Open Bug 1377102 Opened 7 years ago Updated 2 years ago

TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions in Client Hello. Firefox works fine

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Version:
52 Branch
Type:
defect

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: abentley, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170613080547

Steps to reproduce:

Start Thunderbird, Attempt to get email.   Been using Thunderbird for 15yrs.  Worked fine up-until April 23.  Been waiting on V52 hoping things got fixed. Didn't get fixed, so reporting this now.


Actual results:

No logon prompt.  Performed wireshark capture of both thunderbird TLS handshake & FireFox TLS handshake to same server.  FireFox TLS client hello is fine & FF connects fine. Thunderbird starting with v50.1? & now 52.2.0_x64 both fail to include "server_name" and "ALPN" extension in Client Hello.  OS=Fedora25(4.11.6-201.fc25.x86_64) , nss-3.30.2-1.1.fc25, firefox-54.0-2.fc25, thunderbird-52.2.0-1.fc25, 


Expected results:

logon prompt should have come up after sucessful TLS negotiation.
What version of TLS is being negotiated?
Component: Untriaged → Security
Flags: needinfo?(abentley)
ha, my bad, the version is in the summary.

ref https://bugzilla.mozilla.org/show_bug.cgi?id=1361411
Flags: needinfo?(abentley)
I discovered a temp workaround...

I had gone into Edit->Prefrences, Advanced, General, Config Editor
and changed :
require_safe_negotiation   		true  
treat_unsafe_negotiation_as_broken	true     

OCSP.enabled				true      
OCSP.GET.enabled			true      
OCSP.require				true      
enable_ocsp_stapling			true     

tls.version.min				3(TLS1.2) 
tls.version.max				4

ecdhe_ecdsa_aes_128_gcm_sha256		true  
ecdhe_rsa_aes_128_gcm_sha256		true 	  


and disabled :
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.dhe_rsa_des_ede3_sha
security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.rsa_aes_256_sha
security.ssl3.rsa_des_ede3_sha
security.ssl3.rsa_aes_256_sha	
because they are broken.

------
I changed those setting back to :
tls.version.min				1(TLS1.0) ****BAD***
and it works now. 

This seems like its still a bug. The workaround is to disable security, not a great workaround.
I had moved over to Evolution because this bug was so long lived.  Looks like its still not fixed in Fedora 26 Thunderbird 52.3.  let me know when its fixed.
Summary: TLS 1.2 client Hello from Thunderbird v50 & v52.2 missing "server-name" and "ALPN" extensions. Firefox works fine → TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions. Firefox works fine
Andy,

Can you test the beta from http://www.mozilla.org/en-US/thunderbird/channel/ ?
Flags: needinfo?(abentley)
Summary: TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions. Firefox works fine → TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions in Client Hello. Firefox works fine
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.