Closed Bug 1042870 Opened 10 years ago Closed 10 years ago

CALDAV to HTTPS with self-signed certificates stopped working (fails using mozilla::pkix, works using NSS)

Categories: Core :: Security: PSM, defect
Version: 31 Branch
Type: defect
Priority: Not set
Severity: normal

RESOLVED WORKSFORME

People

(Reporter: u453171, Unassigned)

Details

(Whiteboard: mozilla::pkix, revert to old SSL-Verification Library, TB 31, core, SSL)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140722064054

Steps to reproduce:

I'm using TB 31 + Lightning 3.3 to synchronize my CALDAV calendar (Horde) via https. For https I'm using self-signed certificates. TZPUSH is used for contacts (also Horde, self-signed).

Actual results:

Calendars do not sync (yellow triangle next to calendar). Thunderbird throws DAV_NOT_DAV and READ_FAILED errors in the console when starting, for each https CalDAV URL. When connecting to the server by plain http, the sync is successful. TZPUSH is also not syncing.

Expected results:

The calendars should have synced. After downgrading to TB 24.6.0.1 and Lightning 2.6.6, calendars are in sync again. Also: TZPUSH is working again. So: the problem might also be related to TB 31.
For me it was the case of being a cA: true certificate, see https://bugzilla.mozilla.org/show_bug.cgi?id=1036338#c5
(In reply to chris from comment #1)
> For me it was the case of being a cA: true certificate, see
> https://bugzilla.mozilla.org/show_bug.cgi?id=1036338#c5

The property CA: True is set in my CA's root certificate:

X509v3 Basic Constraints: critical
    CA:TRUE

I'll try deleting the imported CAs and reimporting them. Maybe this will help.
I don't think this is a Lightning problem. Thunderbird 31 contains a new certificate verification library. This blog post <http://mike.kaply.com/2014/08/01/new-certificate-verification-library-in-firefox-31/> provides some useful links and information on how to revert to the old library for testing. If your certificate works after enabling the old verification library, then I assume it is a problem with the new verification library.
Hi Stefan, your solution works out. What have I done?

0) Deleted the old calendar
1) Set security.use_mozillapkix_verification to false
2) Deleted the CA certificates from TB
3) Deleted password/username from TB's password database
4) Reimported the CA certificates and set trust levels accordingly
5) Added the CalDAV calendar

Some steps might not be necessary.

To cross out the possibility that I'd imported the CA certificates in a wrong way, I re-enabled the new library with "security.use_mozillapkix_verification=true". As expected, the calendar is broken again.

Error message for documentation:

Warning: Fehler beim Lesen von Daten für Kalender: CALENDARNAME. Allerdings ist dieser Fehler wahrscheinlich vernachlässigbar, daher versucht das Programm fortzufahren. Fehlercode: DAV_NOT_DAV. Beschreibung: Die Ressource auf https://a.valid.url/ ist entweder keine DAV-Sammlung oder sie ist nicht verfügbar
Warning: Fehler beim Lesen von Daten für Kalender: CALENDARNAME. Allerdings ist dieser Fehler wahrscheinlich vernachlässigbar, daher versucht das Programm fortzufahren. Fehlercode: READ_FAILED. Beschreibung:

Long story short: the issue is solved by reverting to the old SSL verification library.
Whiteboard: mozilla::pkix, revert to old SSL-Verification Library, TB 31, core, SSL
Moving over to Core, hopefully the experts there can help to analyze.
Component: Provider: CalDAV → Security: PSM
Product: Calendar → Core
Summary: CALDAV to HTTPS with self-signed certificates stopped working. → CALDAV to HTTPS with self-signed certificates stopped working (fails using mozilla::pkix, works using NSS)
Version: Lightning 3.3 → 31 Branch
Reporter, if you could post a copy of the certificates you're using (just the public parts), it would help diagnose the problem. Thanks!
Flags: needinfo?(mozilla)
Hi Dave, is this sufficient?

##Connection to the Server:

openssl s_client -connect horde.demuth.mobi:443 -servername horde.demuth.mobi
CONNECTED(00000003)
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=*.demuth.mobi
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGTjCCBDagAwIBAgIDAirJMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTQwNDA5MDgxNzIyWhcNMTYwNDA4
MDgxNzIyWjAYMRYwFAYDVQQDFA0qLmRlbXV0aC5tb2JpMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAtC5v23RE3qPViQPgErvmO/8WC26EIYxFpug8PV3r
wEWPZHYtqu+rqRswPfdgttI5q8gICUcJTX3IK4+ToffmtJLhnBKUsBBYVne+d4bz
0mU6CWPp7gVnxL4AK69wV4ZK7T/0UOcLvSXm43GDZcUngMVGPMWr7vU7kU06AxIk
DD0HgRHYR96A24w2/PK6HK//TQzB+t+7Liar+eL8yCGNiqfS7W5N6FIdvxV6hUSo
qhROauLBauMZ9UubRhMapXWmTJXcXX+vwfESTzS0dM1rQt6+TOwFv+6SK0AdxoKk
RNONhyi/IuJNoQA5Dtpev868fzeavPdkcHzL18NtG5HgEwvho7eNJW5/xYvYfu02
PaX0DG7vTJ4I6AOjvkJyav5IDg/jraXWgEyX/cAwTJOeydgxW8SrKhGgVNuaeJTo
HcWYLzHncseVZJXkfKkUnQGfjBwhzuajq+L+sTXZHynp3Sm6ejwGqBeNtSM7h9np
N3B27DS7uiG5UEmrm9Smh64NR0ZtrZQYnC7kREqcpD/miGK+Pkh0qZOuaIawVorI
IF0OxMgAfaGCE01Y2KhHoRxkZ8w5ON7N8gvMSEDURUfDNggOOgurKhbxSX1kFQoX
378ru2/3ODSmCWdMcToOVc2UoYoNmUGAEbhTd/vMYvBdpRSyKw8X+SARYfkpA5BT
3LECAwEAAaOCAWMwggFfMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMDQG
A1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3
CgMDMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuY2Fj
ZXJ0Lm9yZy8wOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5jYWNlcnQub3Jn
L2NsYXNzMy1yZXZva2UuY3JsMIGZBgNVHREEgZEwgY6CDSouZGVtdXRoLm1vYmmg
GwYIKwYBBQUHCAWgDwwNKi5kZW11dGgubW9iaYIOZmsuZGVtdXRoLm1vYmmgHAYI
KwYBBQUHCAWgEAwOZmsuZGVtdXRoLm1vYmmCEWhvcmRlLmRlbXV0aC5tb2JpoB8G
CCsGAQUFBwgFoBMMEWhvcmRlLmRlbXV0aC5tb2JpMA0GCSqGSIb3DQEBDQUAA4IC
AQAB+mV9f99LU06/QvyQ2nAD6lmCxq+zRCFS675kK5RjsoBkIXrIpEaLkKoqKYNI
X43qBP/bU3cgOQp698DsUpXpiXoUvbJNgGyac/d4ihCTd/OuYnuXhstHCxTp4YEG
hAb0ZeadY6QwF13Ds4v9L9lp92i1hiX836ub1PYz03b+vo/rhN9uVELFFY30luZd
z9ATjSVNgndYaQa8DbQZWvET1htJxYvAkHiYx/l8gOlRkstR0VnOH7yq9Jktfrt9
zs7DiGyKI3iSS4OO97nedl3lGoZTJxnhjQzfZm5AOxW/SnnCEckV0d1gNgphBigH
A15x/zzESNzgCmMzqyZlmbF5ZqTZ0mUz8t0Ovu3JrL8OQuLKD6Cm1pHxiysnTuqV
02Ds3oZfIiNVwt1LM1pWG82aW+RUBzAzB5T/hkDyUD5SE3+Osm9hAUw1WkfPayVG
bFViepkxtjSctPVqCeb5htTVeVm4l3xBabb6odqV7kTWZwcraJHbhrr3nQxsr5Xd
P4WT9WGLFgpIKfkQ9bcB3lwIsiG6p27sH6b0czBH0vk7GeqOV8LqgauIYOCMX/LI
07S8LbJvXi5JXgI6yxq8ITTIlBsFFfBwYkbGu9ibBC3YqI0t/XjPb7yo86wGC1Wp
+vz7M72LIeqdK/OU1Sz2ZbS/OwR/MpBnRpau4V901mo3QA==
-----END CERTIFICATE-----
subject=/CN=*.demuth.mobi
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 4643 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: F47C17CA6AD45381271A5FB15B2822BAA77C1A8F0047F1A2FBF6BD1E7A4F8924
    Session-ID-ctx:
    Master-Key: 2395D41072181E58A256321B9174B7B6C9004D935E230982A687420BE91DD545AEBD0C465E5EBB61755AA69C47489689
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    <snip>
    Start Time: <snip>

##Server Certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 142025 (0x22ac9)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Apr  9 08:17:22 2014 GMT
            Not After : Apr  8 08:17:22 2016 GMT
        Subject: CN=*.demuth.mobi
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:*.demuth.mobi, othername:<unsupported>, DNS:fk.demuth.mobi, othername:<unsupported>, DNS:horde.demuth.mobi, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption
        <snip>

## Root CA-Keys can be found here: http://www.cacert.org/index.php?id=3
Flags: needinfo?(mozilla)
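As an added illustration for comments 2, 3 and 7 (this is not code from the bug's own discussion, from Thunderbird or from mozilla::pkix): the script below decodes the server certificate pasted in comment 7 with a small standard-library DER walker and reports the extensions a strict end-entity validator looks at: the Basic Constraints cA flag that comment 2 refers to, Key Usage, Extended Key Usage and the subjectAltName DNS entries, plus an RFC 6125-style hostname match. The check list in `server_leaf_problems()` is this example's own summary of those requirements, not Mozilla's algorithm; the CAcert root discussed in comment 2 is not on the page, so only the leaf is examined, but `is_ca()` applied to an issuer certificate's Basic Constraints is the same test that confirms the CA:TRUE property the reporter quotes there.

```python
# Added example for this bug thread, not code from the report, Thunderbird or mozilla::pkix.
# LEAF_B64 is the base64 body of the *.demuth.mobi server certificate pasted in comment 7;
# the check list in server_leaf_problems() is this example's own summary of what a strict
# end-entity validator looks at, not Mozilla's algorithm.
import base64

LEAF_B64 = (
    "MIIGTjCCBDagAwIBAgIDAirJMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTQwNDA5MDgxNzIyWhcNMTYwNDA4MDgxNzIyWjAYMRYwFAYDVQQDFA0qLmRlbXV0aC5tb2JpMIICIjANBgkqhkiG9w0B"
    "AQEFAAOCAg8AMIICCgKCAgEAtC5v23RE3qPViQPgErvmO/8WC26EIYxFpug8PV3rwEWPZHYtqu+rqRswPfdgttI5q8gICUcJTX3IK4+ToffmtJLhnBKUsBBYVne+d4bz0mU6CWPp7gVnxL4AK69wV4ZK7T/0UOcLvSXm43GDZcUngMVGPMWr7vU7kU06AxIkDD0HgRHYR96A24w2/PK6HK//TQzB+t+7Liar+eL8yCGNiqfS7W5N6FIdvxV6hUSo"
    "qhROauLBauMZ9UubRhMapXWmTJXcXX+vwfESTzS0dM1rQt6+TOwFv+6SK0AdxoKkRNONhyi/IuJNoQA5Dtpev868fzeavPdkcHzL18NtG5HgEwvho7eNJW5/xYvYfu02PaX0DG7vTJ4I6AOjvkJyav5IDg/jraXWgEyX/cAwTJOeydgxW8SrKhGgVNuaeJToHcWYLzHncseVZJXkfKkUnQGfjBwhzuajq+L+sTXZHynp3Sm6ejwGqBeNtSM7h9np"
    "N3B27DS7uiG5UEmrm9Smh64NR0ZtrZQYnC7kREqcpD/miGK+Pkh0qZOuaIawVorIIF0OxMgAfaGCE01Y2KhHoRxkZ8w5ON7N8gvMSEDURUfDNggOOgurKhbxSX1kFQoX378ru2/3ODSmCWdMcToOVc2UoYoNmUGAEbhTd/vMYvBdpRSyKw8X+SARYfkpA5BT3LECAwEAAaOCAWMwggFfMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMDQG"
    "A1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9yZy8wOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5jYWNlcnQub3JnL2NsYXNzMy1yZXZva2UuY3JsMIGZBgNVHREEgZEwgY6CDSouZGVtdXRoLm1vYmmg"
    "GwYIKwYBBQUHCAWgDwwNKi5kZW11dGgubW9iaYIOZmsuZGVtdXRoLm1vYmmgHAYIKwYBBQUHCAWgEAwOZmsuZGVtdXRoLm1vYmmCEWhvcmRlLmRlbXV0aC5tb2JpoB8GCCsGAQUFBwgFoBMMEWhvcmRlLmRlbXV0aC5tb2JpMA0GCSqGSIb3DQEBDQUAA4ICAQAB+mV9f99LU06/QvyQ2nAD6lmCxq+zRCFS675kK5RjsoBkIXrIpEaLkKoqKYNI"
    "X43qBP/bU3cgOQp698DsUpXpiXoUvbJNgGyac/d4ihCTd/OuYnuXhstHCxTp4YEGhAb0ZeadY6QwF13Ds4v9L9lp92i1hiX836ub1PYz03b+vo/rhN9uVELFFY30luZdz9ATjSVNgndYaQa8DbQZWvET1htJxYvAkHiYx/l8gOlRkstR0VnOH7yq9Jktfrt9zs7DiGyKI3iSS4OO97nedl3lGoZTJxnhjQzfZm5AOxW/SnnCEckV0d1gNgphBigH"
    "A15x/zzESNzgCmMzqyZlmbF5ZqTZ0mUz8t0Ovu3JrL8OQuLKD6Cm1pHxiysnTuqV02Ds3oZfIiNVwt1LM1pWG82aW+RUBzAzB5T/hkDyUD5SE3+Osm9hAUw1WkfPayVGbFViepkxtjSctPVqCeb5htTVeVm4l3xBabb6odqV7kTWZwcraJHbhrr3nQxsr5XdP4WT9WGLFgpIKfkQ9bcB3lwIsiG6p27sH6b0czBH0vk7GeqOV8LqgauIYOCMX/LI"
    "07S8LbJvXi5JXgI6yxq8ITTIlBsFFfBwYkbGu9ibBC3YqI0t/XjPb7yo86wGC1Wp+vz7M72LIeqdK/OU1Sz2ZbS/OwR/MpBnRpau4V901mo3QA=="
)
LEAF_DER = base64.b64decode(LEAF_B64)

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def oid_str(value):
    """Dotted form of DER OID contents (base-128 arcs, high bit = continuation)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def extensions(der):
    """Map extension OID -> (critical, extnValue bytes) for a DER certificate."""
    _, cert, _ = der_read(der)                                      # Certificate
    tbs = der_children(cert)[0][1]                                  # TBSCertificate
    wrapper = next(v for t, v in der_children(tbs) if t == 0xA3)    # [3] extensions
    result = {}
    for _, ext in der_children(der_children(wrapper)[0][1]):
        fields = der_children(ext)            # OID, optional BOOLEAN critical, OCTET STRING
        critical = any(t == 0x01 and v == b"\xff" for t, v in fields[1:-1])
        result[oid_str(fields[0][1])] = (critical, fields[-1][1])
    return result

def is_ca(extn_value):
    """BasicConstraints cA flag; an empty SEQUENCE means the DEFAULT FALSE."""
    return any(t == 0x01 and v == b"\xff"
               for t, v in der_children(der_children(extn_value)[0][1]))

def key_usage(extn_value):
    """Names of the KeyUsage bits that are set (BIT STRING, bit 0 is the MSB)."""
    _, bits = der_children(extn_value)[0]
    total = (len(bits) - 1) * 8 - bits[0]                          # bits[0] = unused bit count
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and bits[1 + i // 8] & (0x80 >> (i % 8))]

def ext_key_usage(extn_value):
    """ExtendedKeyUsage OIDs in dotted form."""
    return [oid_str(v) for _, v in der_children(der_children(extn_value)[0][1])]

def san_dns_names(extn_value):
    """dNSName entries of a SubjectAltName ([2] IMPLICIT IA5String, tag 0x82)."""
    return [v.decode("ascii")
            for t, v in der_children(der_children(extn_value)[0][1]) if t == 0x82]

def hostname_matches(hostname, dns_names):
    """Exact match, or a wildcard that is the entire leftmost label."""
    host = hostname.lower().split(".")
    for pat in (name.lower().split(".") for name in dns_names):
        if len(pat) == len(host) and (pat == host or (pat[0] == "*" and pat[1:] == host[1:])):
            return True
    return False

def server_leaf_problems(der, hostname):
    """Reasons a strict verifier would refuse this end-entity certificate for hostname;
    an empty list means the leaf's own extensions look acceptable."""
    exts, problems = extensions(der), []
    if "2.5.29.19" in exts and is_ca(exts["2.5.29.19"][1]):
        problems.append("end-entity certificate asserts CA:TRUE")
    if "2.5.29.15" in exts and not (
            {"digitalSignature", "keyEncipherment"} & set(key_usage(exts["2.5.29.15"][1]))):
        problems.append("KeyUsage permits neither digitalSignature nor keyEncipherment")
    if "2.5.29.37" in exts and SERVER_AUTH not in ext_key_usage(exts["2.5.29.37"][1]):
        problems.append("ExtendedKeyUsage lacks serverAuth")
    names = san_dns_names(exts["2.5.29.17"][1]) if "2.5.29.17" in exts else []
    if not hostname_matches(hostname, names):
        problems.append("no subjectAltName dNSName matches " + hostname)
    return problems
```

Calling `server_leaf_problems(LEAF_DER, "horde.demuth.mobi")` returns an empty list: the leaf is CA:FALSE, its Key Usage includes digitalSignature and keyEncipherment, its EKU lists serverAuth and the SAN covers the host, which matches the openssl dump in comment 7 and means these particular end-entity checks do not explain the TB 31.0 failure; the place to look is the issuer chain, which is what comment 2 points at. The same decoder run on the CAcert root and intermediate would show whether each carries a critical Basic Constraints with CA:TRUE and keyCertSign in Key Usage, the properties a strict path validator requires of an issuer.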
If you import the CAcert root certificate linked to on that page into Thunderbird using Preferences -> Advanced -> Certificates -> View Certificates -> Authorities -> Import and trust it to identify websites, does it work?
(In reply to David Keeler (:keeler) [use needinfo?] from comment #8)
> If you import the CAcert root certificate linked to on that page into
> Thunderbird using Preferences -> Advanced -> Certificates -> View
> Certificates -> Authorities -> Import and trust it to identify websites,
> does it work?

As depicted in comment 4, step 4, this was done, but it does not solve the problem.
I upgraded to TB v.31.1.0 today. To check if the issue still exists, I set security.use_mozillapkix_verification to true. The calendars are still syncing. It seems that the issue is fixed. I'll test it this afternoon on a similar device and confirm.
Flags: needinfo?(mozilla)
Confirmed. It also works on the second device. The update seems to have resolved the issue.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mozilla)
Resolution: --- → WORKSFORME