Bug 723551 - LDAP connection broken starting with version 10 and Kerio Connect
Status: NEW
Whiteboard: [server needs updating, see comment 13]
Product: MailNews Core
Component: LDAP Integration
Version: 10
Platform: x86 Windows XP
Importance: -- major with 1 vote
Assigned To: Nobody; OK to take it and work on it
Duplicates: 698787
Depends on: 702111
Reported: 2012-02-02 08:35 PST by Honza Bambas (:mayhemer)
Modified: 2015-09-30 06:26 PDT

Description Honza Bambas (:mayhemer) 2012-02-02 08:35:07 PST
+++ This bug was initially created as a clone of Bug #708813 +++

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Build ID: 20111120135848

Steps to reproduce:

Starting with version 9, I can no longer establish the LDAP connection; it is, however, still working fine in version 8.


Actual results:

After I create a new Directory Server with the same configuration as in version 8, going to the Offline tab and clicking on Download Now causes a lockup or indicates that the connection to the LDAP server has failed. I have to kill the task to get out of Thunderbird.

This has been going on since the first release of versions 9, 10 and 11. They always behave in the same manner across the versions. The only version that is still working with LDAP is version 8.
Comment 1 Honza Bambas (:mayhemer) 2012-02-02 08:39:20 PST
(Hit enter too soon)

The proper description:

(In reply to wisspur from Bug #708813 comment #48)
> Sad to report that the LDAP in this ESR version failed. For now, it seems
> the TB 9.0.1 is the most stable version.
> 
> http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/10.0esr-
> candidates/build1/win32/en-US/

wisspur, it would be great if you would be able to find the revision that is first broken.  Please see http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-manual-binary-search/
Comment 2 wisspur 2012-02-02 10:12:01 PST
(In reply to Honza Bambas (:mayhemer) from comment #1)
> (Hit enter too soon)
> 
> The proper description:
> 
> (In reply to wisspur from Bug #708813 comment #48)
> > Sad to report that the LDAP in this ESR version failed. For now, it seems
> > the TB 9.0.1 is the most stable version.
> > 
> > http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/10.0esr-
> > candidates/build1/win32/en-US/
> 
> wisspur, it would be great if you would be able to find the revision that is
> first broken.  Please see
> http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-
> manual-binary-search/

(In reply to Mark Banner (:standard8) from comment #17)
> (In reply to wisspur from comment #16)
> > I hope you're not going to put the next final version, 10, in the release
> > channel. It is now at 10b2 and the ldap is still broken; I don't want it to
> > update by accident and mess up my good working version 9.0.1
> 
> So you reported this bug in comment 0 as broken against Thunderbird 9.0, but
> you are saying it works in 9.0.1? Or that it always worked in 9.0 as well?
> 
It started working in beta 4 and up to the final release. I believe I reported that this incident began with the beta release of version 9.

The LDAP replication process failed starting with version 9 Beta 1-3
Comment 4 Honza Bambas (:mayhemer) 2012-02-02 10:37:43 PST
Carrying the comment over:

(In reply to Honza Bambas (:mayhemer) from comment #52)
> (In reply to wisspur from comment #48)
> > Sad to report that the LDAP in this ESR version failed. For now, it seems
> > the TB 9.0.1 is the most stable version.
> > 
> > http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/10.0esr-
> > candidates/build1/win32/en-US/
> 
> A debug build using the source code for the 10 esr build1 works for me well.
> No deadlocks, accessing a secure LDAP with OCSP'ed cert works as expected
> (success when the CA is trusted, failure when not trusted).
> 
One thing is worth mentioning that my mail server is using self-signed certificate. Does it have anything to do with this LDAP replication failure? It still works well on TB 9.0.1
Comment 5 Honza Bambas (:mayhemer) 2012-02-02 10:42:37 PST
(In reply to Honza Bambas (:mayhemer) from comment #4)
> One thing is worth mentioning that my mail server is using self-signed
> certificate. Does it have anything to do with this LDAP replication failure?
> It still works well on TB 9.0.1

This is interesting and very important to mention.

Have you added an exception for the certificate?

Or, have you ever added the certificate to your Authorities in Thunderbird?  (Tools/Options/Advanced/Certificates/View Certificates/Authorities).
Comment 6 wisspur 2012-02-02 10:48:51 PST
(In reply to Honza Bambas (:mayhemer) from comment #5)
> (In reply to Honza Bambas (:mayhemer) from comment #4)
> > One thing is worth mentioning that my mail server is using self-signed
> > certificate. Does it have anything to do with this LDAP replication failure?
> > It still works well on TB 9.0.1
> 
> This is interesting and very important to mention.
> 
> Have you added an exception for the certificate?
> 
> Or, have you ever added the certificate to your Authorities in Thunderbird? 
> (Tools/Options/Advanced/Certificates/View Certificates/Authorities).

It was in the Servers section all this time. There was no "Add Exception" in the Authorities section to add my certificate.
Comment 7 wisspur 2012-02-02 10:57:56 PST
(In reply to wisspur from comment #6)
> (In reply to Honza Bambas (:mayhemer) from comment #5)
> > (In reply to Honza Bambas (:mayhemer) from comment #4)
> > > One thing is worth mentioning that my mail server is using self-signed
> > > certificate. Does it have anything to do with this LDAP replication failure?
> > > It still works well on TB 9.0.1
> > 
> > This is interesting and very important to mention.
> > 
> > Have you added an exception for the certificate?
> > 
> > Or, have you ever added the certificate to your Authorities in Thunderbird? 
> > (Tools/Options/Advanced/Certificates/View Certificates/Authorities).
> 
> It was in the Servers section all this time. There was no "Add Exception" in
> the Authorities section to add my certificate.

FYI. I just tried to use the "Import" function to install the certificate to the Authorities section, and the response I get is "This certificate is already installed as a certificate authority".
Comment 8 Stanislav 2012-02-03 06:26:40 PST
Hello, all.

I have the same bug in Thunderbird 10, but concerning only secure LDAP (LDAPS) connections. Plain LDAP works fine for me with both Thunderbird 9 and 10. Also, Thunderbird 9 has no problems with LDAPS either.

My OS is Windows XP, my server is Kerio Connect 7.1.2.

I am ready to provide a test account on my server to developers on private request, to speed up fixing this bug.
Comment 9 Honza Bambas (:mayhemer) 2012-02-03 06:36:02 PST
(In reply to Stanislav from comment #8)
> I am ready to provide a test account on my server to developers on private
> request, to speed up fixing this bug.

Thanks!  That would be a great benefit.  Please send the credentials to my bugmail directly.  Thank you.
Comment 10 Stanislav 2012-02-03 10:16:40 PST
Done.

By the way, I'll try to check in which nightly build LDAP became broken. But I'm not sure that I'll have success.
Comment 11 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-02-03 10:38:28 PST
Please run Thunderbird with NSS_SSL_CBC_RANDOM_IV=0 set in the environment. On Windows:

1. Start a command prompt
2. type set NSS_SSL_CBC_RANDOM_IV=0
3. "C:\Program Files (x86)\Thunderbird\thunderbird.exe" (or, whatever your path to Thunderbird is)

And report back whether the problem still occurs.
Comment 12 Honza Bambas (:mayhemer) 2012-02-03 10:48:00 PST
Just occurred to me as well.  NSS_SSL_CBC_RANDOM_IV=0 resolves the issue here, I just cannot add an exception for the certificate to go on and check LDAP fully works - the exception dialog doesn't appear.
Comment 13 Mark Banner (:standard8) (afk until 26th July) 2012-02-03 11:08:18 PST
(In reply to Honza Bambas (:mayhemer) from comment #12)
> Just occurred to me as well.  NSS_SSL_CBC_RANDOM_IV=0 resolves the issue
> here, I just cannot add an exception for the certificate to go on and check
> LDAP fully works - the exception dialog doesn't appear.
...
(In reply to Stanislav from comment #8)
> My OS is Windows XP, my server is Kerio Connect 7.1.2.

Given these two comments, this helps greatly.

The issue is that due to a vulnerability in the SSL/TLS protocols (see here for more details: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389, http://technet.microsoft.com/en-us/security/bulletin/ms12-006), we have in Thunderbird 10 changed how the protocol works to make it more secure.

This in turn has broken compatibility with some servers.

I have just been looking at the Kerio Connect forums, and it appears there is already a fix for their server available - you need to update to 7.3.1 Patch 2. Please read these threads for more information:

http://forums.kerio.com/t/21177/-gt-gt-gt-important-jan-2012-microsoft-patch-kb2585542-breaks-kerio-outlook-connector-ssl/
http://forums.kerio.com/t/21194/kerio-connect-7-3-1-patch-2-released-/
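The mechanism behind comment 13, as an added example that is not part of this bug thread: the NSS option toggled by NSS_SSL_CBC_RANDOM_IV is the client-side BEAST mitigation for CBC cipher suites on TLS 1.0/SSL 3.0, which sends each application-data write as a 1-byte record followed by the remaining n-1 bytes. The model below (hypothetical functions, constructed BindRequest bytes) shows why a server that assumes one TLS record carries one whole LDAP message fails against that split, while a server that treats TLS as a byte stream and frames on the BER length header keeps working.

```python
from typing import List, Optional

# Constructed sample: LDAPMessage { messageID 1, BindRequest { version 3,
# name "", simple "" } } -- an anonymous LDAPv3 bind, 14 bytes of BER.
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

def split_records(app_data: bytes, cbc_random_iv: bool) -> List[bytes]:
    """TLS application-data records a CBC/TLS 1.0 client emits for one write.
    Mitigation on (NSS_SSL_CBC_RANDOM_IV=1, the Thunderbird 10 default): 1 + (n-1)."""
    if not cbc_random_iv or len(app_data) < 2:
        return [app_data]
    return [app_data[:1], app_data[1:]]

def ber_tlv_length(buf: bytes) -> Optional[int]:
    """Total length of the BER TLV starting at buf[0]; None if header incomplete."""
    if len(buf) < 2:
        return None
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def record_per_message_server(records: List[bytes]) -> Optional[List[bytes]]:
    """Broken assumption: every TLS record is exactly one LDAP PDU.
    Returns None where such a server would drop the connection."""
    msgs = []
    for rec in records:
        if ber_tlv_length(rec) != len(rec):   # the 1-byte record is never a PDU
            return None
        msgs.append(rec)
    return msgs

def stream_framing_server(records: List[bytes]) -> List[bytes]:
    """Correct: reassemble the byte stream and frame PDUs by BER length."""
    buf, msgs = b"", []
    for rec in records:
        buf += rec
        while (total := ber_tlv_length(buf)) is not None and len(buf) >= total:
            msgs.append(buf[:total])
            buf = buf[total:]
    return msgs
```

Setting NSS_SSL_CBC_RANDOM_IV=0, as in comment 11, makes the client behave like the `cbc_random_iv=False` case and masks the server-side framing bug at the cost of the mitigation.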
Comment 14 Stanislav 2012-02-03 11:16:37 PST
Yes, "NSS_SSL_CBC_RANDOM_IV=0" solved the problem for me.

Unfortunately, I cannot upgrade my Kerio mail server because the license has expired. :( So, I have no access to updates.

OK, will migrate my LDAP server to any opensource product. Thank you, gentlemen. I supposed the reason to be something security-related.
Comment 15 wisspur 2012-02-03 16:12:39 PST
(In reply to Mark Banner (:standard8) from comment #13)
> 
> I have just been looking at the Kerio Connect forums, and it appears there
> is already a fix for their server available - you need to update to 7.3.1
> Patch 2. Please read these threads for more information:
> 
> http://forums.kerio.com/t/21177/-gt-gt-gt-important-jan-2012-microsoft-patch-
> kb2585542-breaks-kerio-outlook-connector-ssl/
> http://forums.kerio.com/t/21194/kerio-connect-7-3-1-patch-2-released-/

FYI. The current version of my mail server is 7.3.1 Patch 2, and the LDAPS would not work on TB 10.0 without "NSS_SSL_CBC_RANDOM_IV=0" set.
Comment 16 wisspur 2012-02-03 16:17:01 PST
(In reply to wisspur from comment #15)
> (In reply to Mark Banner (:standard8) from comment #13)
> > 
> > I have just been looking at the Kerio Connect forums, and it appears there
> > is already a fix for their server available - you need to update to 7.3.1
> > Patch 2. Please read these threads for more information:
> > 
> > http://forums.kerio.com/t/21177/-gt-gt-gt-important-jan-2012-microsoft-patch-
> > kb2585542-breaks-kerio-outlook-connector-ssl/
> > http://forums.kerio.com/t/21194/kerio-connect-7-3-1-patch-2-released-/
> 
> FYI. The current version of my mail server is 7.3.1 Patch 2, and the LDAPS
> would not work on TB 10.0 without "NSS_SSL_CBC_RANDOM_IV=0" set.

Version 7.3.1 patch 2 - January 12, 2012
- Fixed compatibility of SSL connections from Microsoft Outlook after installing KB2585542 update.
Comment 17 wisspur 2012-02-05 14:44:59 PST
"LDAP connection broken starting with version 10 and Kerio Connect; fixed in Kerio Connect 7.3.1 patch 2" .... this title misinformed the progress of this bug. The TB 10.0 LDAPS wasn't fixed with Kerio Connect Patch 2. The problem with LDAPS remains on TB 10.0.
Comment 18 Mark Banner (:standard8) (afk until 26th July) 2012-02-05 18:39:16 PST
wisspur, the issue is still server side. It is Thunderbird that is forcing the protocol to be more secure, and the server isn't coping.

I've updated the title of the bug, and will send email to their support tomorrow, however you are also welcome to contact their support as well.
Comment 19 wisspur 2012-02-06 19:25:13 PST
The release notes are misinformed about Kerio Connect 7.3.1 Patch 2 again.

"Thunderbird 10 may stop working with some mail and LDAP servers that are incompatible with the workaround used to prevent CBC-related attacks on TLS 1.0 and SSL 3.0. Contact the server vendor for a fix. We have heard of issues with these servers:

    Kerio Connect - an update has already been provided, upgrade the server to version 7.3.1 patch 2. See Bug 723551 for more information and workarounds"

http://www.mozilla.org/en-US/thunderbird/10.0/releasenotes/

Please make clear to the users that upgrade to this patch 2 DID NOT fix the LDAPS issues in TB 10.0 and Kerio Connect.
Comment 20 Ludovic Hirlimann [:Usul] 2012-03-12 03:40:15 PDT
*** Bug 698787 has been marked as a duplicate of this bug. ***
