Starttls 1.1 IMAP (company server) connection does not work anymore after update to 52.1.1 (2017-05-22; no configuration settings have changed)

RESOLVED INVALID

Status

Thunderbird
Untriaged
RESOLVED INVALID
11 months ago
10 months ago

People

(Reporter: Dorin CHIRA, Unassigned)

Tracking

52 Branch

Details

(Whiteboard: [support])

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
Created attachment 8870007
trace.txt

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170504105526

Steps to reproduce:

Upgraded from 45.8.0 / 20170305125302 to 52.1.1 / 20170509142926

Initially I was receiving "Unable to connect to your IMAP server. You may have exceeded the maximum number of connections to this server. If so, use the Advanced IMAP Server Settings dialog to reduce the number of cached connec..." but later on (after changing servers and trying to make things work) I am receiving "Server xxx@xxx.xxx has disconnected. The server may have gone down or there may be a network problem."....

I also had proxy authentication problems (company uses HTTP proxy with authentication), yet I ignore them for this bug (the thing is that Thunderbird does not prompt for user and password (required to check certificates) unless help > about is accessed so that Thunderbird will check for updates).... lol...

See a more detailed version of this bug report, with more information (yet, not sure if useful, but at least it's the walkthrough) at: https://support.mozilla.org/en-US/questions/1161016


Actual results:

company email server unreachable... IMAP over STARTTLS with TLSv1.1 certificate no longer working (I have the "security.tls.version.fallback-limit" set to "1")




Expected results:

There should be no problems with the actual connections...

Comment 1

11 months ago
Requests of the type "We upgraded and things stopped working" are a typical problem. In this case, some security requirements have been increased, so TB can no longer connect to non-compliant servers. See for example bug 1359187 or bug 1359179.

There's little hope we can assist, so maybe you'll have more luck in the support forum.

As you know, Thunderbird is free community/volunteer-based software and we have no resources to debug the individual setup of commercial companies.

If I'm correctly informed, TLS 1.1 is not supported any more (but I could be wrong on that one).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → INVALID

Updated

11 months ago
Whiteboard: [support]
(Reporter)

Comment 2

11 months ago
Thank you, Jorg, for your input.

I do know TB has community-driven development, I did contribute to other community-supported software in the past, but now I have a small child which consumes all my free time.

I wanted to make this problem report (I won't call it a bug) as detailed as possible, therefore I really put some time into its investigation.

Indeed, switching from TLS1.1 server to a newly created TLS1.2-endpoint solved the issue, but it required IT to create this endpoint and it was not very "instant"... It seems MS Outlook works flawlessly and does not puke when using such an outdated connection security.. I am the only one left in our company using TB, and trust me, I do promote it.. The 2+ days of email blackout turned everybody else away from TB....

Regarding the TLS issue TB had with the email server, it never occurred to me such a thing, especially that TB auto-updates (I am on the release channel)... Once TB stopped working, I did read the release notes, the fixed bugs list, the security advisory, but there is nothing about TLS.. However, what seems even more "cryptic" to me is that TB never mentioned anything about any TLS1.1 connection problems and I could not understand what is TB's problem from the generated traces:

7128[18b49250]: try to log in
7128[18b49250]: IMAP auth: server caps 0x481025, pref 0x1006, failed 0x0, avail caps 0x1004
7128[18b49250]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000,
  LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
7128[18b49250]: trying auth method 0x1000
7128[18b49250]: login failed entirely

Some tracing improvement won't harm.

A different problem is that TB doesn't ask for authentication proxy credentials when it requires to validate a server certificate, yet opening help>about does request the credentials and certificate validation works afterwards..

Anyway, thank you all for your time!
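
Added example, not part of the bug report or of Thunderbird's code: a small Python decoder for the auth bitmasks in the trace quoted in Comment 2, using only the legend the trace itself prints. The function names are illustrative, and bits the legend does not name are reported as unlisted rather than interpreted.

```python
import re

# Sample input: the trace lines quoted in Comment 2 of this report.
TRACE = """\
7128[18b49250]: try to log in
7128[18b49250]: IMAP auth: server caps 0x481025, pref 0x1006, failed 0x0, avail caps 0x1004
7128[18b49250]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000,
  LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
7128[18b49250]: trying auth method 0x1000
7128[18b49250]: login failed entirely
"""

HEX = r"0x[0-9a-fA-F]+"

def parse_legend(trace):
    """Read the 'NAME = 0x...' legend that the trace prints in parentheses."""
    body = re.search(r"\((.*?)\)", trace, re.S).group(1)
    legend = {}
    for item in body.split(","):
        name, value = item.split("=")
        legend[name.strip()] = int(value.strip(), 16)
    return legend

def decode(mask, legend):
    """Return (legend names set in mask, bits the legend does not name)."""
    names = [n for n, bit in legend.items() if mask & bit]
    known = 0
    for bit in legend.values():
        known |= bit
    return names, mask & ~known

def explain(trace):
    """Decode every bitmask field of the 'IMAP auth' lines into names."""
    legend = parse_legend(trace)
    report = {}
    fields = rf"(server caps|pref|failed|avail caps) ({HEX})"
    for field, value in re.findall(fields, trace):
        report[field] = decode(int(value, 16), legend)
    tried = re.search(rf"trying auth method ({HEX})", trace)
    if tried:
        report["tried"] = decode(int(tried.group(1), 16), legend)
    return report

if __name__ == "__main__":
    for field, (names, unknown) in explain(TRACE).items():
        print(f"{field:12} {', '.join(names) or '-':40} unlisted bits: {unknown:#x}")
```

Decoded this way, the quoted lines record only which authentication methods were offered, preferred and tried (PLAIN here); nothing in them names the TLS version in use.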

Comment 3

11 months ago
So basically you're saying that your colleagues prefer to use less secure software that "just works". I'm sure TB 38 or 45 would still have worked as well.

Can you please file a bug for the other issues (logging improvement and certificate validation), giving exact steps to reproduce the problem?

Updated

10 months ago
Summary: Starttls IMAP (company server) connection does not work anymore after update to 52.1.1 (2017-05-22; no configuration settings have changed) → Starttls 1.1 IMAP (company server) connection does not work anymore after update to 52.1.1 (2017-05-22; no configuration settings have changed)