posted March 3, 2016 Author ESET Insiders Share Posted March 3, 2016 Mozilla Thunderbird is not supported in terms of a plug-in for scanning email, however, the root certificate is added to Thunderbird's CA certificate store. Not talking about a plug-in for scanning email but speaking directly to Thunderbird's CA certificate store. We'll leave it at this. I do not want it to turn into a tit-for-tat but what I said still applies (and confirmed) on the other production machines. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 3, 2016 Administrators Share Posted March 3, 2016 I've just tested Endpoint 6.3 with the latest version of Thunderbird 38,6.0 and the root certificate was imported successfully without any manual intervention. If you wold like to troibleshoot it, we'd need to get a Procmon log from the time when Thunderbird is not among running processes and you enable SSl/TLS scanning and click OK. Link to comment Share on other sites More sharing options...
ESET Insiders BDeep 7 Posted March 3, 2016 Author ESET Insiders Share Posted March 3, 2016 I've just tested Endpoint 6.3 with the latest version of Thunderbird 38,6.0 and the root certificate was imported successfully without any manual intervention. If you wold like to troibleshoot it, we'd need to get a Procmon log from the time when Thunderbird is not among running processes and you enable SSl/TLS scanning and click OK. As much as I would love to troubleshoot this and get some good info back to you, I am not in a position to do so (time constraints). It is a "patch, fix, go" mode right now. :-\ Link to comment Share on other sites More sharing options...
Recommended Posts