1107037 - sbs.rpc.lan - STARTTLS not working with Mercury Mail Server (ports 993 and 8443)

Status: RESOLVED INCOMPLETE

(Thunderbird :: Security, defect)

Description

[Greg]

User Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20141024174355

Steps to reproduce:

Upgrade Thunderbird Windows client to 32.3.0 on a working IMAP connection to Mercury Mail Server


Actual results:

Thunderbird report it is disconnected from mail server.  No login to IMAP sever (Mercury) possible with existing settings in Account-Server-Authentication set to STARTTLS.
Changing to Authencation NONE allows the IMAP connection. 

Just had 10 clients update to 32.3.0 and all of them can no longer login to the IMAP server using STARTTLS

The Mail server is Mercury the companion server to Pegasus client

So in short using Thunderbird 32.3.0 I have to disable STARTTLS to connect to the IMAP server
Mercury/32 Mail Transport System for Win32 and NetWare Systems v4.74

The IMAP server and T/Bird worked fine before this update please can we restore the previous behaviour ???

Any one else have similar issues the STARTTLS with other servers ??


Expected results:

STARTTLS authentication which was working in Thunderbird 32.2.0 and earlier clients, stops working when it should still be allowed.
Setting to Authenticate NONE allows the IMAP connection

Comment 1

[Magnus Melin [:mkmelin]]

Maybe it used SSL 3.0 which is now disabled starting with the 31.3.0 release?
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Comment 2

[Javi Rueda :javirid]

No data-loss and neither hang nor crash, so this is not a critical bug.

This one could be another duplicate of bug 970254. Greg, are there any error message shown on the Error Console (about ssl_error_no_cypher_overlap)?

Comment 3

[Greg]

Thanks for the reply Javi,

This may be due to the mail server only supporting up to v3 of SSl/Starttls
If so I will have to use older version of Thunderbird for any IMAP connections to the server from the Internet (Lan clients not so severe.

Here is the Thunderbird error console report.

Timestamp: 5/12/2014 9:24:30 AM
Error: An error occurred during a connection to sbs.rpc.lan:143.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

Comment 4

[Javi Rueda :javirid]

Thank you for the information, Greg. That error message confirms that this bug is in fact a duplicate of bug 970254.

This means that this bug should be closed and from now, the fix should come from bug 970254. which is a core bug, affecting all Mozilla products.

You could visit it from now on, as sometimes someone post a workaround for the problem.

Comment 5

[Masatoshi Kimura [:emk]]

I don't think this is actually a dupe of bug 970254.
ssl_error_no_cypher_overlap will be used for gazillions of different causes of handshake failures.
Rather, this is likely to be a fallout from bug 1076983.

Comment 8

[Dave Garrett]

Is there still an issue here, and is it anything someone here can help with? If it's just an old server that needs upgrading/replacing, there's not much point in keeping this open.