Regression: v16 introduced problem with SSL connections to imaps

RESOLVED INVALID

6 years ago

People

(Reporter: bugzillamozilla, Unassigned)

Tracking

16 Branch
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121010144125

Steps to reproduce:

I run my own CA. I've issued a certificate for my IMAP server and imported the CA certificate into Thunderbird. It worked as expected from Thunderbird 2.0 to 15.0.

Since version 16.0 I'm getting "Unknown Identity" on location imap.mydomain.com:993. When I open View in Certificate Status I get "Could not verify this certificate for unknown reasons." In the Details tab the Certificate Hierarchy is OK: my CA certificate on top and under it the wildcard (*.mydomain.com) certificate of my imaps.

I use Courier 4.10.0 on this server. This may be important, because my other mail server (which runs dovecot) works fine with Thunderbird 16. A connection from Thunderbird 16 leaves a trace in Courier's log:

imapd-ssl: couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

Test with openssl shows that certificate chain is ok:

openssl s_client -showcerts -host imap.mydomain.com -port 993 -CAfile /etc/ssl/myca.crt
CONNECTED(00000003)
depth=1 /details not important
verify return:1
depth=0 /CN=*.mydomain.com
verify return:1

I've downloaded Earlybird, the problem still exists. The mail client built into the Opera browser works fine with this server, just like older Thunderbird versions.

I can provide more info or access to this mail server upon request.

Comment 1

sounds close to 800876 :(
(Reporter)

Comment 2

6 years ago
(In reply to Ludovic Hirlimann [:Usul] from comment #1)
> sounds close to 800876 :(

You're right, seems like the same issue.

BTW: I'm having this problem on TB 16.0 and 16.0.1 on Windows XP 32bit, Windows 7 32bit and Windows 7 64bit.

Comment 3

Please attach your certificates to this bug. Also, please email me (bsmith@mozilla.com) with the host:port of your mail server. I don't need any account details because the SSL handshake happens before the user authentication.

Comment 4

6 years ago
Lukasz, you should replace the cert with serial 0x4 (valid from 2008-06-27 through 2018-06-25, SHA-1 fingerprint 49:37:27:34:FE:96:7E:D7:8E:B9:F1:AA:0E:8B:23:AA:AA:4B:AC:83) by the one with serial 0x9 (valid from 2009-02-06 through 2019-02-04, SHA-1 fingerprint BA:9D:B1:3D:8B:3B:95:FE:F1:5C:5B:2A:FF:EA:EE:FB:61:1C:99:14). This will solve your issue. Alternatively, set the security.enable_md5_signatures pref to true (see bug 650355).
(Reporter)

Comment 5

6 years ago
(In reply to Kaspar Brand from comment #4)
> Lukasz, you should replace the cert with serial 0x4 (valid from 2008-06-27
> through 2018-06-25, SHA-1 fingerprint
> 49:37:27:34:FE:96:7E:D7:8E:B9:F1:AA:0E:8B:23:AA:AA:4B:AC:83) by the one with
> serial 0x9 (valid from 2009-02-06 through 2019-02-04, SHA-1 fingerprint
> BA:9D:B1:3D:8B:3B:95:FE:F1:5C:5B:2A:FF:EA:EE:FB:61:1C:99:14). This will
> solve your issue. Alternatively, set the security.enable_md5_signatures pref
> to true (see bug 650355).

You're absolutely right, that was my mistake. Some time ago I issued a new certificate (to change the message digest from md5 to sha1) and forgot to:

a) revoke the old one
b) change the PEM file that Courier uses

So, as you've stated, I've indeed hit bug 650355. Thank you very much and sorry for the noise :)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
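
The root cause in this thread was a server still presenting a certificate signed with MD5. The following is an added example, not part of the original bug report or of any Mozilla or Courier code: a standard-library Python check that reads the signature algorithm out of a DER certificate, so the certificate a server actually presents can be classified. The function names and the SAMPLE_MD5 bytes (a constructed DER skeleton, not a real certificate) are assumptions made for illustration.

```python
import ssl
# Signature-algorithm OIDs (RFC 3279 / RFC 4055) relevant to this bug.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Constructed DER skeleton (not a real certificate): serial 4, MD5 signature OID.
SAMPLE_MD5 = bytes.fromhex("30173003020104300d06092a864886f70d0101040500030100")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subids, value = [], 0
    for byte in body:                      # base-128, high bit = "more bytes follow"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)        # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm(der):
    """Name (or dotted OID) of the algorithm the issuer used to sign the cert."""
    tag, start, _ = read_tlv(der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(der, start)           # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def served_signature_algorithm(host, port=993):
    """Fetch the leaf certificate the server presents and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))
```

Running served_signature_algorithm against your own IMAPS host after replacing the PEM file confirms that the daemon is serving the reissued certificate rather than the old one.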