Closed
Bug 1042870
Opened 10 years ago
Closed 10 years ago
CALDAV to HTTPS with self-signed certificates stopped working (fails using mozilla::pkix, works using NSS)
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
WORKSFORME
People
(Reporter: u453171, Unassigned)
Details
(Whiteboard: mozilla::pkix, revert to old SSL-Verification Library, TB 31, core, SSL)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140722064054
Steps to reproduce:
I'm using TB 31 + Lightning 3.3 to synchronize my CALDAV calendar (Horde) via https.
For https I'm using self-signed certificates. TZPUSH is used for contacts (also Horde, self-signed).
Actual results:
Calendars do not sync (yellow triangle next to calendar).
Thunderbird throws DAV_NOT_DAV and READ_FAILED errors in console when starting, for each https CalDav-url.
When connecting to the server by plain http, the sync is successful.
TZPUSH is also not syncing.
Expected results:
The calendars should have synced.
After downgrading to TB 24.6.0.1 and Lightning 2.6.6, calendars are in sync again.
Also: TZPUSH is working again.
So: the problem might also be related to TB 31.
Comment 1•10 years ago
For me it was the case of being a cA: true certificate, see https://bugzilla.mozilla.org/show_bug.cgi?id=1036338#c5
(In reply to chris from comment #1)
> For me it was the case of being a cA: true certificate, see
> https://bugzilla.mozilla.org/show_bug.cgi?id=1036338#c5
The property CA: True is set in my CA's root Certificate:
X509v3 Basic Constraints: critical
CA:TRUE
I'll try deleting the imported CAs and reimporting them.
Maybe this will help.
Comment 3•10 years ago
I don't think this is a Lightning problem.
Thunderbird 31 contains a new certificate verification library. This blog post <http://mike.kaply.com/2014/08/01/new-certificate-verification-library-in-firefox-31/> provides some useful links and information on how to revert to the old library for testing.
If your certificate works after enabling the old verification library, then I assume it is a problem with the new verification library.
Hi Stefan, your solution works out.
What did I do?
0) Deleted the old calendar
1) Set security.use_mozillapkix_verification to false
2) Deleted the CA certificates from TB
3) Deleted username/password from TB's password database
4) Reimported the CA certificates and set trust levels accordingly
5) Added the CalDAV calendar
Some steps might not be necessary.
To rule out the possibility that I had imported the CA certificates in a wrong way, I re-enabled the new library with "security.use_mozillapkix_verification=true". As expected, the calendar is broken again.
Error message for documentation (translated from German):
Warning: Error reading data for calendar: CALENDARNAME. However, this error is probably negligible, so the program tries to continue. Error code: DAV_NOT_DAV. Description: The resource at https://a.valid.url/ is either not a DAV collection or it is not available
Warning: Error reading data for calendar: CALENDARNAME. However, this error is probably negligible, so the program tries to continue. Error code: READ_FAILED. Description:
Long story short: the issue is solved by reverting to the old SSL verification library.
Whiteboard: mozilla::pkix, revert to old SSL-Verification Library, TB 31, core, SSL
Comment 5•10 years ago
Moving over to Core, hopefully the experts there can help to analyze.
Component: Provider: CalDAV → Security: PSM
Product: Calendar → Core
Summary: CALDAV to HTTPS with self-signed certificates stopped working. → CALDAV to HTTPS with self-signed certificates stopped working (fails using mozilla::pkix, works using NSS)
Version: Lightning 3.3 → 31 Branch
Comment 6•10 years ago
Reporter, if you could post a copy of the certificates you're using (just the public parts), it would help diagnose the problem. Thanks!
Flags: needinfo?(mozilla)
Hi Dave, is this sufficient?
##Connection to the Server:
openssl s_client -connect horde.demuth.mobi:443 -servername horde.demuth.mobi
CONNECTED(00000003)
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=*.demuth.mobi
i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=*.demuth.mobi
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 4643 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: F47C17CA6AD45381271A5FB15B2822BAA77C1A8F0047F1A2FBF6BD1E7A4F8924
Session-ID-ctx:
Master-Key: 2395D41072181E58A256321B9174B7B6C9004D935E230982A687420BE91DD545AEBD0C465E5EBB61755AA69C47489689
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
<snip>
Start Time: <snip>
##Server Certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 142025 (0x22ac9)
Signature Algorithm: sha512WithRSAEncryption
Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
Validity
Not Before: Apr 9 08:17:22 2014 GMT
Not After : Apr 8 08:17:22 2016 GMT
Subject: CN=*.demuth.mobi
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus: <snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
Authority Information Access:
OCSP - URI:http://ocsp.cacert.org/
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.cacert.org/class3-revoke.crl
X509v3 Subject Alternative Name:
DNS:*.demuth.mobi, othername:<unsupported>, DNS:fk.demuth.mobi, othername:<unsupported>, DNS:horde.demuth.mobi, othername:<unsupported>
Signature Algorithm: sha512WithRSAEncryption
<snip>
## Root CA certificates can be found here:
http://www.cacert.org/index.php?id=3
Flags: needinfo?(mozilla)
Comment 8•10 years ago
If you import the CAcert root certificate linked to on that page into Thunderbird using Preferences -> Advanced -> Certificates -> View Certificates -> Authorities - > Import and trust it to identify websites, does it work?
(In reply to David Keeler (:keeler) [use needinfo?] from comment #8)
> If you import the CAcert root certificate linked to on that page into
> Thunderbird using Preferences -> Advanced -> Certificates -> View
> Certificates -> Authorities - > Import and trust it to identify websites,
> does it work?
As described in Comment 4, step 4, this was done, but it does not solve the problem.
Comment 10•10 years ago (Reporter)
I upgraded to TB v.31.1.0 today.
To check if the issue still exists, I set security.use_mozillapkix_verification to true.
The calendars are still syncing.
It seems that the issue is fixed.
I'll test it this afternoon on a similar device and confirm.
Flags: needinfo?(mozilla)
Comment 11•10 years ago (Reporter)
Confirmed. It also works on the second device.
The update seems to have resolved the issue.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mozilla)
Resolution: --- → WORKSFORME