Bug 1185344
Opened 9 years ago
Updated 2 years ago
connect to courier-imap-ssl doesn't work since I upgraded to v 38.0.1
Categories: MailNews Core :: Security, defect
Tracking: not tracked
Status: UNCONFIRMED
People: Reporter: mozilla; Assignee: unassigned
Keywords: regression
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

I have Courier IMAP running for years and I cannot access my mails since I upgraded Thunderbird to v 38.0.1 on my Windows notebook. It still works with my desktop running the older Thunderbird from Ubuntu LTS. Some additional information can be found in a Gentoo Forums post I made: https://forums.gentoo.org/viewtopic-t-608756-start-0.html

Actual results:

Mails are not displayed; Thunderbird shows a timeout popup.

Expected results:

Successfully connect to my IMAP server.
Sorry, this was actually the wrong Gentoo Forums link. I mixed it up. This is the right one: https://forums.gentoo.org/viewtopic-t-1023582.html

Now I'm in the office and I've been able to check with an older TB on my Ubuntu desktop: v 31.7.0 still connects fine, so I doubt there's a problem with the server.
Another hint. I think there's something seriously broken with the SSL implementation. I deleted my self-signed certificate from the Thunderbird certificate store and restarted. I got no SSL warning about a self-signed certificate AND no connect, so I ran this on the server (stderr redirected before the pipe so that tee captures it too):

$ openssl s_client -host localhost -port 993 2>&1 | tee imap.log

Here's imap.log:

