Closed Bug 1042870 Opened 6 years ago Closed 6 years ago

CALDAV to HTTPS with self-signed certificates stopped working (fails using mozilla::pkix, works using NSS)

Categories

(Core :: Security: PSM, defect)

31 Branch
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: mozilla, Unassigned)

Details

(Whiteboard: mozilla::pkix, revert to old SSL-Verification Library, TB 31, core, SSL)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140722064054

Steps to reproduce:

I'm using TB 31 + Lightning 3.3 to synchronize my CalDAV calendar (Horde) via https.
For https I'm using self-signed certificates. TZPUSH is used for contacts (also Horde, self-signed).


Actual results:

Calendars do not sync (yellow triangle next to calendar).

Thunderbird throws DAV_NOT_DAV and READ_FAILED errors in the console when starting, for each https CalDAV URL.

When connecting to the server by plain http, the sync is successful.
TZPUSH is also not syncing.



Expected results:

The calendars should have synced.


After downgrading to TB 24.6.0.1 and Lightning 2.6.6, calendars are in sync again.
Also: TZPUSH is working again

So: the problem might also be related to TB 31.
For me it was the case of being a cA: true certificate, see https://bugzilla.mozilla.org/show_bug.cgi?id=1036338#c5
(In reply to chris from comment #1)
> For me it was the case of being a cA: true certificate, see
> https://bugzilla.mozilla.org/show_bug.cgi?id=1036338#c5

The property CA: True is set in my CA's root Certificate:

X509v3 Basic Constraints: critical
                CA:TRUE

I'll have a try at deleting the imported CAs and reimporting them.
Maybe this will help.
I don't think this is a Lightning problem.

Thunderbird 31 contains a new certificate verification library. This blog post <http://mike.kaply.com/2014/08/01/new-certificate-verification-library-in-firefox-31/> provides some useful links and information on how to revert to the old library for testing.

If your certificate works after enabling the old verification library, then I assume it is a problem with the new verification library.
Hi Stefan, your solution works.

What have I done?

0) Deleted the old calendar
1) Set security.use_mozillapkix_verification to false
2) Deleted the CA certificates from TB
3) Deleted username/password from TB's password database
4) Reimported the CA certificates and set trust levels accordingly
5) Added the CalDAV calendar

Some steps might not be necessary.

To rule out the possibility that I had imported the CA certificates in a wrong way, I re-enabled the new library with "security.use_mozillapkix_verification=true". As expected, the calendar is broken again.

Error message for documentation (translated from German):
Warning: Error reading data for calendar: CALENDARNAME. However, this error is probably negligible, so the program will try to continue. Error code: DAV_NOT_DAV. Description: The resource at https://a.valid.url/ is either not a DAV collection or it is not available. Warning: Error reading data for calendar: CALENDARNAME. However, this error is probably negligible, so the program will try to continue. Error code: READ_FAILED. Description:


Long story short: the issue is solved by reverting to the old SSL verification library.
Whiteboard: mozilla::pkix, revert to old SSL-Verification Library, TB 31, core, SSL
Moving over to Core, hopefully the experts there can help to analyze.
Component: Provider: CalDAV → Security: PSM
Product: Calendar → Core
Summary: CALDAV to HTTPS with self-signed certificates stopped working. → CALDAV to HTTPS with self-signed certificates stopped working (fails using mozilla::pkix, works using NSS)
Version: Lightning 3.3 → 31 Branch
Reporter, if you could post a copy of the certificates you're using (just the public parts), it would help diagnose the problem. Thanks!
Flags: needinfo?(mozilla)
Hi Dave, is this sufficient?


##Connection to the Server:
openssl s_client -connect horde.demuth.mobi:443 -servername horde.demuth.mobi

CONNECTED(00000003)
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=*.demuth.mobi
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/CN=*.demuth.mobi
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 4643 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: F47C17CA6AD45381271A5FB15B2822BAA77C1A8F0047F1A2FBF6BD1E7A4F8924
    Session-ID-ctx: 
    Master-Key: 2395D41072181E58A256321B9174B7B6C9004D935E230982A687420BE91DD545AEBD0C465E5EBB61755AA69C47489689
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    <snip>

    Start Time: <snip>


##Server Certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 142025 (0x22ac9)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Apr  9 08:17:22 2014 GMT
            Not After : Apr  8 08:17:22 2016 GMT
        Subject: CN=*.demuth.mobi
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access: 
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name: 
                DNS:*.demuth.mobi, othername:<unsupported>, DNS:fk.demuth.mobi, othername:<unsupported>, DNS:horde.demuth.mobi, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption
         <snip>

## Root CA certificates can be found here:
http://www.cacert.org/index.php?id=3
Flags: needinfo?(mozilla)
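A model of the path rules at issue in comments 1 to 3 (an end-entity certificate carrying CA:TRUE) and in the chain posted above, as an added example that is not part of this bug and not Thunderbird, NSS or mozilla::pkix code: it applies the RFC 5280 basic-constraints, key-usage, pathLenConstraint and server-name matching rules to certificates described as plain Python objects filled in from the `openssl x509 -text` fields shown above. The CAcert Class 3 Root's own extensions are not shown in the thread, so its CA:TRUE and keyCertSign values are assumed; which of these rules the old NSS verifier enforced more loosely is not established here. The untrusted-root case mirrors the `verify error:num=20:unable to get local issuer certificate` line from the s_client output, where the CAcert root was not in the local store.

```python
"""Chain checks modelled on RFC 5280 section 6 (added example; constructed data)."""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set


@dataclass
class Cert:
    subject: str
    issuer: str
    ca: Optional[bool] = None              # Basic Constraints cA; None = extension absent
    path_len: Optional[int] = None         # pathLenConstraint, if present
    key_usage: Optional[Set[str]] = None   # None = extension absent
    ext_key_usage: Optional[Set[str]] = None
    san: List[str] = field(default_factory=list)


def hostname_matches(pattern: str, host: str) -> bool:
    """TLS server-name matching: '*' only as the whole left-most label and
    matching exactly one label, so *.demuth.mobi covers horde.demuth.mobi
    but neither demuth.mobi nor a.b.demuth.mobi."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                   # ".demuth.mobi"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left


def check_chain(chain: List[Cert], hostname: str, trusted_roots: Set[str]) -> List[str]:
    """chain[0] is the end-entity; each following cert must have issued the one
    before it; the last one must be a trusted root or be issued by one.
    Returns the list of rule violations (empty means the path is acceptable)."""
    problems: List[str] = []
    leaf, issuers = chain[0], chain[1:]
    # End-entity rules: a leaf asserting CA:TRUE is not a valid server cert.
    if leaf.ca is True:
        problems.append(f"{leaf.subject}: end-entity certificate asserts CA:TRUE")
    if leaf.ext_key_usage is not None and "serverAuth" not in leaf.ext_key_usage:
        problems.append(f"{leaf.subject}: EKU lacks TLS Web Server Authentication")
    if not any(hostname_matches(n, hostname) for n in leaf.san):
        problems.append(f"{leaf.subject}: no SAN entry matches {hostname}")
    # Issuer rules, walking up from the leaf.
    prev = leaf
    for depth, ca_cert in enumerate(issuers):
        if prev.issuer != ca_cert.subject:
            problems.append(f"{ca_cert.subject}: does not match issuer of {prev.subject}")
        if ca_cert.ca is not True:
            problems.append(f"{ca_cert.subject}: used as a CA without Basic Constraints CA:TRUE")
        if ca_cert.key_usage is not None and "keyCertSign" not in ca_cert.key_usage:
            problems.append(f"{ca_cert.subject}: Key Usage lacks keyCertSign")
        # pathLenConstraint bounds the number of intermediates below this CA,
        # which is exactly `depth` in this walk.
        if ca_cert.path_len is not None and depth > ca_cert.path_len:
            problems.append(f"{ca_cert.subject}: pathLenConstraint {ca_cert.path_len} exceeded")
        prev = ca_cert
    top = chain[-1]
    if top.subject not in trusted_roots and top.issuer not in trusted_roots:
        problems.append(f"{top.subject}: chain does not end at a trusted root ({top.issuer} is not trusted)")
    return problems


# Constructed from the openssl output in comment 7. Subjects are shortened to
# their CN; the Class 3 Root's extensions are assumed, not shown in the thread.
CACERT_ROOT = "CN=CA Cert Signing Authority"
CLASS3 = Cert(subject="CN=CAcert Class 3 Root", issuer=CACERT_ROOT,
              ca=True, key_usage={"keyCertSign", "cRLSign"})
LEAF = Cert(subject="CN=*.demuth.mobi", issuer="CN=CAcert Class 3 Root",
            ca=False,
            key_usage={"digitalSignature", "keyEncipherment", "keyAgreement"},
            ext_key_usage={"clientAuth", "serverAuth"},
            san=["*.demuth.mobi", "fk.demuth.mobi", "horde.demuth.mobi"])


def reporter_chain_problems() -> List[str]:
    """The posted chain with the CAcert root imported and trusted."""
    return check_chain([LEAF, CLASS3], "horde.demuth.mobi", {CACERT_ROOT})


def untrusted_root_problems() -> List[str]:
    """Same chain with no CAcert root in the store (s_client's verify error 20)."""
    return check_chain([LEAF, CLASS3], "horde.demuth.mobi", set())


def ca_true_leaf_problems() -> List[str]:
    """The comment 1 situation: an end-entity certificate that asserts CA:TRUE."""
    return check_chain([replace(LEAF, ca=True), CLASS3], "horde.demuth.mobi", {CACERT_ROOT})


if __name__ == "__main__":
    for name, fn in [("reporter chain", reporter_chain_problems),
                     ("untrusted root", untrusted_root_problems),
                     ("CA:TRUE leaf", ca_true_leaf_problems)]:
        print(name, "->", fn() or "OK")
```

Running the module prints one line per scenario; the reporter's chain passes once the CAcert root is trusted, the same chain without the root fails only at the anchor, and the CA:TRUE leaf fails on the end-entity rule regardless of trust.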
If you import the CAcert root certificate linked to on that page into Thunderbird using Preferences -> Advanced -> Certificates -> View Certificates -> Authorities - > Import and trust it to identify websites, does it work?
(In reply to David Keeler (:keeler) [use needinfo?] from comment #8)
> If you import the CAcert root certificate linked to on that page into
> Thunderbird using Preferences -> Advanced -> Certificates -> View
> Certificates -> Authorities - > Import and trust it to identify websites,
> does it work?

As described in comment 4, step 4, this was done, but it does not solve the problem.
I upgraded to TB 31.1.0 today.
To check whether the issue still exists, I set security.use_mozillapkix_verification to true.

The calendars are still syncing.

It seems that the issue is fixed.
I'll test it this afternoon on a similar device and confirm.
Flags: needinfo?(mozilla)
Confirmed. It also works on the second device.

The update seems to have resolved the issue.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mozilla)
Resolution: --- → WORKSFORME