tixsys / esteid

Automatically exported from code.google.com/p/esteid

Thunderbird asks PIN1 without any need #100

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Start Thunderbird with ID card inserted
2. Thunderbird asks PIN1 per network mail account (if using TLS/SSL only?)

What is the expected output? What do you see instead?

It shouldn't interact in any way with ID card if there isn't any need.

What version of the product are you using? On what operating system?

MacOSX 10.6.4. Software installed from 
ID-card_software_installer_20100923_r3122.dmg

Please provide any additional information below.

BTW, 'Estonian ID-card support' add-on is disabled. I've heard it happen in 
Linux as well, but can't verify it at the moment.

Original issue reported on code.google.com by hasso.te...@gmail.com on 27 Sep 2010 at 6:35

GoogleCodeExporter commented 9 years ago
I am unable to reproduce this.

Most likely cause is that the opensc security module is loaded with wrong 
flags. Security modules need to be loaded with 'friendly' flag set so that 
Thunderbird wouldn't ask for PIN every time. The 'Estonian ID-card support' 
extension is supposed to load onepin-opensc-pkcs11.so with correct flags; can 
you try re-enabling it to see if that makes the problem go away?

If the problem persists, please provide the output of Tools->Add-ons->Estonian 
ID Card->Preferences->Log and 
Edit->Preferences->Advanced->Certificates->Security Devices.

Original comment by kalevlember@gmail.com on 29 Sep 2010 at 2:24

GoogleCodeExporter commented 9 years ago
Mkay. Indeed unloading the module and enabling 'Estonian ID-card support' again 
fixes the issue. Disabling it again doesn't make the issue reappear. But I also 
noticed that disabling the add-on doesn't unload module again, maybe it should?

Now I have another problem though and I'm not sure who to blame. It may be 
related to why I had this completely needless PIN asking at all. 
Checking mail from Elion servers (neti.ee, estpak.ee, hot.ee) triggers this:

This site has requested that you identify yourself with a certificate:
mail.neti.ee:995

I'm not sure why it requests that, but IMHO the question arises anyway - what 
happens if some server requests an optional client certificate, but it's not 
related to the Estonian ID card in any way?

Original comment by hasso.te...@gmail.com on 30 Sep 2010 at 7:06

GoogleCodeExporter commented 9 years ago
I'm not sure an extension can listen for a message that the user has disabled it. 
If so, it might be possible to implement a module unload.

The server must present a list of CAs it accepts. If the Estonian ID-card root CA 
is not listed, the certificate on the card is not used and PIN1 should not be 
prompted for.

Original comment by ant...@gmail.com on 30 Sep 2010 at 9:28

GoogleCodeExporter commented 9 years ago
Mkay. But I'm not sure how to debug this. At least this command line doesn't 
show anything interesting:

$ openssl s_client -connect mail.neti.ee:995
...
No client certificate CA names sent
...
$

Original comment by hasso.te...@gmail.com on 30 Sep 2010 at 10:09

GoogleCodeExporter commented 9 years ago
Your method to debug it is absolutely correct:

$ openssl s_client -connect id.swedbank.ee:443
...
Acceptable client certificate CA names
/C=EE/O=AS Sertifitseerimiskeskus/OU=ESTEID/CN=ESTEID-SK 2007
/emailAddress=pki@sk.ee/C=EE/O=AS Sertifitseerimiskeskus/OU=ESTEID/SN=1/CN=ESTEID-SK
/emailAddress=pki@sk.ee/C=EE/O=AS Sertifitseerimiskeskus/CN=Juur-SK
...

Original comment by ant...@gmail.com on 30 Sep 2010 at 11:50
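Added example (not part of the original thread or of the esteid project): a small parser for the "Acceptable client certificate CA names" section of `openssl s_client` output, applying the rule stated above, that the card certificate is only relevant when the server's CA list contains the issuer of the card certificate. The two transcripts are constructed, modelled on the ones quoted in this thread, and `card_issuer_cn` is an assumed input.

```python
from typing import Dict, List

# Constructed samples modelled on the two s_client transcripts in the thread:
# one server that advertises a CA list, one that sends none. Not real captures.
SWEDBANK_LIKE = """\
CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=EE/O=AS Sertifitseerimiskeskus/OU=ESTEID/CN=ESTEID-SK 2007
/emailAddress=pki@sk.ee/C=EE/O=AS Sertifitseerimiskeskus/OU=ESTEID/SN=1/CN=ESTEID-SK
/emailAddress=pki@sk.ee/C=EE/O=AS Sertifitseerimiskeskus/CN=Juur-SK
---
SSL handshake has read 4040 bytes and written 300 bytes
"""

NETI_LIKE = """\
CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 2010 bytes and written 300 bytes
"""


def acceptable_ca_names(s_client_output: str) -> List[str]:
    """Return the DN lines printed under 'Acceptable client certificate CA names'.
    An empty list means the server sent no CA list (or no CertificateRequest)."""
    names: List[str] = []
    collecting = False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
            continue
        if collecting:
            if not line.startswith("/"):  # DN lines use the old one-line '/K=V' form
                break
            names.append(line.strip())
    return names


def parse_dn(dn: str) -> Dict[str, str]:
    """Split '/C=EE/O=.../CN=X' into {'C': 'EE', 'O': '...', 'CN': 'X'}."""
    return dict(rdn.partition("=")[::2] for rdn in dn.lstrip("/").split("/"))


def should_use_card_cert(s_client_output: str, card_issuer_cn: str) -> bool:
    """Rule from the thread: offer the card certificate (and so prompt for PIN1)
    only when the server's CA list names the issuer of the card certificate.
    card_issuer_cn is an assumed input, e.g. 'ESTEID-SK 2007'."""
    return any(parse_dn(dn).get("CN") == card_issuer_cn
               for dn in acceptable_ca_names(s_client_output))
```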

GoogleCodeExporter commented 9 years ago
Hmm...

openssl s_client -connect www.swedbank.ee:443
...
No client certificate CA names sent
...

Not sure if it's not a Thunderbird bug after all.
Does it prompt for a certificate for other SSL services as well?
If so, then what happens when you remove the security module?

Original comment by ant...@gmail.com on 30 Sep 2010 at 11:54

GoogleCodeExporter commented 9 years ago
Nope. It doesn't happen with mail accounts hosted by gmail or zone.ee, both 
using SSL.

Original comment by hasso.te...@gmail.com on 30 Sep 2010 at 12:03