bugzilla.mozilla.org has resumed normal operation. Attachments prior to 2014 will be unavailable for a few days. This is tracked in Bug 1475801.
Please report any other irregularities here.

IMAPS secure password authentication broken starting in 1.6b

RESOLVED INVALID

Status

MailNews Core
Security
--
major
RESOLVED INVALID
15 years ago
10 years ago

People

(Reporter: Thomas Brown, Assigned: (not reading, please use seth@sspitzer.org instead))

Tracking

Trunk
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031030
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031208

Starting with the Mozilla 1.6b final release I am no longer able to log in to my
UW IMAP server using SSL.  Mozilla complains that "Secure Password
Authentication has been selected but is not supported by the server."  If I
uncheck SPA in the server settings it logs in OK.  Everything up through the
Mozilla 1.6a final release works OK.

Could it be that SPA truly never worked with UW IMAP and older Mozilla releases
just ignored it and authenticated some other way, or is this a bug starting with
1.6b?

I'm running the latest release of UW IMAP 2003:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost
IMAP4rev1 2003.339 at Mon, 15 Dec 2003 01:00:15 -0500 (EST)


Reproducible: Always

Steps to Reproduce:

Actual Results:  
No IMAP connection is possible unless you disable SPA or SSL altogether.


I can privately provide the address of the IMAPS server in question if you need
this for testing.  The error comes up immediately after connecting, so it can be
reproduced by anyone.

Comment 1

15 years ago
Thomas, you're right, SPA supposably never worked on the server. With fix bug
225809 we changed our strategy of fallback if "use secure authentication" is
turned on.
It's a little bit annoying, but reliably really performing secure authentication
when this option is checked improves security. Please see the mentioned bug for
more information.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → INVALID
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.