975380 - Hang while adding recipients (ldap lookup) to composed message

Status: RESOLVED INCOMPLETE

(MailNews Core :: LDAP Integration, defect)

Description

[Maketsi]

Attachment: thunderbird-hang.txt

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140212131424

Steps to reproduce:

Using latest Thunderbird v27.0b1 (beta), Win7 64bit. Also tried with the latest release version.

Thunderbird ramdomly hangs when adding new recipients into "To" field. The hang is probably related to LDAP lookups, as it happens after entering some characters that should initiate a LDAP lookup, and that would normally produce a list of names to choose from.

The problem started a couple of months ago, around at the same time when our corporation added some new nodes to its LDAP cluster, having wrong CN names in their certificates. Console ramdomly shows "The certificate is only valid for X. Error code: ssl_error_bad_cert_domain.", depending which server was actually reached.
If the issues are related, then Thunderbird GUI can be hanged by starting a MITM attack.

Stack trace attached. I don't have enough knowledge about innerworkings of TB to analyse it.



Actual results:

Thunderbird hangs (stops responding) and must be forcibly closed via task manager.



Expected results:

LDAP lookup should be performed for the halfly written name, that should then produce a list of addresses to choose from.

Comment 1

[Maketsi]

It seems that the SSL error mentioned above is another Thunderbird's bug, and happens when the LDAP server returns reference keys to other servers. For some reason, TB expects that those referred servers should have the same certificate, even though on many cases they just can't. Server A might respond that I know this base exists, but you should ask from server B, which might be on a totally separate company.

On the example above, that X referred in the error message "certificate is only valid for X" is one of nodes for the referred cluster B. I confirmed with wireshark that TB connects to all the referred addresses, saying in Client Hello that it expects them to be the same server that I configured as my primary ldap server. Well, they aren't. They are not even on the same country, and the referred fqdn is not the same either.

I don't know yet if the hang issue is related to this, but I probably changed my base search path around at the same time when this hang issue started.

I probably should file another bug report about the SSL problem, but I'll keep it just here for now.

Comment 2

[Wayne Mery (:wsmwk)]

Yeah, I don't think we need an additional bug report.

Is your problem in this list https://bugzilla.mozilla.org/buglist.cgi?j_top=OR&f1=short_desc&list_id=10631383&short_desc=ssl%20cert&o1=substring&resolution=---&o2=substring&query_format=advanced&f2=component&short_desc_type=anywordssubstr&v1=ldap&v2=ldap&product=Directory&product=MailNews%20Core&product=Thunderbird  ??

Comment 3

[Maketsi]

No, it doesn't seem to be. Does not seem to be related, nor the effects are the same.

Comment 4

[Wayne Mery (:wsmwk)]

have another look. there's a newer bug now

Comment 5

[Maketsi]

The SSL cert problem in this issue is still valid in Thunderbird 31: still get the error in log and no any kind of visible indication of invalid cert. This seems to be (partly) duplicate of #586585, while this bug just covers several different bugs.

On my case this error was/is caused by ldap xref to a server on a different domain. As the xref is on our ldap root, I managed to workaround this bug a year ago by extending my search basedn to avoid searching the root. After that hangs stopped too, and I haven't poked with it since.

Comment 6

[Wayne Mery (:wsmwk)]

Jan 2019 reporter writes "I don't think I have experienced the hangs (often at least) after my latest comment and the related workaround on the matter. I have not tested whether the bug still exists without the workaround, and can't anymore either."