ldap over ssl doesn't work with self signed certificate
Categories: MailNews Core :: Address Book, defect
Tracking: thunderbird_esr91+ fixed, thunderbird96 fixed
People: Reporter: applesolvent, Assigned: rnons
References: Regression
Keywords: regression
Attachments (3 files):
- image/png, 36.91 KB
- image/png, 241.87 KB
- text/x-phabricator-request, 48 bytes (wsmwk: approval-comm-beta+, approval-comm-esr91+)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Steps to reproduce:
I switched on tls-is-mandatory. Since then LDAP(S) is not working.
Actual results:
In the German health system, doctors and patients, even the whole system, will become more technological, more digital. Every doctor's office or dental office has to be connected already; otherwise the government will force you to earn less as a punishment. This so-called project "Telematik" is huge and one part of it is KIM. KIM is the e-mail part of it, where only doctors can send e-mails to each other, highly encrypted.
E-mail works great so far if you follow the manual and understand everything. My OS is Windows Server 2012, a normal and small network, one DSL router from AVM (FritzBox 7270), one Konnektor (medical gadget) from secunet; the KIM address was bought from Telekom.
In the beginning TLS was not mandatory and I could not only send e-mails to other doctors and receive them, but also search every medical institute and doctor in Germany, very fast, with LDAP. I entered the Konnektor IP address with some other stuff and without encryption, et voilà, it was done (see chapter 5.2.4.3 of the KIM manual by Telekom: https://geschaeftskunden.telekom.de/vernetzung-digitalisierung/innovative-produkte/telematikinfrastruktur/kim-client-installation-betriebshandbuch).
In October I had to activate TLS so that every program, every client that wants to communicate with the Konnektor, has to be encrypted. In the beginning nothing worked. Then from update to update of the KIM client by Telekom, I was able to write e-mails to myself and other doctors; especially version 19782 was good, very well programmed, just like Thunderbird since 1.0, KIM client 19782 by Telekom.
However, LDAP has nothing to do with the KIM client, so it must be because of the TLS-must-be-mandatory switch. I didn't try to turn it off; it has to be enabled because of other parts of Telematik. But there is also a switch which says "for access to LDAP please don't use TLS", which is also enabled, so LDAP should not be established with TLS.
http://<konnektor>/connector.sds
With this link you can see a site similar to the one in this post https://www.ti-community.de/t126f82-Neuer-Telekom-KIM-Client-Version-1.html#msg1048
like an XML file displayed in Firefox. <konnektor> means the Konnektor IP address in the LAN.
This guy said it's better to install Thunderbird 78, then set up LDAP, then upgrade to 91, as here https://www.ti-community.de/t133f82-LDAP-Konfiguration-mit-T-KIM-Client-Module-und-Outlook.html#msg1025
All in all, it's easier to understand this problem if you understand the brutality of the German health system.
Expected results:
I can find doctors, dentists and psychotherapists with a few letters while typing (just like I remember it from September 2021).
Comment 1•2 years ago
LDAPS works fine for me.
Does your problem go away after Help > Troubleshoot Mode?
If it does not, please describe all your settings: where they are set, and the precise values. Screenshots preferred.
Comment 2•2 years ago (Reporter)
Comment 3•2 years ago (Reporter)
Troubleshoot mode did not help. (In reply to Wayne Mery (:wsmwk) from comment #1)
> Created attachment 9255399 [details]
> ldaps.png
>
> ldaps works fine for me
> Does your problem go away after help > troubleshoot mode?
> If it does not, please describe all your settings - where they are set, and precise value. Screen shots preferred.
Troubleshoot mode doesn't help.
Comment 4•2 years ago (Assignee)
Hi, you need to enable the checkbox at the bottom left, like in the image in comment 1. The checkbox label says "Use secure connection (SSL)" in English. BTW, are you sure the port number is correct? 389 is often used for non-SSL connections.
So please try again with the checkbox turned on first; if that doesn't work, set the port number to 636.
Comment 5•2 years ago (Reporter)
(In reply to Ping Chen (:rnons) from comment #4)
> Hi, you need to enable the checkbox on the bottom left, like the image in comment 1. The checkbox label says "Use secure connection (SSL)" in English. BTW, are you sure the port-number is correct? 389 is often used for non-SSL connection.
> So please try again with the checkbox turned on first, if not working, set the port number to 636.
Still doesn't work. I also set it enabled with port 389 and unselected with port 636.
Comment 6•2 years ago (Reporter)
As I said, programs can access the Konnektor's LDAP without TLS because of the extra feature "access LDAP (Diensteverzeichnisdienst, DVD) without TLS". There is another program called solutio charly (it organizes the appointments for patients) which has access to LDAP, but with encryption. So it cannot be because of the Konnektor, network, Windows, certificates, ...; something went wrong in Thunderbird and I think I should try 78 first, then upgrade to 91, then configure POP3S and SMTPS again. Isn't there an error log? I love logs.
Comment 7•2 years ago (Assignee)
Open the Settings page, find and open the Config Editor, set mailnews.ldap.loglevel to All; logs should then be printed to the Console tab of DevTools.
Comment 8•2 years ago (Reporter)
mailnews.ldap.loglevel was Warn.
Where is the Console tab? Where is DevTools?
Comment 9•2 years ago (Reporter)
(In reply to applesolvent from comment #8)
> mailnews.ldap.loglevel was Warn
> where is the console tab? where is devtools?
Settings (hamburger symbol) => Extras => Developer Tools => Console
Comment 10•2 years ago (Reporter)
error console:
mailnews.ldap: Connecting to ldap://192.168.178.8:389 LDAPClient.jsm:43:18
new msg: LDAPClient.jsm:240:18
mailnews.ldap:
error { target: TCPSocket, isTrusted: true, name: "ConnectionRefusedError", message: "Network", errorCode: 2152398861, srcElement: TCPSocket, currentTarget: TCPSocket, eventPhase: 2, bubbles: false, cancelable: false, … }
bubbles: false
cancelBubble: false
cancelable: false
composed: false
composedTarget: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
currentTarget: null
defaultPrevented: false
defaultPreventedByChrome: false
defaultPreventedByContent: false
errorCode: 2152398861
eventPhase: 0
explicitOriginalTarget: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
isReplyEventFromRemoteContent: false
isSynthesized: false
isTrusted: true
isWaitingReplyFromRemoteContent: false
message: "Network"
multipleActionsPrevented: false
name: "ConnectionRefusedError"
originalTarget: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
returnValue: true
srcElement: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
target: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
timeStamp: 0
type: "error"
<get isTrusted()>: function isTrusted()
<prototype>: TCPSocketErrorEventPrototype { name: Getter, message: Getter, errorCode: Getter, … }
LDAPClient.jsm:240:18
_onError resource:///modules/LDAPClient.jsm:240
new msg: react-redux.js:881:13
<Provider> does not support changing store
on the fly. It is most likely that you see this error because you updated to Redux 2.x and React Redux 2.x which no longer hot reload reducers automatically. See https://github.com/reactjs/react-redux/releases/tag/v2.0.0 for the migration instructions. react-redux.js:881:13
Redux 3
React 38
renderApp resource://devtools/client/webconsole/webconsole-wrapper.js:41
init resource://devtools/client/webconsole/webconsole-wrapper.js:121
init resource://devtools/client/webconsole/webconsole-wrapper.js:85
_initializer resource://devtools/client/webconsole/webconsole-ui.js:162
Comment 11•2 years ago (Reporter)
new msg: I switched on TLS in the Thunderbird LDAP settings (don't forget that TLS KIM mail works flawlessly!)
mailnews.ldap: Connecting to ldaps://192.168.178.8:636 LDAPClient.jsm:43:18
mailnews.ldap: Connected LDAPClient.jsm:144:18
mailnews.ldap: Binding LDAPClient.jsm:64:18
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:254:18
mailnews.ldap:
error { target: TCPSocket, isTrusted: true, name: "SecurityError", message: "SecurityCertificate", errorCode: 2153390067, srcElement: TCPSocket, currentTarget: TCPSocket, eventPhase: 2, bubbles: false, cancelable: false, … }
bubbles: false
cancelBubble: false
cancelable: false
composed: false
composedTarget: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
currentTarget: null
defaultPrevented: false
defaultPreventedByChrome: false
defaultPreventedByContent: false
errorCode: 2153390067
eventPhase: 0
explicitOriginalTarget: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
isReplyEventFromRemoteContent: false
isSynthesized: false
isTrusted: true
isWaitingReplyFromRemoteContent: false
message: "SecurityCertificate"
multipleActionsPrevented: false
name: "SecurityError"
originalTarget: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
returnValue: true
srcElement: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
target: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
timeStamp: 0
type: "error"
<get isTrusted()>: function isTrusted()
<prototype>: TCPSocketErrorEventPrototype { name: Getter, message: Getter, errorCode: Getter, … }
LDAPClient.jsm:240:18
new msg:
mailnews.ldap: Connection closed LDAPClient.jsm:232:18
Comment 12•2 years ago
I can confirm LDAP to servers with self-signed certificates doesn't seem to work anymore (xref bug 1659947), at least on trunk.
Updated•2 years ago
Comment 13•2 years ago (Reporter)
But why not without TLS?
This picture https://files.homepagemodules.de/b838218/resize/300x300/f82t126p1045n2_FOhGwCQn.jpg says "allow access to the VZD over LDAP without TLS"; "ungesicherter Zugriff" means access without TLS.
When I try this I get ConnectionRefusedError. But I can open http://192.168.178.8/connector.sds in Firefox, and with https://192.168.178.8/connector.sds I can install 2 certificates as .pem, but I can't open the site; I get PR_END_OF_FILE_ERROR, maybe because of self-signed or TLS 1.2/TLS 1.3 errors, I don't know. Please try to understand this post https://www.ti-community.de/t126f82-Neuer-Telekom-KIM-Client-Version-1.html#msg1048
It says that when I can access http://192.168.178.8/connector.sds (non-HTTPS) with Firefox, then Thunderbird should work too (non-TLS).
Comment 14•2 years ago (Reporter)
BTW, this is what I get when I use 636 as the port but no TLS (meaning the Konnektor allows non-TLS connections BUT the port is fixed to 636):
mailnews.ldap: Connecting to ldap://192.168.178.8:636 LDAPClient.jsm:43:18
mailnews.ldap: Connected LDAPClient.jsm:144:18
mailnews.ldap: Binding LDAPClient.jsm:64:18
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:254:18
mailnews.ldap: Connection closed LDAPClient.jsm:232:18
This is a little bit more interesting, but still no results when I search for somebody/something while typing.
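The three outcomes logged in comments 10, 11 and 14 (connection refused on 389, SecurityCertificate on ldaps 636, and connect/bind/close on plain ldap 636) can be told apart from the first bytes on the wire. As an added example that is not part of this bug report and not code from Thunderbird's LDAPClient.jsm, the Node.js script below builds the same anonymous LDAPv3 BindRequest that the log prints as "C: [1] BindRequest" and classifies what a server sends back after the request goes out in cleartext: nothing before the close (the comment 14 pattern of a TLS-only port fed plain BER), a TLS record, or a BER BindResponse whose resultCode it decodes. The sample replies are constructed inline, not captured from the Konnektor, so the script runs offline; a refused TCP connection (comment 10) never produces bytes to classify.

```javascript
// Added example: not from this bug or from Thunderbird's LDAPClient.jsm.
// Encodes an LDAPv3 BindRequest and classifies a server's first reply bytes.
// Node.js only (Buffer); sample replies below are constructed, not captured.

const TAG_INTEGER = 0x02;
const TAG_OCTET_STRING = 0x04;
const TAG_ENUMERATED = 0x0a;
const TAG_SEQUENCE = 0x30;
const TAG_BIND_REQUEST = 0x60;  // [APPLICATION 0], constructed
const TAG_BIND_RESPONSE = 0x61; // [APPLICATION 1], constructed
const TAG_SIMPLE_AUTH = 0x80;   // [0] context tag: simple password

// BER TLV with definite length (short form, long form above 127 bytes).
function ber(tag, payload) {
  const body = Buffer.isBuffer(payload) ? payload : Buffer.from(payload);
  let len;
  if (body.length < 0x80) {
    len = Buffer.from([body.length]);
  } else {
    const bytes = [];
    for (let n = body.length; n > 0; n = Math.floor(n / 256)) bytes.unshift(n & 0xff);
    len = Buffer.from([0x80 | bytes.length, ...bytes]);
  }
  return Buffer.concat([Buffer.from([tag]), len, body]);
}

// Non-negative INTEGER/ENUMERATED: big-endian, leading 0x00 if top bit is set.
function berInt(tag, n) {
  const bytes = [];
  do { bytes.unshift(n & 0xff); n = Math.floor(n / 256); } while (n > 0);
  if (bytes[0] & 0x80) bytes.unshift(0);
  return ber(tag, bytes);
}

// LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
// BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER (3), name LDAPDN,
//                 authentication CHOICE { simple [0] OCTET STRING } }
// dn = "" and password = "" is an anonymous simple bind (no bind DN configured).
function bindRequest(messageId, dn, password) {
  const op = ber(TAG_BIND_REQUEST, Buffer.concat([
    berInt(TAG_INTEGER, 3),
    ber(TAG_OCTET_STRING, dn),
    ber(TAG_SIMPLE_AUTH, password),
  ]));
  return ber(TAG_SEQUENCE, Buffer.concat([berInt(TAG_INTEGER, messageId), op]));
}

// Read one TLV at `off`: tag, value slice, and the offset just after it.
function readTlv(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1];
  let p = off + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[p++];
  }
  return { tag, value: buf.subarray(p, p + len), next: p + len };
}

// BindResponse ::= [APPLICATION 1] LDAPResult { resultCode ENUMERATED,
//                  matchedDN LDAPDN, diagnosticMessage LDAPString, ... }
function parseBindResponse(buf) {
  const msg = readTlv(buf, 0);
  if (msg.tag !== TAG_SEQUENCE) throw new Error('not an LDAPMessage');
  const id = readTlv(msg.value, 0);
  const op = readTlv(msg.value, id.next);
  if (op.tag !== TAG_BIND_RESPONSE) throw new Error('not a BindResponse');
  const rc = readTlv(op.value, 0);
  const matched = readTlv(op.value, rc.next);
  const diag = readTlv(op.value, matched.next);
  return { messageId: id.value[0], resultCode: rc.value[0], diagnostic: diag.value.toString('utf8') };
}

// 'closed': no bytes before FIN (the "Connected / Binding / Connection closed"
//           sequence of comment 14, typical of a TLS-only port fed cleartext)
// 'tls':    TLS alert (0x15) or handshake (0x16) record, version 0x03xx
// 'ldap':   a BER SEQUENCE, i.e. a real LDAPMessage
function classifyReply(bytes) {
  if (bytes.length === 0) return 'closed';
  if ((bytes[0] === 0x15 || bytes[0] === 0x16) && bytes[1] === 0x03) return 'tls';
  if (bytes[0] === TAG_SEQUENCE) return 'ldap';
  return 'unknown';
}

function diagnose(reply) {
  switch (classifyReply(reply)) {
    case 'closed':
      return 'server closed the connection after the cleartext bind: port is probably TLS-only, retry with ldaps://';
    case 'tls':
      return 'server answered with a TLS record: the client is speaking plain LDAP to a TLS port';
    case 'ldap': {
      const r = parseBindResponse(reply);
      if (r.resultCode === 0) return 'bind succeeded';
      if (r.resultCode === 13) return 'resultCode 13 confidentialityRequired: server demands TLS (StartTLS or ldaps://)';
      return `bind failed with resultCode ${r.resultCode}: ${r.diagnostic}`;
    }
    default:
      return 'unrecognised reply';
  }
}

// Constructed sample replies (hypothetical, not captured from any real server).
function bindResponse(messageId, resultCode, diagnostic) {
  const op = ber(TAG_BIND_RESPONSE, Buffer.concat([
    berInt(TAG_ENUMERATED, resultCode),
    ber(TAG_OCTET_STRING, ''),
    ber(TAG_OCTET_STRING, diagnostic),
  ]));
  return ber(TAG_SEQUENCE, Buffer.concat([berInt(TAG_INTEGER, messageId), op]));
}
const SAMPLE_REPLIES = {
  closed: Buffer.alloc(0),
  tlsAlert: Buffer.from([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x0a]), // fatal unexpected_message
  bindOk: bindResponse(1, 0, ''),
  needsTls: bindResponse(1, 13, 'confidentiality required'),
};

for (const [name, reply] of Object.entries(SAMPLE_REPLIES)) {
  console.log(`${name}: ${diagnose(reply)}`);
}
console.log('BindRequest:', bindRequest(1, '', '').toString('hex'));
```

To use it against a live directory, send `bindRequest(1, '', '')` over a plain TCP socket to the configured port, read whatever arrives before the peer closes, and pass that buffer to `diagnose`; the 'closed' and 'tls' answers both mean the port needs ldaps:// (or StartTLS), which is a different problem from the certificate-trust failure in comment 11.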
Comment 15•2 years ago (Reporter)
I tested JXplorer for LDAP without TLS and it also doesn't work. The Konnektor has a problem, not Thunderbird.
Comment 16•2 years ago (Assignee)
Updated•2 years ago
Comment 17•2 years ago
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/9c3885f190a7
Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin
Comment 18•2 years ago (Reporter)
Comment 19•2 years ago (Assignee)
Comment on attachment 9255642 [details]
Bug 1746087 - Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): bug 1696625
User impact if declined: self signed certificate doesn't work for LDAP
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low
Comment 20•2 years ago
Comment on attachment 9255642 [details]
Bug 1746087 - Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin
[Triage Comment]
Approved for beta
Updated•2 years ago
Comment 21•2 years ago
bugherder uplift
Thunderbird 96.0b4:
https://hg.mozilla.org/releases/comm-beta/rev/b6a825463656
Updated•2 years ago
Comment 22•2 years ago
Comment on attachment 9255642 [details]
Bug 1746087 - Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin
[Triage Comment]
Approved for esr91
Comment 23•2 years ago
bugherder uplift
Thunderbird 91.5.1:
https://hg.mozilla.org/releases/comm-esr91/rev/e6d43a9f5c7e