Open Bug 1641882 Opened 4 years ago Updated 6 months ago

Infinite loop when POP3 server replies with -Err to STLS command.

Categories

(Thunderbird :: General, defect, P3)

Tracking

(Not tracked)

People

(Reporter: poddebniak, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

Answer with -Err to STLS command.

Actual results:

Thunderbird tries to issue the STLS command again, which results in the same -Err response. This loop continues indefinitely.

Expected results:

Thunderbird should not try to issue the command again and should terminate the connection.

PS: I would also like to suggest that the shown error message be changed from "disable encryption" to "try POP3 with implicit TLS on port 995" (or something like that) instead. Related: https://bugzilla-dev.allizom.org/show_bug.cgi?id=962763

Ah, sorry. Never mind about the error message. I confused that with SMTP. There is no message when the server responds with -Err.

Are you saying the server incorrectly advertises something it does not offer? Or is the certificate being presented not valid for some reason? What prompted the -err situation?

To be clear: I have not seen this in the real world, and the server only advertises STARTTLS and then rejects it because I configured it to do so. This was part of a test to see if I can bypass STARTTLS in POP3 in Thunderbird.

This is what happens:

S: +OK POP3 server ready.\r
C: CAPA\r
S: +OK\r
STLS\r
TOP\r
USER\r
SASL CRAM-MD5 KERBEROS_V4\r
RESP-CODES\r
LOGIN-DELAY 900\r
PIPELINING\r
EXPIRE 60\r
UIDL\r
IMPLEMENTATION fake_mail_server\r
.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
...

I assume that a real POP3 server will terminate the connection when a certain count of errors is reached, so this might not be super important.

But I figured you still might be interested in this, because RFC2595 defines that "+OK" and "-ERR" are two of the possible responses to the STLS command and Thunderbird should handle both of them in an appropriate way.
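The handling asked for in the comment above, as an added example that is not part of the original report and is not Thunderbird's code: a client-side STLS negotiation that sends STLS at most once and ends the session on -ERR. The names `makeRejectingServer` and `negotiateStls` and the returned state strings are hypothetical, and the fake server is constructed from the transcript in the report.

```javascript
// Added illustration, not Thunderbird code. All names here are hypothetical.
// Constructed fake server mirroring the transcript in the report:
// it advertises STLS in CAPA, then rejects every STLS command.
function makeRejectingServer() {
  const received = [];
  return {
    received,
    send(cmd) {
      received.push(cmd);
      if (cmd === "CAPA") return ["+OK", "STLS", "TOP", "USER", "UIDL", "."];
      if (cmd === "STLS") return ["-ERR STARTTLS not supported."];
      if (cmd === "QUIT") return ["+OK bye"];
      return ["-ERR unknown command"];
    },
  };
}

// Negotiate STLS for an account that requires TLS. STLS is sent at most
// once; both RFC 2595 outcomes (+OK, -ERR) end the negotiation step.
function negotiateStls(server) {
  const capa = server.send("CAPA");
  const advertised = capa[0].startsWith("+OK") &&
    capa.slice(1).some((line) => line.trim().toUpperCase() === "STLS");
  if (!advertised) {
    // TLS is required but not offered: stop before any credentials are sent.
    server.send("QUIT");
    return { state: "ABORTED", reason: "STLS not advertised" };
  }
  const reply = server.send("STLS")[0];
  if (reply.startsWith("+OK")) {
    // The TLS handshake would start here (not simulated in this example).
    return { state: "START_TLS_HANDSHAKE", reason: reply };
  }
  // -ERR or any unexpected reply: no retry and no cleartext fallback.
  server.send("QUIT");
  return { state: "ABORTED", reason: reply };
}

const server = makeRejectingServer();
const result = negotiateStls(server);
console.log(result.state, "| commands sent:", server.received.join(", "));
```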

I was just trying to clarify. As you say, the server has to be misconfigured to get to this point, but a nice handling of the error would be appropriate in an ideal world.

Status: UNCONFIRMED → NEW
Component: Untriaged → General
Ever confirmed: true
Version: 68 → Trunk
Priority: -- → P2
Priority: P2 → P3

This bug was mentioned on https://nostarttls.secvuln.info/

I noticed the link in the See Also field is incorrect. Instead, it should go to bug 962763.

Blocks: 1898134