338243 - Enabling TLS for new IMAP connections doesn't close old connections

Status: RESOLVED FIXED

(Thunderbird :: Security, defect)

Description

[Dan Merillat]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060205 Debian/1.7.12-1.1
Build Identifier: Thunderbird 1.5.0.2 (20060501) from Debian

Due to IMAP connection caching, enabling TLS does not take effect until you restart thunderbird.   This leads you to believe you're using an encrypted connection when in fact you are not, and no warning is given to this status.

I used tcpflow to watch the transaction, after setting TLS and hitting OK, I clicked on a new message in my inbox.  It showed up in my sniffer logs in plaintext.


Reproducible: Always

Steps to Reproduce:
Trivially reproducable.  
1 Start with TLS disabled.
2 click on Get Mail
3 Click on Edit/Account Settings
4 set security settings to "Use Secure connection: TLS"
5 OK out of Account Settings
6 Click on an email in your inbox.  


Actual Results:  
Messages are fetched in plaintext.

Expected Results:  
Issued STARTTLS and negotiated a secure connection.

Comment 1

[David :Bienvenu]

We could close cached connections when this setting is changed - 4.x might have even done that.

Comment 2

[Dan Merillat]

Should do it for any setting change, as that would alleviate a lot of mysterious failures due to WYS != WYG.   TLS, secure auth, username off the top of my head.  I think only changing the server name/port causes a new connection to be established now, but I could be wrong.

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

frightening!

Comment 4

[Daniel Veditz [:dveditz]]

*** This bug has been marked as a duplicate of 325379 ***

Comment 5

[Dan Merillat]

this is _NOT_ a duplicate of 325379. I read it before openening a seperate issue, and they are quite different.  325379 involved issuing a CAPABILITY before STARTTLS.   This is a seperate issue where a configuration change does not close current unencrypted connections and continues to transfer mail unencrypted until you close thunderbird and re-open.

I can't confirm that the patch fixes 338243 as well, please verify that it does indeed stop transmitting in cleartext when the settings are changed to TLS

Comment 6

[David :Bienvenu]

changing summary to be clearer.

Comment 7

[David :Bienvenu]

Attachment: close cached connections when socket type changes

Comment 8

[David :Bienvenu]

fixed on trunk and branch.

Comment 9

[neil@parkwaycc.co.uk]

Comment on attachment 237619 [details] [diff] [review]
close cached connections when socket type changes

>+      // don't call virtual method in case overrides call GetSocketType
>+      nsMsgIncomingServer::SetSocketType(*aSocketType);

>+  nsCAutoString fullPrefName;
>+  getPrefName(m_serverKey.get(), "socketType", fullPrefName);
>+  return m_prefBranch->SetIntPref(fullPrefName.get(), aSocketType);
It's better to forward this to nsMsgIncomingServer than copying code. It also avoid breaking my nsMsgIncomingServer cleanup patch ;-)

Comment 10

[neil@parkwaycc.co.uk]

(In reply to comment #9)
>It also avoids breaking my nsMsgIncomingServer cleanup patch ;-)
Hmm, it looks as if my cleanup touches nsImapIncomingServer.cpp anyway.

Comment 11

[Frank Wein [:mcsmurf]]

Is the approval-thunderbird2? request now obsolete?

Comment 12

[David :Bienvenu]

Comment on attachment 237619 [details] [diff] [review]
close cached connections when socket type changes

yes, I guess this request is obsolete...