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
   i:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGBDCCA+ygAwIBAgIJAJfQ/QfalUEQMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
VQQGEwJVUzELMAkGA1UECAwCTlkxETAPBgNVBAcMCE5ldyBZb3JrMRwwGgYDVQQK
DBNDb3VyaWVyIE1haWwgU2VydmVyMS0wKwYDVQQLDCRBdXRvbWF0aWNhbGx5LWdl
bmVyYXRlZCBJTUFQIFNTTCBrZXkxEjAQBgNVBAMMCWxvY2FsaG9zdDElMCMGCSqG
SIb3DQEJARYWcG9zdG1hc3RlckBleGFtcGxlLmNvbTAeFw0xNDExMDYxODQ2NTBa
Fw0xNTExMDYxODQ2NTBaMIG1MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxETAP
BgNVBAcMCE5ldyBZb3JrMRwwGgYDVQQKDBNDb3VyaWVyIE1haWwgU2VydmVyMS0w
KwYDVQQLDCRBdXRvbWF0aWNhbGx5LWdlbmVyYXRlZCBJTUFQIFNTTCBrZXkxEjAQ
BgNVBAMMCWxvY2FsaG9zdDElMCMGCSqGSIb3DQEJARYWcG9zdG1hc3RlckBleGFt
cGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKzpGa2TbaYP
hnLnYP5qPvFZWDcCTC3e3Twd2KULwDYZl0wlLew354Ohutb/VSjhKp+BSPSaoQ5e
/0MLNw92L/e5fRn8BFcS5JaymqnM/j4SRt/M3iA/9nNuB0cFWPQchrwgPGhVrHDu
sMcRWHFt+Th4k8TEmWiK1OpQfvzQ9qRIn83ecDoY5GTQwGihPCjD2OFqSnO3DzlZ
9uUMhRy4RNfLHoyLDhaJk7hWel+S9dm29+ydR5E2+b+KlNnz6UApfnZEwaVyVaEu
BccS5UNhzAEmq/NeylQFJ/D24kwfXZYYTPEciVvhQr7cr4+y4ugXU16h2/98O1cT
Wyixfa25dbhYGayVq0c2n14egse3KJfkHdBuP1ynb/j++0vg+yeyNsrOv1PoEKIB
NqaAcz1zhRtn23WUSau3MsbNN60KghWMJbj04A/M1JekD6h8b7PDobtDXP8Chwn7
fO2uQvYU8w6WbMgieTWs4XjZa/CK7QzBMCX2l4cvurVTCP/Q0CHD8ou/ok0uouYU
ogYoXB61BowISUrvpPXMPEYjkw6E/IElMViyg2C4FNQu+5qP8obIdwckI5EorOae
9XVeYDj85XKuTC99dacGoS4mXhHfyMlvIJCLpxy/qXADxgvsgb6EVd3E7g+4R8k4
UoJ1N0jg92fmLdzZQFoVAQPNjvPQH24pAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOCAgEAB7j+mFBgRRsgw6mPNskoyOiMs+LX/jEX
2wX2seArLLjNYSqMR4spL3gefK61hY9kCEqAK5cAtgiW28u0Wl6TxF3KsaPkimDg
kD/LmudrTZMFg7QEw702oZCI33aPjwwRu5+L4CohyUttAQ1mnW0r8jkT1kXi/JZ1
FaV165Y8sTlCamuXC2832eiju28Y5Mn9Uni/tK6fZfUAGFhdhgJt6rzvrQuVJhaP
rnq4QQxyThXLL2TjTdAeEbkgPrTH995CR7nFIZB8H/EyILnVuuxP9VWTjRLs6Pc+
crJECJvLA48Xh6NEgCtMg3uEvm07jMj+iuzyrxAbqzxE6T31Cl8odnibSunkPmFK
3APOOkg3jeBI+CJC7Wk9ZqHZsDWuVVOlISkDqv/CLneBnvn0KpAeIYKhwnPQjwjE
aO8YTXGrfIvZR15fOf0CGUBjjUhWEgJXJ+56UrgNNqDzzeWmvBV1a7OLh0W/QLM8
SvkUZmsDpI1eGnVAeCIi+n/JY882/tlD/7pSNpLlflHo+sQkU9fpSbFejmMvq3iG
PfVTTtZ461z7F32s6LCDW2BMK83r6+8roJHGcqaH31QGNaTdLESCvNQUNyXDFaHN
5uRvKGDauONvfeMGZEOWZQ5YenQJ+kzUU2EKRyk0zoCY7/31hjpmvfo0QLdhbr6w
DiyThvExoBQ=
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 2585 bytes and written 460 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 3969AC008255C5B4F627A49412CB63DCA34BC1BFE61465FE8583EC9582990F7F
    Session-ID-ctx:
    Master-Key: 3E7B8B582A96939933BEF2B2F7C4952227B7679E5D3342DBA67BDA7379D0AAA2D93262922672DF634B146D2A4EE869B4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d0 50 24 1c 95 bc 81 53-7e 63 b3 36 af 44 cd 6f   .P$....S~c.6.D.o
    0010 - 27 ad 5b ea f0 b7 72 36-c9 79 8e 6b 5c 7b 07 13   '.[...r6.y.k\{..
    0020 - 00 72 db ae 38 64 47 68-28 12 48 2a 8a a9 f3 87   .r..8dGh(.H*....
    0030 - a7 8c 44 ae f2 28 49 54-b7 41 b7 16 e2 86 0d da   ..D..(IT.A......
    0040 - f7 55 e0 96 f3 23 4b 62-74 b3 79 10 06 96 3d 36   .U...#Kbt.y...=6
    0050 - 2d 98 5c 6b 14 d6 00 71-c5 37 a8 86 4c 01 c0 53   -.\k...q.7..L..S
    0060 - 8b b6 33 40 61 eb 69 65-5d a8 28 29 2c c6 77 94   ..3@a.ie].(),.w.
    0070 - ec ea f1 83 63 27 d5 e6-45 25 a9 4c 83 cf 5d b1   ....c'..E%.L..].
    0080 - 56 56 0a 8f 45 6d 16 6a-92 b4 b2 c7 46 88 c9 78   VV..Em.j....F..x
    0090 - 5a e3 d9 1d df 51 51 75-22 3d 46 75 b6 cd cd 9c   Z....QQu"=Fu....

    Compression: 1 (zlib compression)
    Start Time: 1437504644
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.

Seems like SSL is running fine.
Updated 9 years ago:
Component: Untriaged → Security
Product: Thunderbird → MailNews Core
I keep digging. I have another server as my home archive running Dovecot, also with a self-signed certificate, and I can still log in to this server, so I did the same SSL test I did with the other server. Here's the log:

CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
   i:/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEITCCAwmgAwIBAgIJAJhQ0xdBonUlMA0GCSqGSIb3DQEBBQUAMGgxHDAaBgNV
BAoTE0RvdmVjb3QgbWFpbCBzZXJ2ZXIxEzARBgNVBAsTCm1hZ2dpZS5sYW4xEzAR
BgNVBAMTCm1hZ2dpZS5sYW4xHjAcBgkqhkiG9w0BCQEWD3Jvb3RAbWFnZ2llLmxh
bjAeFw0xMzA1MDQwNzQxMzlaFw0yMzA1MDQwNzQxMzlaMGgxHDAaBgNVBAoTE0Rv
dmVjb3QgbWFpbCBzZXJ2ZXIxEzARBgNVBAsTCm1hZ2dpZS5sYW4xEzARBgNVBAMT
Cm1hZ2dpZS5sYW4xHjAcBgkqhkiG9w0BCQEWD3Jvb3RAbWFnZ2llLmxhbjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBe/BvfuP59+np18ctc6FgszhDD
mldkPjJkYK0UNt0PLbpVZhcuDj9x7Q0Blb6VWc8g+rJzlX5SUxmijHq5PKHcJD/e
omAx9YhXROJqcAl6cef49KPmGpBjKymyP96HZ9UF0jilIJU874cEjTloUYeiSZY2
vT42ziARr1O6wBMo6A3y/rtgbs3Y/fnIxzzZelDUhQSzehSvL+17QFdcDMZVfP1C
rvqr7uke35NEBAl2wmnb0xlM7bRAGTXetevD3KBXuXXZvmIHIg+tdsVXOuSDckTR
4P32OOmv5aMHkKwhlealpmfxtGnuvxvMXAOUzjHnp6tTE8uULc9pSSoRndsCAwEA
AaOBzTCByjAdBgNVHQ4EFgQUWOeosEiDo8fOckx19NY73wWDvfEwgZoGA1UdIwSB
kjCBj4AUWOeosEiDo8fOckx19NY73wWDvfGhbKRqMGgxHDAaBgNVBAoTE0RvdmVj
b3QgbWFpbCBzZXJ2ZXIxEzARBgNVBAsTCm1hZ2dpZS5sYW4xEzARBgNVBAMTCm1h
Z2dpZS5sYW4xHjAcBgkqhkiG9w0BCQEWD3Jvb3RAbWFnZ2llLmxhboIJAJhQ0xdB
onUlMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAGOvlpx3F8LSAsDy
S0Znz2AWf6jewLAsGa0gK2f9LhGDrVr6vcab89OV1eyP6EEhyBNr5TRwdhIqJVCp
vAtKsdxx8VMQuIFQKCMM5BsjaxrjcVctIYt6D/gqBEOrHEaSgnHhv8AGoXT3LezF
jkDgpOAbBWzPQyzEgbgIuKfOljyHYsg/k4qdgPc6C65Tiu7jESkr7e3zsnZMb1Rh
wTdiZPWCQZvk2TGqCjMj4piy6Y+xmegMKz3d0caXN+kunXm9tpcChUduibxyinCG
oP3KfMxVTw4KGV/TeL2/CHxQahaaKryokB5GIRJI0Pm+ZFiBKRyCnoNG7JxAQY+w
oIHw2to=
-----END CERTIFICATE-----
subject=/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
issuer=/O=Dovecot mail server/OU=maggie.lan/CN=maggie.lan/emailAddress=root@maggie.lan
---
No client certificate CA names sent
---
SSL handshake has read 1915 bytes and written 497 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 7580D45F539931D33604E3CE32C01B375B163F62F86D7818BE8239887174A829
    Session-ID-ctx:
    Master-Key: 4A080E7B4A2357EA00A37609980C481FA7A4A2D4C2438DFB105FC11148F448B7A7D5613A911C56597CCEB1D471358FB9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e0 1c c7 38 5a 60 09 77-08 0a ed b9 9c 18 ef d8   ...8Z`.w........
    0010 - c3 48 50 ca 2f 12 7d da-cd b4 7d 35 eb b8 cf c4   .HP./.}...}5....
    0020 - 4c a3 a9 60 39 8a d9 fa-b3 c9 b5 c3 4b cb e7 e4   L..`9.......K...
    0030 - 35 d1 ac 47 7d 7a 9f 76-e8 d7 ba 47 0a ea c3 9f   5..G}z.v...G....
    0040 - 65 8b 40 82 d3 75 76 28-1c f8 08 74 6d 34 a3 23   e.@..uv(...tm4.#
    0050 - d9 0b 5b 46 23 6f e5 7f-a5 b8 44 00 af 5a 92 e1   ..[F#o....D..Z..
    0060 - 14 76 45 5c 04 a8 d8 6f-75 e4 e7 ae a5 1f e5 66   .vE\...ou......f
    0070 - c9 42 e7 ee 1e 77 b5 7f-27 b7 c0 9d f1 ff 50 87   .B...w..'.....P.
    0080 - 6b ad d0 dd 28 c7 41 69-27 58 da 57 a1 c5 01 97   k...(.Ai'X.W....
    0090 - 88 8d 04 bf cf 1d 69 ac-fb 43 46 82 67 9d 51 57   ......i..CF.g.QW

    Compression: 1 (zlib compression)
    Start Time: 1437643831
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

So not all self-signed certificates seem to be affected.
Updated 9 years ago:
Keywords: regression
Comment 5 (9 years ago)

I experienced the same problem with Gentoo Linux thunderbird-bin 31.8.0 and with Linux Mint 31.8.0. I temporarily solved the problem by downgrading both to 31.7.0. The server courier-imap-ssl installation where the problem happens is running 4.15-r1.
Comment 6 (9 years ago)

Andrew: Your issue is most likely bug 1184488, which would also apply to Thunderbird 31.8.0, since the Logjam-preventing code landed there as well. Please read that bug for possible workarounds and issues. This bug should be restricted to issues that first appear in Thunderbird 38.0.1.

