Closed Bug 1042647 Opened 10 years ago Closed 10 years ago

upgrading to TB31 breaks SSL connectivity

Product/Component: Thunderbird :: Security (defect)
Version: 31 Branch
Hardware: x86, macOS
Priority: Not set
Severity: blocker
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 1036338
Reporter: fmgre-01 (Unassigned)
Keywords: regression

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4

Steps to reproduce:

We use SSL client and server authentication to connect to our imap/smtp server.
We have a root certificate and an intermediate certificate that validates the server.


Actual results:

Works fine on TB 24
Upgrading to 31 breaks the connectivity 
--> message is ssl_error_cipher_disallowed_for_version


Expected results:

transparent migration 
(( could be linked to 1036338 but not sure ))
Severity: normal → blocker
Is SSLv3 support dropped?
Do you have the ability to look into the server logs? Mine shows errors in the following way:

Jul 24 16:14:08 servername dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=79.240.xx.xx, lip=130.83.xx.xx, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<QZrvEfH+yABP8M9N>

This looks strange, as this worked fine until I updated Thunderbird; all other clients work as well (including Firefox, which uses the very same certificate), and the certificate also includes the full chain. The root CA is a trusted one (Deutsche Telekom). I also added the certificate exported from Firefox into Thunderbird's trusted list, but even with that change I'm still not able to connect to my IMAP server.
Same problem on trying to send mails through our SMTP server:

Jul 24 16:27:12 servername postfix/smtpd[3122]: connect from xx.dip0.t-ipconnect.de[79.240.xx.xx]
Jul 24 16:27:12 servername postfix/smtpd[3122]: SSL_accept error from xx.dip0.t-ipconnect.de[79.240.xx.xx]: 0
Jul 24 16:27:12 servername postfix/smtpd[3122]: warning: TLS library problem: 3122:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1258:SSL alert number 48:
Jul 24 16:27:12 servername postfix/smtpd[3122]: lost connection after STARTTLS from xx.dip0.t-ipconnect.de[79.240.xx.xx]
Jul 24 16:27:12 servername postfix/smtpd[3122]: disconnect from pxx.dip0.t-ipconnect.de[79.240.xx.xx]
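The dovecot and postfix lines above both carry the same OpenSSL error string and TLS alert. As an added example (not part of the bug report), this parser pulls the daemon, the OpenSSL reason text and the alert number out of such syslog lines, so a server operator can count which clients are rejecting the chain (alert 48, unknown_ca) versus failing on protocol version. The sample lines are the ones quoted in the thread, with addresses masked as in the original.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# TLS alert descriptions (RFC 5246, section 7.2.2) that commonly appear when a
# client rejects the server's certificate chain or the negotiated protocol.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
}

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>[^\s:\[]+)")
# OpenSSL error-string layout: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)")
ALERT_NUM = re.compile(r"SSL alert number (?P<n>\d+)")

# Log lines quoted in the bug report (constructed sample input for this example).
SAMPLE_LOG = [
    "Jul 24 16:14:08 servername dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=79.240.xx.xx, lip=130.83.xx.xx, TLS: SSL_read() failed: error:14094418:"
    "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<QZrvEfH+yABP8M9N>",
    "Jul 24 16:27:12 servername postfix/smtpd[3122]: warning: TLS library problem: 3122:error:14094418:"
    "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1258:SSL alert number 48:",
    "Jul 24 16:27:12 servername postfix/smtpd[3122]: lost connection after STARTTLS from xx.dip0.t-ipconnect.de[79.240.xx.xx]",
]

@dataclass
class TlsFailure:
    timestamp: str
    daemon: str
    reason: str           # OpenSSL reason text, e.g. "tlsv1 alert unknown ca"
    alert: Optional[int]  # TLS alert description number sent by the peer
    alert_name: str

def parse_line(line: str) -> Optional[TlsFailure]:
    """Return a TlsFailure for a syslog line carrying an OpenSSL error string, else None."""
    head, err = SYSLOG.match(line), OPENSSL_ERR.search(line)
    if not head or not err:
        return None
    m = ALERT_NUM.search(line)
    alert = int(m.group("n")) if m else None
    # OpenSSL 1.0.x encodes a received alert as reason code 1000 + alert number
    # (SSL_AD_REASON_OFFSET), so the hex code recovers the alert even when the
    # daemon did not append "SSL alert number N".
    reason_code = int(err.group("code"), 16) & 0xFFF
    if alert is None and 1000 <= reason_code < 1256:
        alert = reason_code - 1000
    name = TLS_ALERTS.get(alert, "unknown") if alert is not None else "n/a"
    return TlsFailure(head.group("ts"), head.group("daemon"), err.group("reason").strip(), alert, name)

def alert_histogram(lines) -> Counter:
    """Count peer-sent TLS alerts per daemon, e.g. {('postfix/smtpd', 'unknown_ca'): 1}."""
    return Counter((f.daemon, f.alert_name) for f in map(parse_line, lines) if f)
```

A sudden jump in unknown_ca alerts after a client upgrade, as here, points at chain validation on the client side rather than a server-side protocol or cipher change.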
Yes, I had. I did have the same log; I am using a stunnel frontend.
Before TB31, the SSL version used was SSLv3.
After TB31 I had to change the SSL version to include TLS, otherwise TB did not work.
Yes, the SSL core shared with Firefox may disable ciphers and protocols to increase security. Maybe that happened between 24 and 31. Check in Options->advanced->config editor and search for "security.ssl" whether your specific cipher is enabled.
Same problem after update. IMAP with SSL not working anymore.

Any news?
Strangely, I found the following solution to my problem: I had tons of SSL certificates in my Thunderbird cert store, and after clearing some of them out, it works again - but don't ask me which one was the bad cert...
Hi, could you be more specific? Where were those certs? On the Servers tab, or on your Certificates tab?

Thanks
In both sections. Sadly, I don't remember which cert needed to be removed to connect again.
Does setting security.use_mozillapkix_verification to false make it work? 
xref/dupe bug 1036338
Keywords: regression
(In reply to Magnus Melin from comment #10)
> Does setting security.use_mozillapkix_verification to false make it work? 
> xref/dupe bug 1036338
Flags: needinfo?(fmgre-01)
(In reply to Magnus Melin from comment #10)
> Does setting security.use_mozillapkix_verification to false make it work? 
> xref/dupe bug 1036338

Yes, it makes it work.

I had this problem on one machine running Windows 7. Two machines with WinXP did not have problems after upgrading to TB31.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(fmgre-01)
Resolution: --- → DUPLICATE
See Also: → 1044739