Open Bug 1187797 Opened 9 years ago Updated 2 years ago

Thunderbird UI should report rejected SSL/TLS connections

Categories: MailNews Core :: Networking, enhancement

Tracking: Not tracked

People: Reporter: rimas, Assigned: KaiE

Keywords: regression

Quoting Bug #1184488 Comment #47:

Thunderbird IMAP unhelpful reporting of weak DH-params

When an IMAP server has been configured or built with "weak" ephemeral Diffie-Hellman parameters, which until recently were considered adequate, Thunderbird gives (and logs) highly misleading error messages referring to unrelated aspects of the server configuration.

While the countermeasures against the LogJam attack prevent making an SSL/TLS connection to such servers, the error reporting should be clear as to what error is actually occurring (connection aborted by NSS due to DH key length less than 1024), not nonsense messages resulting from IMAP code ignoring the failure and attempting to communicate over an already dead connection.

This is much more urgent than normal error message issues, as the upgrade from Tb 38.0 to Tb 38.1 introduced this failure mode for many existing real world servers.  Regardless of the security reasoning, this leaves Tb 38.1 in an unreleasable state, and it needs to be fixed or recalled.

From myself, I would like to add that this "weak" server configuration is currently the default on Debian 8.1 which was released just weeks ago, so it IS an important problem indeed.

At the moment, when DH params are weak, Thunderbird complains about the server not supporting the chosen AUTH mechanism, while in fact this issue has nothing to do with that.
Blocks: 1184488
No longer depends on: 1184488
See Also: → 1185060
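The failure described in the comment above is a DHE ServerKeyExchange whose prime is shorter than 1024 bits, which NSS rejects before IMAP ever gets to authenticate. The following is an added example, not part of this bug thread and not Thunderbird or NSS code: it parses the ServerDHParams prefix of a TLS 1.2 ServerKeyExchange body, measures the prime, and produces the kind of diagnosis the reporter is asking for instead of an unrelated AUTH error. Function names are my own, the 1024-bit threshold is taken from the comment, and the sample messages are constructed here (the "primes" are length placeholders, not real DH primes).

```python
"""Diagnose a rejected DHE handshake: a TLS 1.2 ServerKeyExchange whose
prime p is shorter than 1024 bits, which NSS aborts as a LogJam countermeasure.

Added example for this bug thread, not Thunderbird or NSS code. Function names
are assumptions of this example, and the sample message bytes are constructed
here for illustration (the 'prime' is a placeholder of the right length).
"""
import struct

# Threshold named in the bug report: NSS aborts the handshake below this.
MIN_DH_BITS = 1024


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams (RFC 5246 section 7.4.3): three opaque<1..2^16-1>
    fields, each a 2-byte big-endian length followed by the unsigned integer."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(body: bytes) -> dict:
    """Parse the ServerDHParams prefix of a DHE ServerKeyExchange body.
    Anything after dh_Ys (the signature) is left untouched. Raises ValueError
    on a truncated or zero-length field instead of silently reading garbage."""
    offset = 0
    values = {}
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length {length} for {name}")
        values[name] = int.from_bytes(body[offset:offset + length], "big")
        offset += length
    # bit_length() ignores leading zero bytes, so a zero-padded encoding
    # cannot inflate the apparent strength of p.
    values["p_bits"] = values["p"].bit_length()
    values["consumed"] = offset
    return values


def dh_verdict(p_bits: int) -> str:
    """'weak' when NSS would abort the connection, 'ok' otherwise."""
    return "weak" if p_bits < MIN_DH_BITS else "ok"


def describe_handshake_failure(body: bytes) -> str:
    """The message a mail client should surface for a captured
    ServerKeyExchange body, naming the real cause of the abort."""
    params = parse_server_dh_params(body)
    if dh_verdict(params["p_bits"]) == "weak":
        return (f"connection rejected: server offered a {params['p_bits']}-bit "
                f"DH group, below the {MIN_DH_BITS}-bit minimum")
    return f"DH group accepted: {params['p_bits']}-bit prime"


if __name__ == "__main__":
    # Constructed samples: a 512-bit and a 2048-bit placeholder 'prime'.
    weak = encode_server_dh_params((1 << 511) | 1, 2, 0x3039)
    strong = encode_server_dh_params((1 << 2047) | 1, 2, 0x3039)
    print(describe_handshake_failure(weak))
    print(describe_handshake_failure(strong))
```

The parser stops after dh_Ys and ignores the signature, because the only question here is the size of the group; a truncated message raises rather than being reported as something else, which is exactly the distinction the bug asks the UI to preserve.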
Fedora 28 (coming out on Tuesday) has stricter default settings that will consider many real world DH parameters to be weak.
(In reply to Randy Barlow from comment #3)
> Fedora 28 (coming out on Tuesday) has stricter default settings that will
> consider many real world DH parameters to be weak.

wonder how much this will bite us

IMHO Thunderbird should display a notification in the user interface whenever an SSL/TLS connection is rejected.

In the past, we had an error notification popup dialog in the common Mozilla networking code.

However, that popup did occur in some unwanted scenarios, for example, when a Firefox browser tab was closed quickly. This caused a network connection to terminate early, and the security networking code incorrectly concluded there's a problem with the security level.

Ideally, we'd have a notification API in the SSL/TLS networking code, which triggered a notification whenever we deliberately terminate a connection, because the security parameters are deemed insecure. Then Thunderbird could watch for those alerts, and have just one location where we handle it.

Unfortunately, a couple of years ago, the Mozilla core developers refused such a general callback. (We could try to ask again.)

Without such an API, we'd have to touch every place in Thunderbird that implements network connections, and add the appropriate handlers. Potentially we'll have to do that anyway, because of bug 1547096.

Once we have implemented a way to catch those notifications, we'll also need to decide how those errors shall be reported in the user interface. It might be difficult to find an answer that fits all scenarios, as these kinds of errors could be triggered from network connections of any purpose, like mail retrieval, sending, RSS feeds, chat server connections, ...

Severity: major → normal
Type: defect → enhancement
Component: Networking: IMAP → Networking
Summary: Weak DH parameters should be reported properly → Thunderbird UI should report rejected SSL/TLS connections
Assignee: nobody → kaie
Severity: normal → S3