1441601 – thunderbird: No longer accepts TLS server certificate

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1441601 - thunderbird: No longer accepts TLS server certificate

Summary: thunderbird: No longer accepts TLS server certificate

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	thunderbird
Sub Component:
Version:	25
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Gecko Maintainer
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-12 10:20 UTC by Florian Weimer
Modified:	2017-04-27 05:51 UTC (History)
CC List:	6 users (show)
Fixed In Version:	thunderbird-52.0-2.fc26 thunderbird-52.0-2.fc25
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-04-20 12:02:05 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1400293	0	unspecified	CLOSED	Firefox does not accept remote server's certificate if self-signed root cert installed via update-ca-trust	2022-05-16 11:32:56 UTC

Internal Links: 1400293

Description Florian Weimer 2017-04-12 10:20:06 UTC

Description of problem:

Thunderbird no longer accepts a certificate from an IMAP server.

Version-Release number of selected component (if applicable):

thunderbird-52.0-1.fc25.x86_64
nss-3.29.3-1.1.fc25.x86_64
crypto-policies-20160921-4.gitf3018dd.fc25.noarch

How reproducible:

Always.


Steps to Reproduce:
1. Start Thunderbird, which is configured to connect to a certain IMAP server.  The server presents a SHA-1 certificate and uses DH (not ECDH) for forward security.

Actual results:

Certificate confirmation dialog appears.

Expected results:

Connection is successful.

Additional info:

The server uses a certificate from the system certification store.  I do not know if this is the cause for the certification validation failure, or the SHA-1 signature.  The dialog does not say.

Comment 3 Kai Engert (:kaie) (inactive account) 2017-04-12 12:32:31 UTC

What's the ca-certificates package version you have installed?

Comment 5 Florian Weimer 2017-04-12 12:36:10 UTC

(In reply to Kai Engert (:kaie) from comment #3)
> What's the ca-certificates package version you have installed?

ca-certificates-2017.2.11-1.0.fc25.noarch

Comment 8 Kai Engert (:kaie) (inactive account) 2017-04-12 12:39:55 UTC

Florian, I assume you were previously using Thunderbird 45?

Mozilla 52 introduces new constraints for public CAs.

We need patches for p11-kit + nss + ca-certificates + thunderbird to allow thunderbird to correctly distinguish private CAs from public CAs, to make it possible that the stricter requirements aren't enforced for private CAs, like in your situation.

Comment 9 Kai Engert (:kaie) (inactive account) 2017-04-12 12:41:47 UTC

So far, we had intended to deliver the fix to Fedora stable with the upcoming Firefox 54.

I had not considered Thunderbird. Because Thunderbird will probably remain at the version 52.x, Thunderbird requires the backported patch that we already have added to Firefox in Fedora 26.

Note that we're still working on required base dependencies, they aren't stable yet. I'll doublecheck how close we are already.

Comment 10 Florian Weimer 2017-04-12 12:44:49 UTC

(In reply to Kai Engert (:kaie) from comment #8)
> Florian, I assume you were previously using Thunderbird 45?

Yes, I upgraded from Thunderbird 45:

Apr 12 12:10:12 DEBUG ---> Package thunderbird.x86_64 45.8.0-1.fc25 will be upgraded
Apr 12 12:10:12 DEBUG ---> Package thunderbird.x86_64 52.0-1.fc25 will be an upgrade

> Mozilla 52 introduces new constraints for public CAs.
> 
> We need patches for p11-kit + nss + ca-certificates + thunderbird to allow
> thunderbird to correctly distinguish private CAs from public CAs, to make it
> possible that the stricter requirements aren't enforced for private CAs,
> like in your situation.

Thanks for the explanation.

Note that the upstream approach is quite bizarre because it turns impossible-to-attack SHA-1 certificates into trivial MITM opportunities.

Comment 11 Kai Engert (:kaie) (inactive account) 2017-04-12 12:49:42 UTC

Daiki has already backported the fix required for NSS,
stable in F25 (F25 still testing):
https://bodhi.fedoraproject.org/updates/FEDORA-2017-83de9e1c7c

Daiki has already backported the fix required for p11-kit,
stable in F25 (F25 still testing):
https://bodhi.fedoraproject.org/updates/FEDORA-2017-0dc6f0c054

I have already prepared the fixes for ca-certificates,
still in testing:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-a11057f70e

Thunderbird could add the backported patch from firefox 26, filename:
  rhbz-1400293-fix-mozilla-1324096.patch

Thunderbird requires version dependencies on the above packages builds.
(please include the "build" number in the requirement, because for nss/p11-kit, there were earlier "versions" that didn't include the required fixes.)

Comment 12 Kai Engert (:kaie) (inactive account) 2017-04-12 12:51:59 UTC

(In my previous comment, for nss and p11-kit, I intended to say that the *F24* packages are still in testing.)

Regarding ca-certificates, it seems we have gotten sufficient test feedback. I'm fine to push them to stable soon.


Thunderbird team: You could go ahead, pick up the patch I mentioned, and build for all Fedora branches. But please disable auto-stable. Please wait until after all base packages have been pushed to stable, prior to pushing thunderbird to stable.

Comment 13 Fedora Update System 2017-04-13 10:53:55 UTC

thunderbird-52.0-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4efaae68fe

Comment 14 Fedora Update System 2017-04-13 10:54:04 UTC

thunderbird-52.0-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-525d9c8af2

Comment 15 Fedora Update System 2017-04-13 15:20:32 UTC

thunderbird-52.0-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4efaae68fe

Comment 16 Fedora Update System 2017-04-13 17:22:31 UTC

thunderbird-52.0-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-525d9c8af2

Comment 17 Fedora Update System 2017-04-20 12:02:05 UTC

thunderbird-52.0-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-04-27 05:51:09 UTC

thunderbird-52.0-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.