Open
Bug 1377102
Opened 7 years ago
Updated 2 years ago
TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions in Client Hello. Firefox works fine
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
UNCONFIRMED
People
(Reporter: abentley, Unassigned, NeedInfo)
Details
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170613080547

Steps to reproduce:
Start Thunderbird, attempt to get email. Been using Thunderbird for 15 yrs. Worked fine up until April 23. Been waiting on v52 hoping things got fixed. Didn't get fixed, so reporting this now.

Actual results:
No logon prompt. Performed Wireshark capture of both Thunderbird TLS handshake & Firefox TLS handshake to same server. Firefox TLS client hello is fine & FF connects fine. Thunderbird starting with v50.1? & now 52.2.0_x64 both fail to include "server_name" and "ALPN" extension in Client Hello.
OS=Fedora25 (4.11.6-201.fc25.x86_64), nss-3.30.2-1.1.fc25, firefox-54.0-2.fc25, thunderbird-52.2.0-1.fc25

Expected results:
Logon prompt should have come up after successful TLS negotiation.
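The report above rests on what a packet capture shows in the ClientHello: whether the server_name (SNI) and ALPN extensions are present. The following is an added example (it is not part of the bug report and not Thunderbird, NSS or Firefox code): a small parser for a TLS ClientHello record that lists its extensions and flags the missing ones, so a capture can be checked without Wireshark. The two ClientHello byte strings are constructed by hand with a builder in the same block and are labelled as such; the hostname, cipher suites and the "imap" ALPN label are sample values, not anything taken from the reporter's capture.

```python
"""Parse a TLS ClientHello record and report which extensions it carries.

Added example for the Thunderbird SNI/ALPN bug report; not code from the
report or from Mozilla. The sample records are constructed below, not captured.
"""
import struct

# Extension type values from the IANA TLS ExtensionType registry.
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
EXT_NAMES = {
    0x0000: "server_name",
    0x000a: "supported_groups",
    0x000b: "ec_point_formats",
    0x000d: "signature_algorithms",
    0x0010: "application_layer_protocol_negotiation",
    0x0017: "extended_master_secret",
    0x0023: "session_ticket",
    0xff01: "renegotiation_info",
}


def parse_client_hello(record: bytes) -> dict:
    """Parse a plaintext TLS record holding a ClientHello (RFC 5246 7.4.1.2).

    Returns client_version, the offered cipher suites and an ordered list of
    (extension_type, extension_data). Malformed input raises ValueError
    instead of yielding a partial result.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # legacy_version, then 32-byte random
    pos += 1 + hello[pos]              # session_id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # compression_methods (length-prefixed)

    extensions = []
    if pos < len(hello):               # the extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end != len(hello):
            raise ValueError("extensions length disagrees with ClientHello length")
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions.append((ext_type, hello[pos:pos + ext_len]))
            pos += ext_len
    return {"client_version": client_version,
            "cipher_suites": cipher_suites,
            "extensions": extensions}


def sni_hostname(parsed: dict):
    """Return the host_name from the server_name extension, or None."""
    for ext_type, data in parsed["extensions"]:
        if ext_type == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]   # list len(2), type(1), len(2)
            return data[5:5 + name_len].decode("ascii")
    return None


def alpn_protocols(parsed: dict):
    """Return the ALPN protocol list, or None when the extension is absent."""
    for ext_type, data in parsed["extensions"]:
        if ext_type == EXT_ALPN:
            protocols, i = [], 2                           # skip 2-byte list length
            while i < len(data):
                n = data[i]
                protocols.append(data[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            return protocols
    return None


def missing_extensions(parsed: dict, required=(EXT_SERVER_NAME, EXT_ALPN)):
    """Names of required extensions the ClientHello does not carry."""
    present = {ext_type for ext_type, _ in parsed["extensions"]}
    return [EXT_NAMES.get(t, hex(t)) for t in required if t not in present]


# --- builders used only to construct the sample records below ---------------
def build_sni(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def build_alpn(protocols) -> bytes:
    body = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return struct.pack("!H", len(body)) + body


def build_client_hello(extensions) -> bytes:
    """Constructed TLS 1.2 ClientHello record (sample data, not a capture)."""
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"              # version, random, no session id
             + struct.pack("!H", 4) + b"\xc0\x2b\xc0\x2f"       # two ECDHE-GCM suites
             + b"\x01\x00"                                      # one method: null compression
             + struct.pack("!H", len(ext_block)) + ext_block)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: one hello with both extensions, one without them.
GOOD_HELLO = build_client_hello([(EXT_SERVER_NAME, build_sni("mail.example.net")),
                                 (EXT_ALPN, build_alpn(["imap"])),   # sample ALPN label
                                 (0x0017, b"")])
BARE_HELLO = build_client_hello([(0x0017, b""), (0xff01, b"\x00")])

if __name__ == "__main__":
    for label, rec in (("with SNI+ALPN", GOOD_HELLO), ("without", BARE_HELLO)):
        p = parse_client_hello(rec)
        print(label, "missing:", missing_extensions(p),
              "sni:", sni_hostname(p), "alpn:", alpn_protocols(p))
```

To check a real capture, export the first client-to-server TLS record from the capture as raw bytes and pass it to `parse_client_hello`; an empty `missing_extensions` result means both extensions were sent, which is the condition the report says Firefox meets and Thunderbird does not.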
Comment 1•7 years ago
What version of TLS is being negotiated?
Component: Untriaged → Security
Flags: needinfo?(abentley)
Comment 2•7 years ago
ha, my bad, the version is in the summary. ref https://bugzilla.mozilla.org/show_bug.cgi?id=1361411
Flags: needinfo?(abentley)
Reporter
Comment 3•7 years ago
I discovered a temp workaround... I had gone into Edit->Preferences, Advanced, General, Config Editor and changed:

require_safe_negotiation true
treat_unsafe_negotiation_as_broken true
OCSP.enabled true
OCSP.GET.enabled true
OCSP.require true
enable_ocsp_stapling true
tls.version.min 3 (TLS1.2)
tls.version.max 4
ecdhe_ecdsa_aes_128_gcm_sha256 true
ecdhe_rsa_aes_128_gcm_sha256 true

and disabled:

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.dhe_rsa_des_ede3_sha
security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.rsa_aes_256_sha
security.ssl3.rsa_des_ede3_sha
security.ssl3.rsa_aes_256_sha

because they are broken.

------

I changed those settings back to:

tls.version.min 1 (TLS1.0) ****BAD****

and it works now. This seems like it's still a bug. The workaround is to disable security, not a great workaround. I had moved over to Evolution because this bug was so long lived. Looks like it's still not fixed in Fedora 26 Thunderbird 52.3. Let me know when it's fixed.
Summary: TLS 1.2 client Hello from Thunderbird v50 & v52.2 missing "server-name" and "ALPN" extensions. Firefox works fine → TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions. Firefox works fine
Comment 4•6 years ago
Andy, Can you test the beta from http://www.mozilla.org/en-US/thunderbird/channel/ ?
Flags: needinfo?(abentley)
Summary: TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions. Firefox works fine → TLS 1.2 client Hello in Thunderbird v50, v52.2, v52.3 missing "server-name" and "ALPN" extensions in Client Hello. Firefox works fine
Updated•2 years ago
Severity: normal → S3