Comment 7 (Reporter, 9 years ago)

Thanks for the hint, Kent. I tried the workarounds too, but unfortunately it's still broken. What did I do? I added this line to the Courier config:

TLS_DHPARAMS=/usr/share/dhparams.pem

and executed this:

rm /usr/share/dhparams.pem ; DH_BITS=2048 mkdhparams

It took about 2 hours on my server until openssl finished, but after a restart of the courier-imap-ssl service Thunderbird still runs into a timeout. The error console shows nothing related to this and I'm out of ideas. There should be at least some message :/
Comment 8 (9 years ago)

Uwe, your bug (starting with Thunderbird 38.0.1) is probably NOT bug 1184488, as that was due to code first landed in 38.1.0 (and 31.8.0). There have been a few reports of issues on 38.0.1, but I don't think that we have a good handle on them (and I am no expert, just the guy who has to deal with random issues on the release). If you check out bug 1184457 - "SSL negotiation fails with private CA in Thunderbird 38.1", there were some ciphers removed in Thunderbird 38, so that is one possible issue.

Comment 9 (Reporter, 9 years ago)

Yeah, this could be the same issue; only perhaps Dovecot does a better job at logging than Courier, so I only get:

imapd-ssl[4308]: couriertls: accept: Connection timed out

I tried experimenting with different cipher suites earlier, but also no luck. Now I'm leaving this config option commented out so it's whatever Courier chooses as default (again: which used to work fine).
Comment 10 (Reporter, 9 years ago)

Before I forget to mention this: if a developer needs a test account to debug this issue, I'll be happy to provide it, but this needs to happen before next week because I'll be on vacation then and I don't know if I have Internet access.
Comment 11 (Reporter, 9 years ago)

I observed a strange new thing. First off, there was a Thunderbird update on Ubuntu on my office computer. After it was installed, the connection to my server stopped working (as on my Windows notebook), but suddenly in the past days the connection started to work again. I don't remember changing anything, nor do I remember another Ubuntu update. But wait, there's one difference between Ubuntu and Windows in my case: I didn't delete my self-signed certificate on Ubuntu, and certificates contain dates: expiration date, date of creation and so on. So there may be the reason it "suddenly" worked again. My friend experienced the same on his Windows notebook: TB was broken with my server and then suddenly it worked again. So there's this, and maybe it helps to localize the problem.
Comment 12 (9 years ago)

Hello, we have had similar strange problems for a week or two (probably since the machines updated to TB 38.x). We use the STARTTLS option for connection security. There is Courier IMAP on the server side and I'm quite sure that we already have 2048-bit DH parameters up and running; you can check this at imap.misbb.sk:143.

We are quite unable to get a handle on this problem, because TB is less than helpful: it just times out, or freezes with "getting server capabilities" on the status bar. There is no meaningful error message, and THIS I consider a big issue in itself. There is also next to nothing indicative in the mail server log. Next time I will probably be forced to do low-level per-user debugging.

We worry because there are some 400+ copies of TB running here and we don't know whether, how many and when they will fail. Usually it helps to downgrade TB to 31.x and switch off automatic upgrades (yep, it seems that Mozilla's attempts to enhance security are forcing us to go quite the opposite way). We cannot see any pattern; most instances just upgrade seamlessly and keep working. I can't tell so far what makes the difference, but it would seem that the problem is not strictly server-client related.

Today I dealt with the problem again. I downgraded TB to 31; however, the old profile still did NOT work. I had to create a fresh new profile. Then TB automatically upgraded to 38.3 and, to my surprise, it still works, but only with the newer profile. Reverting to the old one, it does NOT work. This again indicates that there is likely something going on with local user profiles too. There might be a handful of similar bugs, because we also have an instance where TB 38 did not work out of a fresh installation; only TB 31 was able to take off.

Does anybody have a clue? Is there something that we can test or do to help resolve this issue?
Comment 13 (Reporter, 9 years ago)

Even though this bug seems to be ignored, I thought I should share the workaround I found, in case somebody ever stumbles upon this while researching the problem. I changed the account configuration in Thunderbird from using STARTTLS to static SSL on port 993, and I was able to connect again.
Updated 2 years ago:
Severity: normal → S3