Closed Bug 1209803 Opened 9 years ago Closed 1 year ago

FIPS / Security Module / Master Password in Iceweasel + Icedove 38.x broken (when upgrading from 37.x)

Categories

(Core :: Permission Manager, defect)

38 Branch
x86_64
Linux
defect

Tracking

RESOLVED INVALID
Tracking Status
firefox-esr38 - wontfix
thunderbird_esr38 ? ---

People

(Reporter: typewriter.typogeek, Unassigned)

Details

(Keywords: regression, Whiteboard: qa-not-actionable)

As I reported to Christoph Goehre, maintainer of the corresponding Debian package last month:

- due to the latest Icedove Update 31.8.0-1~deb8u1 all my own and imported S/MIME certs vanished and I was unable to:
- get mails from any server; very long "connected to" message in footer, but no error is shown, no mails are retrieved (due to vanished passwords)
- re-importing of S/MIME certs involves activating FIPS, which needs a master password
- FIPS cannot be enabled anymore
- once logging out of the Security Module, re-login is impossible
- no passwords are in the password storage anymore and no master password is set
- trying to set a new master password fails with message: failed_pw_change=Unable to change Master Password.
- trying to reset all passwords will not change the behavior, neither safe mode, deleting key3.db + cert8.db + signon.sqlite or these suggestions will help:
http://kb.mozillazine.org/Master_password#Resetting_the_master_password

Reverting to version 31.7.0 temporarily restored the functionality at cost of freezing the package version and security updates. Certs re-appeared, passwords were lost during the downgrade process.

As it turned out today, Iceweasel / Firefox is affected, too, by this regression: updated to version 38.2.1 earlier and now to version 38.3.0, the latter showing exactly the same issues as Icedove / Thunderbird. Downgrading to 38.2.1 (stable) got me nowhere, but obviously wiped all passwords from the safe (or replaced the Master Password by something different). An indication for that assumption would be, that I can access my certs, but can't enable FIPS anymore, nor can I change the master password.

Obviously, the misery of borked Security Module / Master Password functionality starts with branch 38.x for both Iceweasel / Icedove (and supposedly also for Firefox / Thunderbird), leaving us with broken S/MIME and password manager support. 

Possibly linked to 1130405, 1131475 patches?
Update:
after reverting to Iceweasel 38.2.1, the certs and Master Password actually ARE still in place, and it's possible to log into the Software Security Device. After trying to enable FIPS, an error message pops up: "Unable to change the FIPS mode for the security device. It is recommended that you exit and restart this application." and the behavior above is displayed again. After re-starting the application, the certs and Master Password are accessible once more.

Still, it's impossible for some important websites that enforce certification-based authorization, to authenticate (via FIPS?). 
I'm stuck here!
Update2:
I cannot confirm the issues with Firefox 39.0 - certs, Software Security Device, Master Password and FIPS seem to work here.

Still, it's not yet possible to use the required cert-based website authentication for the sites in question. Investigating further...
Don't add me to the Cc unsolicitedly (and randomly).
(In reply to fettucini from comment #0)
> ...
> Possibly linked to bug 1130405, bug 1131475 patches?

Have you built and found Thunderbird to work without those patches?
(note, there are currently no regressions filed against those bugs)
Severity: blocker → critical
Flags: needinfo?(typewriter.typogeek)
Keywords: regression
Priority: P1 → --
Target Milestone: mozilla38 → ---
Hello, sorry if Cc'ing was not welcome. I figured it might be helpful to address such a critical bug directly to somebody I suspected of having the skills and understanding in the certificate management modules of Firefox.
Even more, since it seems to be Mozilla's 38esr branch core that's affected.

No, I didn't, since I figured, a Blocker like this would get immediately fixed and backported, if necessary - and the patch would be already in place in the latest 38esr releases... apart from that, I'm not sure, if building FF manually will work for me.
Flags: needinfo?(typewriter.typogeek)
Hello Wayne, I haven't built Icedove or Thunderbird from scratch so far - do you have an extensive description how to do that and about the dependencies needed?
Though I cannot promise to look into it too soon, since I'm rather busy currently.
Update:

I've tested Firefox 38.2.1esr on Windows without the problems described above.
Iceweasel 38.4.0 still the same issue - consider it broken for now and switching to Firefox.
UPDATE:
in the security devices tab, there're two FIPS module entries, with path pointing to null (FIPS module not loaded, disabled and unable to change that state) and another entry for the built-in root module, which seems o.k.
See Also: → 1272904
The bug at least in parts still exists for Icedove 38.8 (and probably for the whole 38.x branch). 

