Open Bug 1179002 Opened 7 years ago Updated 7 years ago

connecting to a mailbox with STARTTLS and encrypted password fails after upgrading to TB 38.0.1

Categories

(Thunderbird :: Security, defect)

38 Branch
All
Linux
defect
Not set
normal

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: marja11, Unassigned)

Details

(Keywords: regression, Whiteboard: [has protocol log])

Attachments

(1 file, 1 obsolete file)

Attached file shortened_imap.log (obsolete) —
User Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150627185143

Steps to reproduce:

upgrade from Thunderbird 31.7.0 to 38.0.1

tried 3x

First in Mageia cauldron (64bit)
Then in Mageia 5 (32bit)
Last time I used the version from https://www.mozilla.org/en-US/thunderbird/download/?product=thunderbird-38.0.1&os=linux&lang=en-US (again in Mga5)


Actual results:

I could no longer connect to one of my mailboxes.

It is the only one for which STARTTLS + encrypted password is used


Expected results:

Connecting should still be possible

I removed everything referring to my other mailboxes from the attached imap log.
The others all use SSL/TLS and don't have a problem.
OS: Unspecified → Linux
Hardware: Unspecified → All
Whiteboard: [has protocol log]
Any difference with 38.1.0? Not bug 1174159?
Keywords: regression
(In reply to Magnus Melin from comment #1)
> Any difference with 38.1.0? Not bug 1174159?

No difference, sorry.

However, I created a new .thunderbird with only the Interconnect mailbox, so that I can now attach a full log (just in case I deleted too much in the first one I attached).
Attachment #8627940 - Attachment is obsolete: true
I just got the 38.1 update and it broke one of my accounts also.  Platform=Windows.
Changing Connection security from SSL/TLS to None allows me to check mail.
(In reply to sean e from comment #3)
> I just got the 38.1 update and it broke one of my accounts also. 
> Platform=Windows.
> Changing Connection security from SSL/TLS to None allows me to check mail.

Your issue in that case was quite likely the fact the server has not had an update to its TLS certificates.  If that were the case there would be entries in the error console about weak Diffie-Hellman.
(In reply to Matt from comment #4)
> Your issue in that case was quite likely the fact the server has not had an
> update to its TLS certificates.  If that were the case there would be
> entries in the error console about weak Diffie-Hellman.

No weak Diffie-Hellman message:

Timestamp: 2015.07.17 7:45:49 pm
Error: An error occurred during a connection to mail.ca.astound.net:995.

SSL peer was not expecting a handshake message it received.

(Error code: ssl_error_handshake_unexpected_alert)
Same issue with Thunderbird update pushed on Ubuntu 14.04 yesterday (07-22-2015), switching from 31.7.0 to 31.8.0, trying to fetch mails from a POP3S server (SSL/TLS secured, normal password). Thunderbird displays "Connected ..." in the status bar but nothing occurs then.

Below is information about the certificate, obtained by running the following command. Connected with openssl, I can successfully run POP3 commands like "user", "pass", "list" and "retr".

$ openssl s_client -connect <host>:pop3s
CONNECTED(00000003)
depth=1 CN = <Removed4Bugzilla> Authority, OU = <Removed4Bugzilla> Services, O = <Removed4Bugzilla>, C = Fr
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=<Removed4Bugzilla>/O=<Removed4Bugzilla>/C=fr
   i:/CN=<Removed4Bugzilla> Authority/OU=<Removed4Bugzilla> Services/O=<Removed4Bugzilla>/C=Fr
 1 s:/CN=<Removed4Bugzilla> Authority/OU=<Removed4Bugzilla> Services/O=<Removed4Bugzilla>/C=Fr
   i:/CN=<Removed4Bugzilla> Authority/OU=<Removed4Bugzilla> Services/O=<Removed4Bugzilla>/C=Fr
---
Server certificate
-----BEGIN CERTIFICATE-----
<Removed4Bugzilla>
-----END CERTIFICATE-----
subject=/CN=<Removed4Bugzilla>/O=<Removed4Bugzilla>/C=fr
issuer=/CN=<Removed4Bugzilla> Authority/OU=<Removed4Bugzilla> Services/O=<Removed4Bugzilla>/C=Fr
---
No client certificate CA names sent
---
SSL handshake has read 3385 bytes and written 460 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: <Removed4Bugzilla>
    Session-ID-ctx: 
    Master-Key: <Removed4Bugzilla>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437632543
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
+OK <Removed4Bugzilla> Zimbra POP3 server ready
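A triage helper for `openssl s_client` captures like the one above, added here as an example and not part of any comment in this bug. It keeps the certificate key size ("Server public key is ... bit") apart from the Diffie-Hellman group size, which is what a weak-DH check is about. The function name `summarize`, the `MIN_DH_BITS` threshold and the "Server Temp Key" line in the constructed sample are assumptions.

```python
import re

# Constructed capture modelled on the s_client output quoted above. The
# "Server Temp Key" line is an assumption: newer OpenSSL builds print it,
# the capture in this bug does not contain it.
SAMPLE = """\
verify error:num=19:self signed certificate in certificate chain
Server Temp Key: DH, 768 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
"""

MIN_DH_BITS = 1024  # assumed policy value; set it to your client's real minimum


def summarize(text, min_dh_bits=MIN_DH_BITS):
    """Return (fields, findings) for one `openssl s_client` capture."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else None

    info = {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        # Size of the certificate's key, NOT of the Diffie-Hellman group.
        "cert_key_bits": grab(r"^Server public key is (\d+) bit", int),
        "temp_key_type": grab(r"^Server Temp Key:\s*(\w+),"),
        "temp_key_bits": grab(r"^Server Temp Key:.*?(\d+) bits", int),
        "verify_code": grab(r"^\s*Verify return code:\s*(\d+)", int),
    }
    findings = []
    if (info["cipher"] or "").startswith(("DHE-", "EDH-")):
        bits = info["temp_key_bits"]
        if bits is None:
            findings.append("DHE suite negotiated, DH group size not reported")
        elif info["temp_key_type"] == "DH" and bits < min_dh_bits:
            findings.append(f"DH group is {bits} bits, below {min_dh_bits}")
    if info["verify_code"] not in (None, 0):
        findings.append(f"chain verification returned code {info['verify_code']}")
    return info, findings


if __name__ == "__main__":
    fields, problems = summarize(SAMPLE)
    print(fields)
    print("\n".join(problems) or "nothing flagged")
```
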
(In reply to Maxime from comment #6)
> Same issue with Thunderbird update pushed on Ubuntu 14.04 yesterday
> (07-22-2015), switching from 31.7.0 to 31.8.0, trying to fetch mails from a
> POP3S server (SSL/TLS secured, normal password). Thunderbird displays
> "Connected ..." in the status bar but nothing occurs then.
> 

Sorry, Maxime, but I don't have any problems with 31.8.0 (downloaded from https://www.mozilla.org/en-US/thunderbird/download/?product=thunderbird-31.8.0&os=linux&lang=en-US ). 
Besides, I only have problems in 38.0.1 and 38.1.0 when using STARTTLS + encrypted password, I never had problems with my IMAP SSL/TLS secured mailboxes.

So it is extremely unlikely that your bug is the same as mine and getting mine solved might not help you at all. Please file a separate bug report.
Component: Untriaged → Security
I created a new e-mail account with a provider who loves Linux, and exactly the same settings (STARTTLS + encrypted password) aren't a problem there: I can fetch my mails fine with TB 38.1.0

If no one else hits this issue, then it's probably an issue with the other provider, who doesn't seem interested as long as everything works with Outlook :-/

OTOH: why does it work fine there in 31.8.0, what is so different between 31.*.* and 38.*.*?