Open Bug 1641882 Opened 4 years ago Updated 3 years ago

Infinite loop when POP3 server replies with -Err to STLS command.

Categories

(Thunderbird :: General, defect, P3)

Tracking

(Not tracked)

People

(Reporter: poddebniak, Unassigned)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

Answer with -Err to STLS command.

Actual results:

Thunderbird tries to issue the STLS command again, which results in the same -Err response. This loop continues indefinitely.

Expected results:

Thunderbird should not try to issue the command again and should terminate the connection.

PS: I would also like to suggest that the shown error message be changed from "disable encryption" to "try POP3 with implicit TLS on port 995" (or something like that) instead. Related: https://bugzilla-dev.allizom.org/show_bug.cgi?id=962763

Ah, sorry. Never mind about the error message. I confused that with SMTP. There is no message when the server responds with -Err.

Are you saying the server incorrectly advertises something it does not offer? Or is the certificate being presented not valid for some reason? What prompts the -err situation?

To be clear: I have not seen this in the real world, and the server only advertises STARTTLS and then rejects it because I configured it to do so. This was part of a test to see if I can bypass STARTTLS in POP3 in Thunderbird.

This is what happens:

S: +OK POP3 server ready.\r
C: CAPA\r
S: +OK\r
STLS\r
TOP\r
USER\r
SASL CRAM-MD5 KERBEROS_V4\r
RESP-CODES\r
LOGIN-DELAY 900\r
PIPELINING\r
EXPIRE 60\r
UIDL\r
IMPLEMENTATION fake_mail_server\r
.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
S: -ERR STARTTLS not supported.\r
C: STLS\r
...

I assume that a real POP3 server will terminate the connection when a certain count of errors is reached, so this might not be super important.

But I figured you still might be interested in this, because RFC2595 defines that "+OK" and "-ERR" are two of the possible responses to the STLS command and Thunderbird should handle both of them in an appropriate way.
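An added example (not part of the bug report and not Thunderbird's code) of the handling the report asks for: STLS is sent once, `+OK` proceeds to the TLS handshake, and `-ERR` ends the session with no retry and no plaintext login. The names `negotiate_stls`, `StlsRefused`, `ScriptedServer` and `run` are hypothetical, and the scripted server replies are constructed from the transcript above.

```python
class StlsRefused(Exception):
    """Server answered -ERR (or something unexpected) to STLS."""


def negotiate_stls(send, recv_line, close):
    """Issue STLS exactly once and act on the single reply.

    send(bytes), recv_line() -> bytes and close() abstract the socket so the
    logic can be exercised offline. Returns True when the caller may start
    the TLS handshake; raises StlsRefused otherwise.
    """
    send(b"STLS\r\n")
    reply = recv_line().rstrip(b"\r\n")
    status = reply.split(b" ", 1)[0].upper()
    if status == b"+OK":
        return True  # caller wraps the socket in TLS next
    # -ERR or anything else: no retry, no plaintext USER/PASS fallback.
    close()
    raise StlsRefused(reply.decode("ascii", "replace"))


class ScriptedServer:
    """Constructed stand-in for the server in the transcript."""

    def __init__(self, stls_reply):
        self.stls_reply = stls_reply
        self.received = []   # every command line the client sent
        self.closed = False

    def send(self, data):
        if self.closed:
            raise ConnectionError("write after close")
        self.received.append(data)

    def recv_line(self):
        return self.stls_reply

    def close(self):
        self.closed = True


def run(stls_reply):
    """Drive one negotiation; return (outcome, commands_sent, closed)."""
    srv = ScriptedServer(stls_reply)
    try:
        negotiate_stls(srv.send, srv.recv_line, srv.close)
        outcome = "upgrade"
    except StlsRefused as exc:
        outcome = "refused: " + str(exc)
    return outcome, srv.received, srv.closed
```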

I was just trying to clarify. As you say, the server has to be misconfigured to get to this point, but a nice handling of the error would be appropriate in an ideal world.

Status: UNCONFIRMED → NEW
Component: Untriaged → General
Ever confirmed: true
Version: 68 → Trunk
Priority: -- → P2
Priority: P2 → P3

This bug was mentioned on https://nostarttls.secvuln.info/

I noticed the link in the See Also field is incorrect. Instead, it should go to bug 962763.