I was not able to just upgrade from Icedove 37.x to 38.8, which made all my personal S/MIME certs vanish and displayed strange doublet entries in the security modules tab, leaving no option to enable FIPS mode.

In order to benefit from security updates, while still keeping my personal and imported S/MIME certs and PGP keys, I had to deinstall Iceweasel 37.x after renaming the .icedove folder.

Then I made the upgrade of the locked version to 38.8 and manually copied over some, but not all of the folders and files, containing the mails and settings, into the new profile folder.

After this, I got rid of the doublet security module entries, still being able to access my S/MIME certs and PGP keys. FIPS mode remains dead, but I only need that for some website authentication, and for that purpose, I've switched from the broken Iceweasel 38.x to Firefox 39, which still works.
I'm not sure if this is relevant to esr45 or not. But esr38 is near the end of support, as esr45.1.0 should be released in a couple of weeks. Wayne, what do you think? Is this on your radar at all? Still unconfirmed.
Flags: needinfo?(vseerror)
Liz, thanks for updating. This isn't especially on my radar and not an area of expertise for me. Hopefully onno or eddy can offer advice.

Certainly nothing further will change in 38.*. But we released Thunderbird 45.1.0 about 2 weeks ago and 45.1.1 will be out soon.
Flags: needinfo?(vseerror) → needinfo?(o.e.ekker)
I don't have Debian but tried it with Thunderbird 45.1.0 64-bits under Ubuntu 16.04 LTS and there it works for me. Did you succeed in setting a master password? That's required in order to enable FIPS.
Flags: needinfo?(o.e.ekker)
If you still have this problem, can you also please check your error console and see if there are any messages related to the problem and/or occurring at startup of Thunderbird or around the same time the problem happens?
Flags: needinfo?(typewriter.typogeek)
Hello, and thanks for looking into this.

I'm using Icedove on Debian here and the latest stable version is 38.8.0, which is probably unlikely to change, until Debian's next stable release (which would be some 2 years from now), because it seems to focus on the ESR version. 

When first encountering the problem, resetting and applying a new master password did not succeed, as far as I can remember, so I had to revert to the last stable version and lock that one. Afterwards, my stored passwords were gone, though.

Some minor releases later, it was possible to reset the master password, but the strange doublet entries in the security modules tab remained, and it was at least not possible to activate FIPS anymore, and I think also not to log on to the PKCS#11 security module. 

I even tested Icedove with debugging symbols at that time, which resulted in zero usable information, though.

At any time, upgrading the version, would have made my S/MIME certs vanish from the personal certs list, reverting would've brought them back again. 

Now, after finally switching over to 38.8.0, I can log on to the internal PKCS#11 Module again, but not activate FIPS.

Having digested some information on FIPS, this is probably not a bad thing anyway, since it seems to mainly be used in US-based governmental facilities, and does not add any real security. And I've yet to discover a situation where something will not work because of lacking FIPS support.

That said, I can't go back to reproduce these steps anymore, unfortunately, so someone else with the same upgrading problem would need to jump in and do that.
I also dare not touch anything currently, since I need my system up and running.

Regards, 
fettucini
Summary: FIPS / Security Module / Master Password in Iceweasel + Icedove 38.x broken → FIPS / Security Module / Master Password in Iceweasel + Icedove 38.x broken (when upgrading from 37.x)
Update:

After clicking on "load module" of the internal and libnsscki module entries in the security modules tab, Iceweasel obviously temporarily "forgot" the stored passwords. Not before restarting the application, I was able to send a mail.
Could not reproduce it, though. Generally, the security module section seems to be a fragile area of Thunderbird/Iceweasel to me.
URGENT UPDATE:

As previously, it likewise happened with the migration of TB 1:52.8.0-1~deb9u1 from stable to 1:60.2.1-2~deb9u1.

Same symptoms, no mail passwords are stored due to missing master password, which in turn cannot be stored with the aforementioned error message. Did not check for S/MIME problems, which most likely would also occur for the same reasons.

Retrieving new mails is only possible for single mail accounts, without storing the password.
Flags: needinfo?(typewriter.typogeek)
Whiteboard: qa-not-actionable

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: critical → --

Feel free to reopen it if needed.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID