Closed
Bug 1042647
Opened 10 years ago
Closed 10 years ago
upgrading to TB31 breaks SSL connectivity
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1036338
People
(Reporter: fmgre-01, Unassigned)
References
Details
(Keywords: regression)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 Steps to reproduce: We use SSL client ans server authentication to connect to our imap/smtp server. We have a root certificate and in intermedaite certificate that validates the server Actual results: Works fine on TB 24 Upgrading to 31 breaks the connectivity --> message is ssl_error_cipher_disallowed_for_version Expected results: transparent migration (( could be linked to 1036338 but no sure ))
Comment 2•10 years ago
|
||
Do you have the ability to look into the server logs? Mine shows errors in the following way: Jul 24 16:14:08 servername dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=79.240.xx.xx, lip=130.83.xx.xx, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<QZrvEfH+yABP8M9N> This looks strange, as this worked fine until I updated Thunderbird, all other clients work as well (including Firefox which uses the very same certificate), and the certificate also includes the full chain. The root CA is a trusted one (Deutsche Telekom), I also added the certificate exported from Firefox into Thunderbirds Trusted List, without changing that I'm still not able to connect to my IMAP server
Comment 3•10 years ago
|
||
Same problem on trying to send mails through our SMTP server: Jul 24 16:27:12 servername postfix/smtpd[3122]: connect from xx.dip0.t-ipconnect.de[79.240.xx.xx] Jul 24 16:27:12 servername postfix/smtpd[3122]: SSL_accept error from xx.dip0.t-ipconnect.de[79.240.xx.xx]: 0 Jul 24 16:27:12 servername postfix/smtpd[3122]: warning: TLS library problem: 3122:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1258:SSL alert number 48: Jul 24 16:27:12 servername postfix/smtpd[3122]: lost connection after STARTTLS from xx.dip0.t-ipconnect.de[79.240.xx.xx] Jul 24 16:27:12 servername postfix/smtpd[3122]: disconnect from pxx.dip0.t-ipconnect.de[79.240.xx.xx]
yes i had .... i did to have the same log , i am using a stunnel frontend. Before TB31, the SSLversion used was : SSLv3 After TB31 i had to change the SSLVersuion to include TLS otherwise TB did not work
Yes, the SSL core shared with Firefox may disable ciphers and protocols to increase security. Maybe that happened between 24 and 31. Check in Options->advanced->config editor and search for "security.ssl" whether your specific cipher is enabled.
SAme problem after update.. IMAP witH SSL not working anymore. Any news
Comment 7•10 years ago
|
||
Strangely, I found the following solution to my problem: I had tons of SSL certificates in my Thunderbird cert store, and after clearing some of them out, it works again - but don't ask me which one was the bad cert...
Hi Could you be more specific? where were that certs? on servers tab. OR on your certicates tab? Thanks
Comment 9•10 years ago
|
||
In both sections. Sadly, I don't remember which cert needed to be removed to connect agaion
Comment 10•10 years ago
|
||
Does setting security.use_mozillapkix_verification to false make it work? xref/dupe bug 1036338
Keywords: regression
Comment 11•10 years ago
|
||
(In reply to Magnus Melin from comment #10) > Does setting security.use_mozillapkix_verification to false make it work? > xref/dupe bug 1036338
Flags: needinfo?(fmgre-01)
Comment 12•10 years ago
|
||
(In reply to Magnus Melin from comment #10) > Does setting security.use_mozillapkix_verification to false make it work? > xref/dupe bug 1036338 Yes, it makes it work. I had this problem on one machine running Windows 7. Two machines with WinXP did not have problems after upgrading to TB31.
Updated•10 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(fmgre-01)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•