Open Bug 1187797 Opened 4 years ago Updated 2 months ago
Thunderbird UI should report rejected SSL/TLS connections
Quoting Bug #1184488 Comment #47:

Thunderbird IMAP unhelpful reporting of weak DH-params

When an IMAP server has been configured or built with "weak" ephemeral Diffie-Hellman parameters, which until recently were considered adequate, Thunderbird gives (and logs) highly misleading error messages referring to unrelated aspects of the server configuration.

While the countermeasures against the LogJam attack prevent making an SSL/TLS connection to such servers, the error reporting should be clear as to what error is actually occurring (connection aborted by NSS due to DH key length less than 1024), not nonsense messages resulting from IMAP code ignoring the failure and attempting to communicate over an already dead connection.

This is much more urgent than normal error message issues, as the upgrade from Tb 38.0 to Tb 38.1 introduced this failure mode for many existing real world servers. Regardless of the security reasoning, this leaves Tb 38.1 in an unreleasable state, and it needs to be fixed or recalled.

From myself, I would like to add that this "weak" server configuration is currently the default on Debian 8.1, which was released just weeks ago, so it IS an important problem indeed. At the moment, when DH params are weak, Thunderbird complains about the server not supporting the chosen AUTH mechanism, while in fact this issue has nothing to do with that.
Fedora 28 (coming out on Tuesday) has stricter default settings that will consider many real world DH parameters to be weak.
(In reply to Randy Barlow from comment #3)
> Fedora 28 (coming out on Tuesday) has stricter default settings that will
> consider many real world DH parameters to be weak.

wonder how much this will bite us
Severity: major → normal
Type: defect → enhancement
Component: Networking: IMAP → Networking
Summary: Weak DH parameters should be reported properly → Thunderbird UI should report rejected SSL/TLS connections