Closed Bug 723551 Opened 12 years ago Closed 7 years ago

LDAPS connection broken starting with version 10 and Kerio Connect. Server isn't coping.

Categories

(MailNews Core :: LDAP Integration, defect)

x86
Windows XP
defect
Not set
major

Tracking

(thunderbird10? affected)

RESOLVED INVALID

People

(Reporter: mayhemer, Unassigned)

References

Details

(Whiteboard: [server needs updating, see comment 13])

+++ This bug was initially created as a clone of Bug #708813 +++

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Build ID: 20111120135848

Steps to reproduce:

Starting with version 9, I can no longer establish the LDAP connection; it is, however, still working fine in version 8.


Actual results:

After I create a new Directory Server with the same configuration as in version 8, go to the Offline tab and click Download Now, it causes a lockup or indicates that the connection to the LDAP server has failed. I have to kill the task to get out of Thunderbird.

This has been going on since the first releases of versions 9, 10 and 11. They always behave in the same manner across the versions. The only version that is still working with LDAP is version 8.
(Hit enter too soon)

The proper description:

(In reply to wisspur from Bug #708813 comment #48)
> Sad to report that the LDAP in this ESR version failed. For now, it seems
> the TB 9.0.1 is the most stable version.
> 
> http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/10.0esr-
> candidates/build1/win32/en-US/

wisspur, it would be great if you would be able to find the revision that is first broken.  Please see http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-manual-binary-search/
Summary: LDAP connection broken (application deadlocks) starting with version 9 → LDAP connection broken starting with version 10
(In reply to Honza Bambas (:mayhemer) from comment #1)
> (Hit enter too soon)
> 
> The proper description:
> 
> (In reply to wisspur from Bug #708813 comment #48)
> > Sad to report that the LDAP in this ESR version failed. For now, it seems
> > the TB 9.0.1 is the most stable version.
> > 
> > http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/10.0esr-
> > candidates/build1/win32/en-US/
> 
> wisspur, it would be great if you would be able to find the revision that is
> first broken.  Please see
> http://www.rumblingedge.com/2009/02/24/howto-find-regression-windows-through-
> manual-binary-search/

(In reply to Mark Banner (:standard8) from comment #17)
> (In reply to wisspur from comment #16)
> > I hope you're not going to put the next final version, 10, in the release
> > channel. It is now at 10b2 and the ldap is still broken; I don't want it to
> > update by accident and mess up my good working version 9.0.1
> 
> So you reported this bug in comment 0 as broken against Thunderbird 9.0, but
> you are saying it works in 9.0.1? Or that it always worked in 9.0 as well?
> 
It started working in beta 4 and up to the final release. I believe I reported this incident began with the beta release of version 9.

The LDAP replication process failed starting with version 9 Beta 1-3
Carrying the comment over:

(In reply to Honza Bambas (:mayhemer) from comment #52)
> (In reply to wisspur from comment #48)
> > Sad to report that the LDAP in this ESR version failed. For now, it seems
> > the TB 9.0.1 is the most stable version.
> > 
> > http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/10.0esr-
> > candidates/build1/win32/en-US/
> 
> A debug build using the source code for the 10 esr build1 works for me well.
> No deadlocks, accessing a secure LDAP with OCSP'ed cert works as expected
> (success when the CA is trusted, failure when not trusted).
> 
One thing worth mentioning is that my mail server is using a self-signed certificate. Does it have anything to do with this LDAP replication failure? It still works well on TB 9.0.1
(In reply to Honza Bambas (:mayhemer) from comment #4)
> One thing is worth mentioning that my mail server is using self-signed
> certificate. Does it have anything to do with this LDAP replication failure?
> It still works well on TB 9.0.1

This is interesting and very important to mention.

Have you added an exception for the certificate?

Or, have you ever added the certificate to your Authorities in Thunderbird?  (Tools/Options/Advanced/Certificates/View Certificates/Authorities).
(In reply to Honza Bambas (:mayhemer) from comment #5)
> (In reply to Honza Bambas (:mayhemer) from comment #4)
> > One thing is worth mentioning that my mail server is using self-signed
> > certificate. Does it have anything to do with this LDAP replication failure?
> > It still works well on TB 9.0.1
> 
> This is interesting and very important to mention.
> 
> Have you added an exception for the certificate?
> 
> Or, have you ever added the certificate to your Authorities in Thunderbird? 
> (Tools/Options/Advanced/Certificates/View Certificates/Authorities).

It was in the Servers section all this time. There was no "Add Exception" in the Authorities section to add my certificate.
(In reply to wisspur from comment #6)
> (In reply to Honza Bambas (:mayhemer) from comment #5)
> > (In reply to Honza Bambas (:mayhemer) from comment #4)
> > > One thing is worth mentioning that my mail server is using self-signed
> > > certificate. Does it have anything to do with this LDAP replication failure?
> > > It still works well on TB 9.0.1
> > 
> > This is interesting and very important to mention.
> > 
> > Have you added an exception for the certificate?
> > 
> > Or, have you ever added the certificate to your Authorities in Thunderbird? 
> > (Tools/Options/Advanced/Certificates/View Certificates/Authorities).
> 
> It was in the Servers section all this time. There was no "Add Exception" in
> the Authorities section to add my certificate.

FYI. I just tried to use the "Import" function to install the certificate into the Authorities section, and the response I get is "This certificate is already installed as a certificate authority".
Hello, all.

I have the same bug in Thunderbird 10, but concerning only secure LDAP (LDAPS) connections. Plain LDAP works fine for me with both Thunderbird 9 and 10. Also, Thunderbird 9 has no problems with LDAPS either.

My OS is Windows XP, my server is Kerio Connect 7.1.2.

I am ready to provide a test account on my server to developers on private request, for the purpose of fixing this bug faster.
(In reply to Stanislav from comment #8)
> I am ready provide a test account on my server for developers on private
> demand for the purpose of faster fixing this bug.

Thanks!  That would be a great benefit.  Please send the credentials to my bugmail directly.  Thank you.
Done.

By the way, I'll try to check in which nightly build LDAP became broken. But I'm not sure that I'll have success.
Please run Thunderbird with NSS_SSL_CBC_RANDOM_IV=0 set in the environment. On Windows:

1. Start a command prompt
2. type set NSS_SSL_CBC_RANDOM_IV=0
3. "C:\Program Files (x86)\Thunderbird\thunderbird.exe" (or, whatever your path to Thunderbird is)

And report back whether the problem still occurs.
Just occurred to me as well.  NSS_SSL_CBC_RANDOM_IV=0 resolves the issue here, I just cannot add an exception for the certificate to go on and check LDAP fully works - the exception dialog doesn't appear.
(In reply to Honza Bambas (:mayhemer) from comment #12)
> Just occurred to me as well.  NSS_SSL_CBC_RANDOM_IV=0 resolves the issue
> here, I just cannot add an exception for the certificate to go on and check
> LDAP fully works - the exception dialog doesn't appear.
...
(In reply to Stanislav from comment #8)
> My OS is Windows XP, my server is Kerio Connect 7.1.2.

Given these two comments, this helps greatly.

The issue is that due to a vulnerability in the SSL/TLS protocols (see here for more details: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389, http://technet.microsoft.com/en-us/security/bulletin/ms12-006), we have in Thunderbird 10 changed how the protocol works to make it more secure.

This in turn has broken compatibility with some servers.

I have just been looking at the Kerio Connect forums, and it appears there is already a fix for their server available - you need to update to 7.3.1 Patch 2. Please read these threads for more information:

http://forums.kerio.com/t/21177/-gt-gt-gt-important-jan-2012-microsoft-patch-kb2585542-breaks-kerio-outlook-connector-ssl/
http://forums.kerio.com/t/21194/kerio-connect-7-3-1-patch-2-released-/
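To make the protocol change behind comments 11 and 13 concrete: the NSS countermeasure for CVE-2011-3389 that Thunderbird 10 turned on is 1/n-1 CBC record splitting, and NSS_SSL_CBC_RANDOM_IV=0 switches it back off. The simulation below is an added example, not code from Thunderbird, NSS or Kerio Connect. Its stand-ins are assumptions: a keyed SHA-256 truncated to 16 bytes replaces the real block cipher (it is only ever used in the forward direction), HMAC-SHA1 is the record MAC, and the secret and the surrounding traffic are constructed for the demo. It runs the same BEAST-style guess probe against a chained-IV sender and against a splitting sender, so you can see why the old behaviour leaks and why the new one does not.

```python
"""Toy model of the TLS 1.0 CBC weakness behind CVE-2011-3389 (BEAST) and of
the 1/n-1 record-splitting countermeasure. Added example, not code from
Thunderbird, NSS or Kerio Connect. Stand-ins (assumptions): keyed SHA-256
truncated to 16 bytes replaces the block cipher (only ever used forward),
HMAC-SHA1 is the record MAC, and the secret and traffic are constructed."""
import hashlib
import hmac
import os

BLOCK = 16


def xor(*parts: bytes) -> bytes:
    out = bytearray(parts[0])
    for p in parts[1:]:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


class Tls10CbcSender:
    """Sending side of a TLS 1.0-style CBC record layer: MAC, pad, CBC-encrypt.
    The flaw: the last ciphertext block of one record is the IV of the next,
    so the attacker knows every IV before the plaintext it will cover is chosen.
    split_records=True models the countermeasure (the Thunderbird 10 default);
    False models running with NSS_SSL_CBC_RANDOM_IV=0."""

    def __init__(self, split_records: bool):
        self.enc_key = os.urandom(16)
        self.mac_key = os.urandom(20)
        self.iv = os.urandom(BLOCK)        # the first IV comes from the handshake
        self.split_records = split_records

    def _E(self, block: bytes) -> bytes:  # toy block cipher (see module docstring)
        return hashlib.sha256(self.enc_key + block).digest()[:BLOCK]

    def _encrypt_record(self, data: bytes) -> bytes:
        mac = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad_len = BLOCK - (len(data) + len(mac)) % BLOCK
        plain = data + mac + bytes([pad_len - 1]) * pad_len
        out, prev = b"", self.iv
        for i in range(0, len(plain), BLOCK):
            prev = self._E(xor(prev, plain[i:i + BLOCK]))
            out += prev
        self.iv = prev                     # chained IV, visible on the wire
        return out

    def send(self, data: bytes) -> list:
        """Write one application message; returns the records put on the wire.
        With splitting, a 1-byte record goes first: its ciphertext (which the
        attacker cannot compute without the keys) becomes the IV of the rest."""
        if self.split_records and len(data) > 1:
            return [self._encrypt_record(data[:1]), self._encrypt_record(data[1:])]
        return [self._encrypt_record(data)]


def beast_guess(sender, secret_ct, iv_under_secret, guess):
    """One BEAST probe. The attacker saw secret_ct = E(iv_under_secret XOR secret)
    on the wire, can inject chosen plaintext at the start of the next record,
    and knows the IV that record will use (the last block on the wire). The
    crafted block makes a chained-IV sender compute E(iv_under_secret XOR guess);
    a match with secret_ct confirms the guess."""
    next_iv = sender.iv
    crafted = xor(guess, iv_under_secret, next_iv)
    wire = sender.send(crafted)
    blocks = [rec[i:i + BLOCK] for rec in wire for i in range(0, len(rec), BLOCK)]
    return secret_ct in blocks


def run_scenario(split_records: bool) -> dict:
    sender = Tls10CbcSender(split_records)
    secret = b"SESSIONID=7f3a9c"           # constructed 16-byte secret block
    sender.send(b"GET / HTTP/1.0\r\n")     # earlier traffic the attacker observed
    # Keep the secret block-aligned at the start of the last record on the wire
    # (with splitting, the first byte of the message goes into its own record).
    prefix = b"x" if split_records else b""
    iv_before = sender.iv
    records = sender.send(prefix + secret)
    iv_under_secret = records[-2][-BLOCK:] if len(records) > 1 else iv_before
    secret_ct = records[-1][:BLOCK]
    return {
        "wrong_guess_confirmed": beast_guess(sender, secret_ct, iv_under_secret, b"SESSIONID=000000"),
        "right_guess_confirmed": beast_guess(sender, secret_ct, iv_under_secret, secret),
    }


if __name__ == "__main__":
    print("chained IVs (NSS_SSL_CBC_RANDOM_IV=0):", run_scenario(False))
    print("1/n-1 splitting (TB 10 default):     ", run_scenario(True))
```

With chained IVs the probe confirms the right guess and rejects the wrong one, which is the oracle BEAST builds on; with 1/n-1 splitting the attacker's plaintext is encrypted under an IV that did not exist when the plaintext was chosen, so the probe confirms nothing. The simulation hands the attacker the chosen-plaintext injection for free; the real attack has to obtain it from something running alongside the victim's session. Note also that a receiver treating TLS records as an opaque byte stream sees no difference from the split, which is why this is only an interoperability problem for implementations that make assumptions about record boundaries; this bug does not say which assumption Kerio Connect made.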
Yes, "NSS_SSL_CBC_RANDOM_IV=0" solved the problem for me.

Unfortunately, I can not upgrade my Kerio mail server because the license has expired. :( So, I have no access to updates.

OK, will migrate my LDAP server to any opensource product. Thank you, gentlemen. I supposed the reason to be something security-related.
Depends on: 702111
Summary: LDAP connection broken starting with version 10 → LDAP connection broken starting with version 10 and Kerio Connect
Whiteboard: [server needs updating, see comment 13]
Summary: LDAP connection broken starting with version 10 and Kerio Connect → LDAP connection broken starting with version 10 and Kerio Connect; fixed in Kerio Connect 7.3.1 patch 2
(In reply to Mark Banner (:standard8) from comment #13)
> 
> I have just been looking at the Kerio Connect forums, and it appears there
> is already a fix for their server available - you need to update to 7.3.1
> Patch 2. Please read these threads for more information:
> 
> http://forums.kerio.com/t/21177/-gt-gt-gt-important-jan-2012-microsoft-patch-
> kb2585542-breaks-kerio-outlook-connector-ssl/
> http://forums.kerio.com/t/21194/kerio-connect-7-3-1-patch-2-released-/

FYI. The current version of my mail server is 7.3.1 Patch 2, and the LDAPS would not work on TB 10.0 without "NSS_SSL_CBC_RANDOM_IV=0" set.
(In reply to wisspur from comment #15)
> (In reply to Mark Banner (:standard8) from comment #13)
> > 
> > I have just been looking at the Kerio Connect forums, and it appears there
> > is already a fix for their server available - you need to update to 7.3.1
> > Patch 2. Please read these threads for more information:
> > 
> > http://forums.kerio.com/t/21177/-gt-gt-gt-important-jan-2012-microsoft-patch-
> > kb2585542-breaks-kerio-outlook-connector-ssl/
> > http://forums.kerio.com/t/21194/kerio-connect-7-3-1-patch-2-released-/
> 
> FYI. The current version of my mail server is 7.3.1 Patch 2, and the LDAPS
> would not work on TB 10.0 without "NSS_SSL_CBC_RANDOM_IV=0" set.

Version 7.3.1 patch 2 - January 12, 2012
- Fixed compatibility of SSL connections from Microsoft Outlook after installing KB2585542 update.
LDAP connection broken starting with version 10 and Kerio Connect; fixed in Kerio Connect 7.3.1 patch 2 .... this title misinformed the progress of this bug. The TB 10.0 LDAPS wasn't fixed with Kerio Connect Patch 2. The problem with LDAPS remains on TB 10.0
wisspur, the issue is still server side. It is Thunderbird that is forcing the protocol to be more secure, and the server isn't coping.

I've updated the title of the bug, and will send email to their support tomorrow, however you are also welcome to contact their support as well.
Summary: LDAP connection broken starting with version 10 and Kerio Connect; fixed in Kerio Connect 7.3.1 patch 2 → LDAP connection broken starting with version 10 and Kerio Connect
The release notes misinform readers about the Kerio Connect 7.3.1 Patch 2 again.

"Thunderbird 10 may stop working with some mail and LDAP servers that are incompatible with the workaround used to prevent CBC-related attacks on TLS 1.0 and SSL 3.0. Contact the server vendor for a fix. We have heard of issues with these servers:

    Kerio Connect - an update has already been provided, upgrade the server to version 7.3.1 patch 2. See Bug 723551 for more information and workarounds"

http://www.mozilla.org/en-US/thunderbird/10.0/releasenotes/

Please make clear to the users that upgrade to this patch 2 DID NOT fix the LDAPS issues in TB 10.0 and Kerio Connect.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Summary: LDAP connection broken starting with version 10 and Kerio Connect → LDAPS connection broken starting with version 10 and Kerio Connect. Server isn't coping.