Closed Bug 1746087 Opened 2 years ago Closed 2 years ago

ldap over ssl doesn't work with self signed certificate

Categories

(MailNews Core :: Address Book, defect)

Thunderbird 91
defect

Tracking

(thunderbird_esr91+ fixed, thunderbird96 fixed)

RESOLVED FIXED
97 Branch
Tracking Status
thunderbird_esr91 + fixed
thunderbird96 --- fixed

People

(Reporter: applesolvent, Assigned: rnons)

References

(Regression)

Details

(Keywords: regression)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0

Steps to reproduce:

I switched on tls-is-mandatory. Since then LDAP(S) is not working.

Actual results:

In the German health system, doctors and patients, even the whole system, will become more technological, more digital. Every doctor's office or dental office has to be connected already; otherwise the government will force you to earn less as a punishment. This so-called project "Telematik" is huge, and one part of it is KIM. KIM is the e-mail part of it, where only doctors can send e-mails to each other, highly encrypted.

E-mail works great so far if you follow the manual and understand everything. My OS is Windows Server 2012, a normal and small network, one DSL router from AVM (Fritzbox 7270), one Konnektor (medical gadget) from secunet; the KIM address had been bought from Telekom.

In the beginning TLS was not mandatory, and I could not only send e-mails to other doctors and receive them, but also search every medical institute and doctor in Germany, very fast, with LDAP. I entered the Konnektor IP address with some other stuff and without encryption, and voilà, it was done (look at chapter 5.2.4.3 in the KIM manual by Telekom: https://geschaeftskunden.telekom.de/vernetzung-digitalisierung/innovative-produkte/telematikinfrastruktur/kim-client-installation-betriebshandbuch).

In October I had to activate TLS so that every program, every client that wants to communicate with the Konnektor, has to be encrypted. In the beginning nothing worked. Then, from update to update of the KIM client by Telekom, I was able to write e-mails to myself and other doctors; especially version 19782 was good, very well programmed, just like Thunderbird since 1.0 (19782 KIM client by Telekom).

However, LDAP has nothing to do with the KIM client, so it must be because of the TLS-must-be-mandatory switch. I didn't try to turn it off; it has to be enabled because of other parts of Telematik. But there is also a switch which says "for access to LDAP please don't use TLS", which is also enabled, so LDAP should not be established with TLS.

http://<konnektor>/connector.sds

With this link you can see a site similar to the one in this post https://www.ti-community.de/t126f82-Neuer-Telekom-KIM-Client-Version-1.html#msg1048

like an XML file displayed in Firefox. <konnektor> means the Konnektor IP address in the LAN.

This guy said it's better to install Thunderbird 78, then set up LDAP, then upgrade to 91, as here https://www.ti-community.de/t133f82-LDAP-Konfiguration-mit-T-KIM-Client-Module-und-Outlook.html#msg1025

All in all, it's easier to understand this problem if you understand the brutality of the German health system.

Expected results:

I can find doctors, dentists and psychotherapists with a few letters while typing (just like I remember it in September 2021).

Attached image ldaps.png

ldaps works fine for me

Does your problem go away after help > troubleshoot mode?

If it does not, please describe all your settings - where they are set, and precise value. Screen shots preferred.

Flags: needinfo?(applesolvent)

(In reply to Wayne Mery (:wsmwk) from comment #1)

Created attachment 9255399 [details]
ldaps.png

ldaps works fine for me

Does your problem go away after help > troubleshoot mode?

If it does not, please describe all your settings - where they are set, and precise value. Screen shots preferred.

Troubleshoot mode did not help.

Hi, you need to enable the checkbox on the bottom left, like the image in comment 1. The checkbox label says "Use secure connection (SSL)" in English. BTW, are you sure the port-number is correct? 389 is often used for non-SSL connection.

So please try again with the checkbox turned on first, if not working, set the port number to 636.

(In reply to Ping Chen (:rnons) from comment #4)

Hi, you need to enable the checkbox on the bottom left, like the image in comment 1. The checkbox label says "Use secure connection (SSL)" in English. BTW, are you sure the port-number is correct? 389 is often used for non-SSL connection.

So please try again with the checkbox turned on first, if not working, set the port number to 636.

Still doesn't work. I also set it enabled with port 389 and unselected with port 636.

As I said, programs can access the Konnektor's LDAP without TLS because of the extra feature "access LDAP (Diensteverzeichnisdienst dvd) without TLS". There is another program called solutio charly (it organizes the appointments for patients) which has access to LDAP, but with encryption. So it cannot be because of the Konnektor, network, Windows, certificates, ... Something went wrong in Thunderbird, and I think I should try 78 first, then upgrade to 91, then configure POP3S and SMTPS again. Isn't there an error log? I love logs.

Open Settings page, find and open Config Editor, set mailnews.ldap.loglevel to All, logs should be printed to the Console tab of DevTools.

mailnews.ldap.loglevel was Warn.

Where is the console tab? Where is DevTools?

(In reply to applesolvent from comment #8)

mailnews.ldap.loglevel was Warn

where is the console tab? where is devtools?

Settings (hamburger symbol) => Extras => Developer Tools => Console

Error console:
LDAPClient.jsm:43:18
mailnews.ldap: Connecting to ldap://192.168.178.8:389 LDAPClient.jsm:43:18

new msg: LDAPClient.jsm:240:18
mailnews.ldap:
error { target: TCPSocket, isTrusted: true, name: "ConnectionRefusedError", message: "Network", errorCode: 2152398861, srcElement: TCPSocket, currentTarget: TCPSocket, eventPhase: 2, bubbles: false, cancelable: false, … }
  bubbles: false
  cancelBubble: false
  cancelable: false
  composed: false
  composedTarget: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
  currentTarget: null
  defaultPrevented: false
  defaultPreventedByChrome: false
  defaultPreventedByContent: false
  errorCode: 2152398861
  eventPhase: 0
  explicitOriginalTarget: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
  isReplyEventFromRemoteContent: false
  isSynthesized: false
  isTrusted: true
  isWaitingReplyFromRemoteContent: false
  message: "Network"
  multipleActionsPrevented: false
  name: "ConnectionRefusedError"
  originalTarget: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
  returnValue: true
  srcElement: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
  target: TCPSocket { host: "192.168.178.8", port: 389, ssl: false, … }
  timeStamp: 0
  type: "error"
  <get isTrusted()>: function isTrusted()
  <prototype>: TCPSocketErrorEventPrototype { name: Getter, message: Getter, errorCode: Getter, … }
LDAPClient.jsm:240:18
_onError resource:///modules/LDAPClient.jsm:240

new msg: react-redux.js:881:13
<Provider> does not support changing store on the fly. It is most likely that you see this error because you updated to Redux 2.x and React Redux 2.x which no longer hot reload reducers automatically. See https://github.com/reactjs/react-redux/releases/tag/v2.0.0 for the migration instructions. react-redux.js:881:13
Redux 3
React 38
renderApp resource://devtools/client/webconsole/webconsole-wrapper.js:41
init resource://devtools/client/webconsole/webconsole-wrapper.js:121
init resource://devtools/client/webconsole/webconsole-wrapper.js:85
_initializer resource://devtools/client/webconsole/webconsole-ui.js:162

new msg: I switched on TLS in Thunderbird LDAP (don't forget that TLS KIM mail works flawlessly!)

mailnews.ldap: Connecting to ldaps://192.168.178.8:636 LDAPClient.jsm:43:18
mailnews.ldap: Connected LDAPClient.jsm:144:18
mailnews.ldap: Binding LDAPClient.jsm:64:18
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:254:18

mailnews.ldap:
error { target: TCPSocket, isTrusted: true, name: "SecurityError", message: "SecurityCertificate", errorCode: 2153390067, srcElement: TCPSocket, currentTarget: TCPSocket, eventPhase: 2, bubbles: false, cancelable: false, … }
  bubbles: false
  cancelBubble: false
  cancelable: false
  composed: false
  composedTarget: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
  currentTarget: null
  defaultPrevented: false
  defaultPreventedByChrome: false
  defaultPreventedByContent: false
  errorCode: 2153390067
  eventPhase: 0
  explicitOriginalTarget: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
  isReplyEventFromRemoteContent: false
  isSynthesized: false
  isTrusted: true
  isWaitingReplyFromRemoteContent: false
  message: "SecurityCertificate"
  multipleActionsPrevented: false
  name: "SecurityError"
  originalTarget: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
  returnValue: true
  srcElement: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
  target: TCPSocket { host: "192.168.178.8", port: 636, ssl: true, … }
  timeStamp: 0
  type: "error"
  <get isTrusted()>: function isTrusted()
  <prototype>: TCPSocketErrorEventPrototype { name: Getter, message: Getter, errorCode: Getter, … }
LDAPClient.jsm:240:18

new msg:
mailnews.ldap: Connection closed LDAPClient.jsm:232:18

I can confirm LDAP to servers with self signed doesn't seem to work anymore (xref bug 1659947), at least on trunk.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Summary: ldap and the german technology in health systems (telematik and konnektor) → ldap over ssl doesn't work with self signed certificate
Component: Untriaged → Address Book
Product: Thunderbird → MailNews Core

But why not without TLS?

This picture https://files.homepagemodules.de/b838218/resize/300x300/f82t126p1045n2_FOhGwCQn.jpg says "allow access to the VZD over LDAP without needing TLS"; "ungesicherter Zugriff" means access without TLS.

When I try this I get ConnectionRefusedError. But I can open http://192.168.178.8/connector.sds in Firefox, and with httpS://192.168.178.8/connector.sds I can install 2 certificates as .pem, but I can't open the site; I get PR_END_OF_FILE_ERROR, maybe because of self-signed or TLS 1.2/TLS 1.3 errors, I don't know. Please try to understand this post https://www.ti-community.de/t126f82-Neuer-Telekom-KIM-Client-Version-1.html#msg1048

It says that when I can access http://192.168.178.8/connector.sds (non-HTTPS) with Firefox, then Thunderbird should work too (non-HTTPS).

By the way, this is what I get when I use 636 as the port but no TLS (meaning the Konnektor allows non-TLS connections BUT the port is fixed to 636):

mailnews.ldap: Connecting to ldap://192.168.178.8:636 LDAPClient.jsm:43:18
mailnews.ldap: Connected LDAPClient.jsm:144:18
mailnews.ldap: Binding LDAPClient.jsm:64:18
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:254:18
mailnews.ldap: Connection closed LDAPClient.jsm:232:18

This is a little bit more interesting, but still no results when I search for somebody/something while typing.

I tested JXplorer for LDAP non-TLS and it also doesn't work. The Konnektor has a problem, not Thunderbird.
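The two console dumps posted above (ldaps:// on 636 failing with errorCode 2153390067, and plain ldap:// on 636 closing silently right after BindRequest) can be read mechanically instead of by eye. The following is an added example, not code from Thunderbird, from LDAPClient.jsm or from anyone in this bug. It decodes the numeric errorCode by the XPCOM nsresult layout (bit 31 = failure, bits 16..30 = module number + 0x45, low 16 bits = code; for the security module the low 16 bits are the negated NSS error number) and checks the scheme in the "Connecting to ..." line against the port. The error tables are partial subsets of the real ones, and the sample log text is constructed from the lines posted above, trimmed to what matters.

```javascript
'use strict';
// Added example, not Thunderbird code: decode the errorCode values that
// mailnews.ldap logging prints for TCPSocket errors, and sanity-check the
// scheme/port pairing of the "Connecting to ..." line.
//
// nsresult layout: bit 31 set = failure, bits 16..30 = XPCOM module + 0x45,
// bits 0..15 = module-specific code. In the security module (21) NSS/SSL
// errors are carried as code = -nssError, so negating the low 16 bits
// recovers the original negative NSS number.

const MODULE_OFFSET = 0x45;
const MODULE_NETWORK = 6;
const MODULE_SECURITY = 21;

// Subset of the network module's error codes (xpcom/base/ErrorList.py).
const NETWORK_CODES = {
  13: 'NS_ERROR_CONNECTION_REFUSED',
  14: 'NS_ERROR_NET_TIMEOUT',
  20: 'NS_ERROR_NET_RESET',
  30: 'NS_ERROR_UNKNOWN_HOST',
};

// Subset of NSS error numbers (secerr.h / sslerr.h).
const SEC_ERROR_BASE = -0x2000;
const SSL_ERROR_BASE = -0x3000;
const NSS_CODES = {
  [SEC_ERROR_BASE + 11]: 'SEC_ERROR_EXPIRED_CERTIFICATE',
  [SEC_ERROR_BASE + 13]: 'SEC_ERROR_UNKNOWN_ISSUER', // what a self-signed server cert yields
  [SEC_ERROR_BASE + 20]: 'SEC_ERROR_UNTRUSTED_ISSUER',
  [SEC_ERROR_BASE + 21]: 'SEC_ERROR_UNTRUSTED_CERT',
  [SSL_ERROR_BASE + 12]: 'SSL_ERROR_BAD_CERT_DOMAIN',
};

function decodeNsresult(value) {
  const v = Number(value) >>> 0; // treat as unsigned 32-bit
  const module = ((v >>> 16) & 0x7fff) - MODULE_OFFSET;
  const code = v & 0xffff;
  const out = {
    hex: '0x' + v.toString(16).padStart(8, '0'),
    failure: (v & 0x80000000) !== 0,
    module,
    name: null,
  };
  if (module === MODULE_NETWORK) {
    out.name = NETWORK_CODES[code] || null;
  } else if (module === MODULE_SECURITY) {
    out.nssError = -code; // e.g. 0x1ff3 -> -8179
    out.name = NSS_CODES[-code] || null;
  }
  return out;
}

// Reads a pasted mailnews.ldap console dump and returns a small report.
function diagnoseLdapLog(text) {
  const report = { scheme: null, host: null, port: null, errors: [], notes: [] };
  const conn = text.match(/Connecting to (ldaps?):\/\/([^:\s\/]+):(\d+)/);
  if (conn) {
    report.scheme = conn[1];
    report.host = conn[2];
    report.port = Number(conn[3]);
  }
  for (const m of text.matchAll(/errorCode: (\d+)/g)) {
    const value = Number(m[1]);
    if (!report.errors.some(e => e.value === value)) {
      report.errors.push({ value, ...decodeNsresult(value) });
    }
  }
  if (report.scheme === 'ldap' && report.port === 636) {
    report.notes.push('plaintext ldap:// to 636: a TLS-only listener typically closes the connection on the first cleartext bytes');
  }
  if (report.scheme === 'ldaps' && report.port === 389) {
    report.notes.push('ldaps:// to 389: TLS handshake sent to a port that usually expects cleartext LDAP');
  }
  if (report.errors.length === 0 && /BindRequest[\s\S]*Connection closed/.test(text)) {
    report.notes.push('server closed the connection after BindRequest without a TCPSocket error');
  }
  return report;
}

// Constructed samples, trimmed from the console output posted in this bug.
const SAMPLE_LDAPS_SELF_SIGNED = `
mailnews.ldap: Connecting to ldaps://192.168.178.8:636 LDAPClient.jsm:43:18
mailnews.ldap: Connected LDAPClient.jsm:144:18
mailnews.ldap: Binding LDAPClient.jsm:64:18
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:254:18
error { target: TCPSocket, name: "SecurityError", message: "SecurityCertificate", errorCode: 2153390067, … }
mailnews.ldap: Connection closed LDAPClient.jsm:232:18
`;

const SAMPLE_PLAIN_TO_636 = `
mailnews.ldap: Connecting to ldap://192.168.178.8:636 LDAPClient.jsm:43:18
mailnews.ldap: Connected LDAPClient.jsm:144:18
mailnews.ldap: Binding LDAPClient.jsm:64:18
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:254:18
mailnews.ldap: Connection closed LDAPClient.jsm:232:18
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(diagnoseLdapLog(SAMPLE_LDAPS_SELF_SIGNED), null, 2));
  console.log(JSON.stringify(diagnoseLdapLog(SAMPLE_PLAIN_TO_636), null, 2));
}
```

Run with node on the two constructed samples: 2153390067 decodes to 0x805a1ff3, security module, NSS error -8179 = SEC_ERROR_UNKNOWN_ISSUER, which is the verification failure a self-signed server certificate produces; 2152398861 from the earlier dump decodes to 0x804b000d = NS_ERROR_CONNECTION_REFUSED, i.e. nothing was listening on 389. The plain ldap:// to 636 sample yields no decoded error at all, only the scheme/port note and the "closed after BindRequest" note.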

Assignee: nobody → remotenonsense
Status: NEW → ASSIGNED
Target Milestone: --- → 97 Branch

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/9c3885f190a7
Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Comment on attachment 9255642 [details]
Bug 1746087 - Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): bug 1696625
User impact if declined: self signed certificate doesn't work for LDAP
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9255642 - Flags: approval-comm-esr91?
Attachment #9255642 - Flags: approval-comm-beta?

Comment on attachment 9255642 [details]
Bug 1746087 - Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin

[Triage Comment]
Approved for beta

Attachment #9255642 - Flags: approval-comm-beta? → approval-comm-beta+
Whiteboard: [TM:91.5.1]

Comment on attachment 9255642 [details]
Bug 1746087 - Support self signed certificate by passing secInfo to onLDAPError. r=mkmelin

[Triage Comment]
Approved for esr91

Attachment #9255642 - Flags: approval-comm-esr91? → approval-comm-esr91+
See Also: → 1841544