Open Bug 1185344 Opened 9 years ago Updated 2 years ago

connect to courier-imap-ssl doesn't work since I upgraded to v 38.0.1

Categories: MailNews Core :: Security, defect
Tracking: Not tracked
Status: UNCONFIRMED
People: Reporter: mozilla; Unassigned
Details: Keywords: regression

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

I have had Courier IMAP running for years, and I cannot access my mails since I upgraded Thunderbird to v38.0.1 on my Windows notebook. It still works with my desktop running the older Thunderbird from Ubuntu LTS. Some additional information can be found in a Gentoo Forums post I made: https://forums.gentoo.org/viewtopic-t-608756-start-0.html


Actual results:

Mails are not displayed, Thunderbird shows a timeout popup


Expected results:

successfully connect to my IMAP server
Sorry, this was actually the wrong Gentoo Forums link. I mixed it up. This is the right one: https://forums.gentoo.org/viewtopic-t-1023582.html
Now I'm in the office and I've been able to check with an older TB on my Ubuntu desktop: v31.7.0 still connects fine, so I doubt there's a problem with the server.
Another hint: I think there's something seriously broken with the SSL implementation. I deleted my self-signed certificate from the Thunderbird certificate store and restarted. I got no SSL warning about a self-signed certificate AND no connection, so I ran this on the server:
 $ openssl s_client -host localhost  -port 993 | tee imap.log 2>&1
here's imap.log:
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
   i:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 2585 bytes and written 460 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 3969AC008255C5B4F627A49412CB63DCA34BC1BFE61465FE8583EC9582990F7F
    Session-ID-ctx:
    Master-Key: 3E7B8B582A96939933BEF2B2F7C4952227B7679E5D3342DBA67BDA7379D0AAA2D93262922672DF634B146D2A4EE869B4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d0 50 24 1c 95 bc 81 53-7e 63 b3 36 af 44 cd 6f   .P$....S~c.6.D.o
    0010 - 27 ad 5b ea f0 b7 72 36-c9 79 8e 6b 5c 7b 07 13   '.[...r6.y.k\{..
    0020 - 00 72 db ae 38 64 47 68-28 12 48 2a 8a a9 f3 87   .r..8dGh(.H*....
    0030 - a7 8c 44 ae f2 28 49 54-b7 41 b7 16 e2 86 0d da   ..D..(IT.A......
    0040 - f7 55 e0 96 f3 23 4b 62-74 b3 79 10 06 96 3d 36   .U...#Kbt.y...=6
    0050 - 2d 98 5c 6b 14 d6 00 71-c5 37 a8 86 4c 01 c0 53   -.\k...q.7..L..S
    0060 - 8b b6 33 40 61 eb 69 65-5d a8 28 29 2c c6 77 94   ..3@a.ie].(),.w.
    0070 - ec ea f1 83 63 27 d5 e6-45 25 a9 4c 83 cf 5d b1   ....c'..E%.L..].
    0080 - 56 56 0a 8f 45 6d 16 6a-92 b4 b2 c7 46 88 c9 78   VV..Em.j....F..x
    0090 - 5a e3 d9 1d df 51 51 75-22 3d 46 75 b6 cd cd 9c   Z....QQu"=Fu....

    Compression: 1 (zlib compression)
    Start Time: 1437504644
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.


Seems like SSL is running fine.
Component: Untriaged → Security
Product: Thunderbird → MailNews Core
I keep digging. I have another server as my home archive running Dovecot, also with a self-signed certificate, and I can still log in to that server, so I did the same SSL test I did with the other server. Here's the log:
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
   i:/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEITCCAwmgAwIBAgIJAJhQ0xdBonUlMA0GCSqGSIb3DQEBBQUAMGgxHDAaBgNV
BAoTE0RvdmVjb3QgbWFpbCBzZXJ2ZXIxEzARBgNVBAsTCm1hZ2dpZS5sYW4xEzAR
BgNVBAMTCm1hZ2dpZS5sYW4xHjAcBgkqhkiG9w0BCQEWD3Jvb3RAbWFnZ2llLmxh
bjAeFw0xMzA1MDQwNzQxMzlaFw0yMzA1MDQwNzQxMzlaMGgxHDAaBgNVBAoTE0Rv
dmVjb3QgbWFpbCBzZXJ2ZXIxEzARBgNVBAsTCm1hZ2dpZS5sYW4xEzARBgNVBAMT
Cm1hZ2dpZS5sYW4xHjAcBgkqhkiG9w0BCQEWD3Jvb3RAbWFnZ2llLmxhbjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBe/BvfuP59+np18ctc6FgszhDD
mldkPjJkYK0UNt0PLbpVZhcuDj9x7Q0Blb6VWc8g+rJzlX5SUxmijHq5PKHcJD/e
omAx9YhXROJqcAl6cef49KPmGpBjKymyP96HZ9UF0jilIJU874cEjTloUYeiSZY2
vT42ziARr1O6wBMo6A3y/rtgbs3Y/fnIxzzZelDUhQSzehSvL+17QFdcDMZVfP1C
rvqr7uke35NEBAl2wmnb0xlM7bRAGTXetevD3KBXuXXZvmIHIg+tdsVXOuSDckTR
4P32OOmv5aMHkKwhlealpmfxtGnuvxvMXAOUzjHnp6tTE8uULc9pSSoRndsCAwEA
AaOBzTCByjAdBgNVHQ4EFgQUWOeosEiDo8fOckx19NY73wWDvfEwgZoGA1UdIwSB
kjCBj4AUWOeosEiDo8fOckx19NY73wWDvfGhbKRqMGgxHDAaBgNVBAoTE0RvdmVj
b3QgbWFpbCBzZXJ2ZXIxEzARBgNVBAsTCm1hZ2dpZS5sYW4xEzARBgNVBAMTCm1h
Z2dpZS5sYW4xHjAcBgkqhkiG9w0BCQEWD3Jvb3RAbWFnZ2llLmxhboIJAJhQ0xdB
onUlMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAGOvlpx3F8LSAsDy
S0Znz2AWf6jewLAsGa0gK2f9LhGDrVr6vcab89OV1eyP6EEhyBNr5TRwdhIqJVCp
vAtKsdxx8VMQuIFQKCMM5BsjaxrjcVctIYt6D/gqBEOrHEaSgnHhv8AGoXT3LezF
jkDgpOAbBWzPQyzEgbgIuKfOljyHYsg/k4qdgPc6C65Tiu7jESkr7e3zsnZMb1Rh
wTdiZPWCQZvk2TGqCjMj4piy6Y+xmegMKz3d0caXN+kunXm9tpcChUduibxyinCG
oP3KfMxVTw4KGV/TeL2/CHxQahaaKryokB5GIRJI0Pm+ZFiBKRyCnoNG7JxAQY+w
oIHw2to=
-----END CERTIFICATE-----
subject=/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
issuer=/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
---
No client certificate CA names sent
---
SSL handshake has read 1915 bytes and written 497 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 7580D45F539931D33604E3CE32C01B375B163F62F86D7818BE8239887174A829
    Session-ID-ctx:
    Master-Key: 4A080E7B4A2357EA00A37609980C481FA7A4A2D4C2438DFB105FC11148F448B7A7D5613A911C56597CCEB1D471358FB9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e0 1c c7 38 5a 60 09 77-08 0a ed b9 9c 18 ef d8   ...8Z`.w........
    0010 - c3 48 50 ca 2f 12 7d da-cd b4 7d 35 eb b8 cf c4   .HP./.}...}5....
    0020 - 4c a3 a9 60 39 8a d9 fa-b3 c9 b5 c3 4b cb e7 e4   L..`9.......K...
    0030 - 35 d1 ac 47 7d 7a 9f 76-e8 d7 ba 47 0a ea c3 9f   5..G}z.v...G....
    0040 - 65 8b 40 82 d3 75 76 28-1c f8 08 74 6d 34 a3 23   e.@..uv(...tm4.#
    0050 - d9 0b 5b 46 23 6f e5 7f-a5 b8 44 00 af 5a 92 e1   ..[F#o....D..Z..
    0060 - 14 76 45 5c 04 a8 d8 6f-75 e4 e7 ae a5 1f e5 66   .vE\...ou......f
    0070 - c9 42 e7 ee 1e 77 b5 7f-27 b7 c0 9d f1 ff 50 87   .B...w..'.....P.
    0080 - 6b ad d0 dd 28 c7 41 69-27 58 da 57 a1 c5 01 97   k...(.Ai'X.W....
    0090 - 88 8d 04 bf cf 1d 69 ac-fb 43 46 82 67 9d 51 57   ......i..CF.g.QW

    Compression: 1 (zlib compression)
    Start Time: 1437643831
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

So not all self-signed certificates seem to be affected.
Keywords: regression
I experienced the same problem with Gentoo Linux thunderbird-bin 31.8.0 and with Linux Mint 31.8.0. I temporarily solved the problem by downgrading both to 31.7.0.

The server courier-imap-ssl installation where the problem happens is running 4.15-r1.
Andrew: Your issue is most likely bug 1184488, which would also apply to Thunderbird 31.8.0 since the Logjam-preventing code landed there as well. Please read that bug for possible workarounds and issues.

This bug should be restricted to issues that first appear in Thunderbird 38.0.1.
Thanks for the hint, Kent. I tried the workarounds too, but unfortunately it's still broken. What did I do? I added this line to the Courier config:
TLS_DHPARAMS=/usr/share/dhparams.pem
and executed this line:
rm /usr/share/dhparams.pem ; DH_BITS=2048 mkdhparams
It took about 2 hours on my server until openssl finished, but after a restart of the courier-imap-ssl service Thunderbird still runs into a timeout.
The error console shows nothing related to this and I'm out of ideas; there should be at least some message :/
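The two `openssl s_client` transcripts posted earlier in this bug, and the DH-parameter regeneration tried just above, are both checks on the same handful of handshake facts: which protocol and cipher were negotiated, whether the certificate is self-signed, whether TLS compression is on, and how large the ephemeral DH group is. The following parser pulls those out of `s_client` output and flags what commonly breaks a mail client after an upgrade. It is example code added to this page, not part of Thunderbird, Courier, Dovecot or OpenSSL. It assumes OpenSSL 1.0.2 or newer, which prints a `Server Temp Key:` line that the transcripts above (from an older OpenSSL) lack; the embedded sample is constructed from the Courier transcript with that line added, and the 768-bit figure in it is invented for illustration, not taken from the reporter's server. For a STARTTLS port, run `openssl s_client -starttls imap -connect host:143` and feed the output to the same function.

```python
"""Parse `openssl s_client` output into the TLS facts that decide whether a mail
client will talk to the server, and flag the ones that commonly break after a
client upgrade. Example code added to this bug page; not part of Thunderbird,
Courier, Dovecot or OpenSSL."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TlsProbe:
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    server_key_bits: Optional[int] = None
    compression: Optional[str] = None
    verify_code: Optional[int] = None
    verify_text: Optional[str] = None
    temp_key_type: Optional[str] = None   # from "Server Temp Key:", OpenSSL 1.0.2+ only
    temp_key_bits: Optional[int] = None
    self_signed: bool = False
    findings: List[str] = field(default_factory=list)


_RX_PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_RX_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_RX_KEYBITS = re.compile(r"^Server public key is (\d+) bit", re.M)
_RX_COMPRESSION = re.compile(r"^Compression:\s*(.+?)\s*$", re.M)   # top-level line only
_RX_VERIFY = re.compile(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")
# "DH, 2048 bits", "ECDH, P-256, 256 bits", "X25519, 253 bits"
_RX_TEMPKEY = re.compile(r"^Server Temp Key:\s*([A-Za-z0-9]+),\s*(?:[^,\n]+,\s*)?(\d+) bits", re.M)
_RX_SUBJECT = re.compile(r"^subject=(.*)$", re.M)
_RX_ISSUER = re.compile(r"^issuer=(.*)$", re.M)


def _first(rx, text):
    m = rx.search(text)
    return m.group(1).strip() if m else None


def parse_s_client(output: str, min_dh_bits: int = 2048) -> TlsProbe:
    p = TlsProbe()
    p.protocol = _first(_RX_PROTOCOL, output)
    p.cipher = _first(_RX_CIPHER, output)
    kb = _first(_RX_KEYBITS, output)
    p.server_key_bits = int(kb) if kb else None
    p.compression = _first(_RX_COMPRESSION, output)
    m = _RX_VERIFY.search(output)
    if m:
        p.verify_code, p.verify_text = int(m.group(1)), m.group(2)
    m = _RX_TEMPKEY.search(output)
    if m:
        p.temp_key_type, p.temp_key_bits = m.group(1).upper(), int(m.group(2))
    subj, iss = _first(_RX_SUBJECT, output), _first(_RX_ISSUER, output)
    # X509 verify codes 18/19 are the self-signed errors; subject == issuer is the
    # structural tell when verification was not run at all.
    p.self_signed = p.verify_code in (18, 19) or (subj is not None and subj == iss)

    if p.self_signed:
        p.findings.append("self-signed certificate: the client needs a stored exception or CA trust")
    if p.compression and p.compression.upper() != "NONE":
        p.findings.append(f"TLS compression is enabled ({p.compression}): CRIME-class risk, and "
                          "no current client will negotiate it; disable it server-side")
    if p.protocol in ("SSLv3", "TLSv1"):
        p.findings.append(f"negotiated {p.protocol}: clients increasingly refuse it")
    if p.temp_key_type == "DH":
        if p.temp_key_bits < 1024:
            p.findings.append(f"ephemeral DH group is {p.temp_key_bits} bits: Logjam-hardened "
                              "clients refuse groups under 1024 bits")
        elif p.temp_key_bits < min_dh_bits:
            p.findings.append(f"ephemeral DH group is {p.temp_key_bits} bits: below the "
                              f"{min_dh_bits}-bit target; regenerate dhparams")
    elif p.cipher and p.cipher.startswith("DHE-") and p.temp_key_type is None:
        p.findings.append("DHE cipher but no 'Server Temp Key' line: this OpenSSL is older than "
                          "1.0.2 and cannot show the DH group size; rerun with a newer build")
    return p


# Constructed sample: the Courier transcript from this bug, trimmed, plus a
# 'Server Temp Key' line as a newer OpenSSL prints it. The 768-bit value is
# invented for illustration, not measured on the reporter's server.
SAMPLE_COURIER = """\
CONNECTED(00000003)
---
subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Compression: 1 (zlib compression)
    Verify return code: 18 (self signed certificate)
---
"""

if __name__ == "__main__":
    for line in parse_s_client(SAMPLE_COURIER).findings:
        print("-", line)
```

Usage: `openssl s_client -connect host:993 </dev/null 2>&1 | python3 probe.py` style piping works by reading `sys.stdin.read()` into `parse_s_client`; the `min_dh_bits` argument is the local policy target, while the 1024-bit floor is the hard rejection threshold of Logjam-hardened clients.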
Uwe, your bug (starting with Thunderbird 38.0.1) is probably NOT bug 1184488, as that was due to code that first landed in 38.1.0 (and 31.8.0).

There have been a few reports of issues on 38.0.1, but I don't think that we have a good handle on them (and I am no expert, just the guy who has to deal with random issues on the release).

If you check out bug 1184457 - "SSL negotiation fails with private CA in Thunderbird 38.1": some ciphers were removed in Thunderbird 38, so that is one possible issue.
Yeah, this could be the same issue; it's just that Dovecot perhaps does a better job at logging than Courier, so I only get
imapd-ssl[4308]: couriertls: accept: Connection timed out
I tried experimenting with different cipher suites earlier but also had no luck. Now I'm leaving this config option commented out so it's whatever Courier chooses as default (again: which used to work fine).
Before I forget to mention this: if a developer needs a test account to debug this issue I'll be happy to provide one, but this needs to happen before next week because I'll be on vacation then and I don't know if I'll have Internet access.
I observed a strange new thing. First off, there was a Thunderbird update on Ubuntu on my office computer. After it had been installed the connection to my server stopped working (as on my Windows notebook), but suddenly in the past days the connection started to work again. I don't remember changing anything, nor do I remember another Ubuntu update. But wait, there's one difference between Ubuntu and Windows in my case: I didn't delete my self-signed certificate on Ubuntu, and certificates contain dates: expiration date, date of creation and so on. So that may be the reason it "suddenly" worked again. My friend experienced the same on his Windows notebook: TB was broken with my server and then suddenly it worked again. So there's this, and maybe it helps to localize the problem.
Hello,

We have had similar strange problems for a week or two (probably since the machines updated to TB 38.x). We use the STARTTLS option for connection security. There is Courier IMAP on the server side, and I'm quite sure that we already have 2048-bit DH parameters up and running. You can check this at imap.misbb.sk:143

We are quite unable to get a handle on this problem, because TB is less than helpful: it just times out, or freezes with "getting server capabilities" on the status bar. There is no meaningful error message, and THIS I consider a big issue in itself.

There is also next to nothing indicative in the mail server log. Next time I will probably be forced to do low-level per-user debugging.

We worry because there are some 400+ copies of TB running here and we don't know whether, how many and when they will fail. Usually it helps to downgrade TB to 31.x and switch off automatic upgrades (yep, it seems that Mozilla's attempts to enhance security are forcing us to go quite the opposite way). We cannot see any pattern; most instances just upgrade seamlessly and keep working. I can't tell so far what makes the difference, but it would seem that the problem is not strictly server-client related.

Today I dealt with the problem again. I downgraded TB to 31; however, the old profile still did NOT work. I had to create a fresh new profile. Then TB automatically upgraded to 38.3 and, to my surprise, it still works, but only with the newer profile. Reverting to the old one, it does NOT work.

This again indicates that there is likely something going on with local user profiles too.

There might be a handful of similar bugs, because we also have an instance where TB 38 did not work out of a fresh installation; only TB 31 was able to take off.

Does anybody have a clue? Is there something that we can test or do to help resolve this issue?
Even though this bug seems to be ignored, I thought I should share the workaround I found in case somebody ever stumbles upon this while researching the problem. I changed the account configuration in Thunderbird from using STARTTLS to static SSL on port 993 and I was able to connect again.
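The last two comments contrast the two ways Thunderbird can be configured against the same server: STARTTLS on port 143 (what the 400-seat deployment uses and what the reporter switched away from) and implicit SSL/TLS on port 993 (the workaround). The following script, added here as example code that is not part of Thunderbird, Courier or Dovecot, probes a server both ways with Python's standard library and reports what each mode negotiates. It uses a short socket timeout so a handshake that never completes fails fast with an error string instead of hanging the way the client does in this bug, and it skips certificate verification by default because both servers in this thread use self-signed certificates. The hostname is a placeholder; `parse_capabilities` is exercised on the two greeting lines quoted earlier in the bug.

```python
"""Probe an IMAP server in both modes Thunderbird offers (implicit TLS on 993,
STARTTLS on 143) and report what each negotiates. Example code added to this
bug page; not part of Thunderbird, Courier or Dovecot."""
import imaplib
import re
import socket
import ssl
import sys
from typing import Any, Dict, Optional, Set


def parse_capabilities(greeting: str) -> Set[str]:
    """Return the CAPABILITY tokens from a greeting such as
    '* OK [CAPABILITY IMAP4rev1 ... AUTH=PLAIN] Courier-IMAP ready.'
    An empty set means the server did not advertise them in the greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()


def _context(verify: bool) -> ssl.SSLContext:
    # create_default_context() already disables SSLv2/3 and TLS compression,
    # which matches what NSS-based clients such as Thunderbird do.
    ctx = ssl.create_default_context()
    if not verify:
        # Both servers in this bug use self-signed certs: we want to observe
        # the handshake, not stop at the trust check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _tls_summary(sock: ssl.SSLSocket) -> Dict[str, Any]:
    name, _proto, bits = sock.cipher()
    return {"protocol": sock.version(), "cipher": name, "bits": bits,
            "compression": sock.compression()}


def probe_imap(host: str, mode: str = "ssl", port: Optional[int] = None,
               verify: bool = False, timeout: float = 5.0) -> Dict[str, Any]:
    """mode='ssl': implicit TLS (default port 993).
    mode='starttls': plain connect, then STARTTLS (default port 143).
    Connection failures are returned in the dict, not raised."""
    if mode not in ("ssl", "starttls"):
        raise ValueError("mode must be 'ssl' or 'starttls'")
    port = port or (993 if mode == "ssl" else 143)
    result: Dict[str, Any] = {"host": host, "port": port, "mode": mode, "ok": False}
    ctx = _context(verify)
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)   # fail fast; imaplib's own timeout= needs Python 3.9+
    try:
        if mode == "ssl":
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        else:
            conn = imaplib.IMAP4(host, port)
            # imaplib refuses to upgrade if STARTTLS is not in the advertised caps.
            conn.starttls(ssl_context=ctx)
        greeting = conn.welcome.decode("ascii", "replace")
        result["greeting"] = greeting
        result["advertised_in_greeting"] = sorted(parse_capabilities(greeting))
        result["capabilities"] = sorted(conn.capabilities)   # post-TLS capability list
        result.update(_tls_summary(conn.sock))
        result["ok"] = True
        conn.logout()
    except (OSError, imaplib.IMAP4.error) as exc:
        # socket.timeout and ssl.SSLError are OSError subclasses; IMAP4.error
        # covers a refused or unsupported STARTTLS.
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        socket.setdefaulttimeout(previous)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "imap.example.com"   # placeholder host
    for m in ("ssl", "starttls"):
        print(probe_imap(target, m))
```

Running it against a server that only fails in one mode gives a concrete difference to report (for example an `error` only in the `starttls` result, or a different cipher or protocol in the two summaries) instead of the bare timeout the client shows.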
Severity: normal → S3