TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions. Firefox works fine


Status

Thunderbird
Security
UNCONFIRMED
5 months ago
2 months ago

People

(Reporter: Andy bentley, Unassigned)

Tracking

52 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 months ago
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170613080547

Steps to reproduce:

Start Thunderbird, attempt to get email. Been using Thunderbird for 15 years. Worked fine up until April 23. Been waiting on v52 hoping things got fixed. Didn't get fixed, so reporting this now.


Actual results:

No logon prompt. Performed Wireshark capture of both the Thunderbird TLS handshake & the Firefox TLS handshake to the same server. Firefox TLS Client Hello is fine & FF connects fine. Thunderbird starting with v50.1? & now 52.2.0_x64 both fail to include the "server_name" and "ALPN" extensions in the Client Hello. OS=Fedora25 (4.11.6-201.fc25.x86_64), nss-3.30.2-1.1.fc25, firefox-54.0-2.fc25, thunderbird-52.2.0-1.fc25


Expected results:

Logon prompt should have come up after successful TLS negotiation.
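The report rests on what a Wireshark capture showed in the Client Hello, so the check a practitioner wants is a way to confirm, from the raw bytes of a capture, whether the server_name (type 0) and ALPN (type 16) extensions are present. The following is an added example, not code from the bug report or from Mozilla: a minimal TLS Client Hello parser plus a builder used only to construct two fixtures, one Hello carrying SNI and ALPN and one carrying neither. The hostname, cipher suites and ALPN value in the fixtures are invented for the example and are not taken from the reporter's capture.

```python
"""Inspect a TLS Client Hello for the server_name and ALPN extensions.

Added example. The record builder below produces constructed fixtures for
offline use; to check a real capture, feed the raw TLS record bytes of the
Client Hello (e.g. exported from Wireshark) to check_hello() instead.
"""
import struct

SERVER_NAME = 0   # RFC 6066 server_name extension type
ALPN = 16         # RFC 7301 application_layer_protocol_negotiation


def parse_client_hello(record: bytes) -> dict:
    """Return version, cipher suites and an {ext_type: ext_data} map from a
    TLS record that wraps a ClientHello. Raises ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("handshake type is not ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake")
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                  # client_version, random
    pos += 1 + hello[pos]                          # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                          # compression_methods
    exts = {}
    if pos < len(hello):                           # extensions are optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            exts[etype] = hello[pos:pos + elen]
            pos += elen
        if pos != end:
            raise ValueError("malformed extensions block")
    return {"version": version, "cipher_suites": suites, "extensions": exts}


def sni_host(exts: dict):
    """Decode the single host_name entry of a server_name extension."""
    data = exts.get(SERVER_NAME)
    if data is None:
        return None
    # ServerNameList: u16 list_len, then (u8 name_type, u16 len, name)
    name_len = struct.unpack("!H", data[3:5])[0]
    return data[5:5 + name_len].decode("ascii")


def alpn_protocols(exts: dict):
    """Decode the protocol name list of an ALPN extension."""
    data = exts.get(ALPN)
    if data is None:
        return None
    protos, pos = [], 2                            # skip u16 list length
    while pos < len(data):
        n = data[pos]
        protos.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return protos


def check_hello(record: bytes) -> dict:
    """Summarise what the report cares about: SNI, ALPN, and what is missing."""
    exts = parse_client_hello(record)["extensions"]
    wanted = (("server_name", SERVER_NAME), ("alpn", ALPN))
    return {"sni": sni_host(exts), "alpn": alpn_protocols(exts),
            "missing": [name for name, t in wanted if t not in exts]}


# ---- fixture construction (not a real capture) -----------------------------
def build_client_hello(version: int, suites, extensions) -> bytes:
    """Assemble a minimal ClientHello record; extensions is [(type, data)]."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # fixed random
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                           # null compression
    if extensions:
        body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(body)) + body
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni_ext(host: str) -> bytes:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def alpn_ext(protos) -> bytes:
    lst = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protos)
    return struct.pack("!H", len(lst)) + lst


# Constructed: a TLS 1.2 Hello with SNI + ALPN, and one with only
# signature_algorithms (type 13), mirroring the "fine" vs "missing" case.
SUITES = [0xC02B, 0xC02F]   # ECDHE-ECDSA/RSA AES-128-GCM-SHA256 (assumed)
HELLO_WITH_EXTS = build_client_hello(0x0303, SUITES, [
    (SERVER_NAME, sni_ext("imap.example.net")), (ALPN, alpn_ext(["http/1.1"]))])
HELLO_WITHOUT = build_client_hello(0x0303, SUITES, [(13, b"\x00\x02\x04\x01")])

if __name__ == "__main__":
    for label, rec in (("with", HELLO_WITH_EXTS), ("without", HELLO_WITHOUT)):
        print(label, check_hello(rec))
```

A Hello that yields `missing == ["server_name", "alpn"]` is the condition the reporter describes; note that a Hello without any SNI would also be rejected outright by servers that host several names on one address, which is one plausible way a missing extension turns into "no logon prompt" rather than a visible TLS error.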

Comment 1

5 months ago
What version of TLS is being negotiated?
Component: Untriaged → Security
Flags: needinfo?(abentley)

Comment 2

5 months ago
ha, my bad, the version is in the summary.

ref https://bugzilla.mozilla.org/show_bug.cgi?id=1361411
Flags: needinfo?(abentley)
(Reporter)

Comment 3

2 months ago
I discovered a temp workaround...

I had gone into Edit->Preferences, Advanced, General, Config Editor
and changed :
require_safe_negotiation   		true  
treat_unsafe_negotiation_as_broken	true     

OCSP.enabled				true      
OCSP.GET.enabled			true      
OCSP.require				true      
enable_ocsp_stapling			true     

tls.version.min				3(TLS1.2) 
tls.version.max				4

ecdhe_ecdsa_aes_128_gcm_sha256		true  
ecdhe_rsa_aes_128_gcm_sha256		true 	  


and disabled :
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.dhe_rsa_des_ede3_sha
security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.rsa_aes_256_sha
security.ssl3.rsa_des_ede3_sha
security.ssl3.rsa_aes_256_sha	
because they are broken.

------
I changed those setting back to :
tls.version.min				1(TLS1.0) ****BAD***
and it works now.

This seems like it's still a bug. The workaround is to disable security, not a great workaround.
I had moved over to Evolution because this bug was so long-lived. Looks like it's still not fixed in Fedora 26 Thunderbird 52.3. Let me know when it's fixed.
Summary: TLS 1.2 client Hello from Thunderbird v50 & v52.2 missing "server-name" and "ALPN" extensions. Firefox works fine → TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions. Firefox works fine