Bug 1441601
| Summary: | thunderbird: No longer accepts TLS server certificate | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
| Component: | thunderbird | Assignee: | Gecko Maintainer <gecko-bugs-nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 25 | CC: | eblake, gecko-bugs-nobody, jhorak, kengert, mschmidt, pjasicek |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | thunderbird-52.0-2.fc26 thunderbird-52.0-2.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-04-20 12:02:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Florian Weimer
2017-04-12 10:20:06 UTC
What's the ca-certificates package version you have installed? (In reply to Kai Engert (:kaie) from comment #3) > What's the ca-certificates package version you have installed? ca-certificates-2017.2.11-1.0.fc25.noarch Florian, I assume you were previously using Thunderbird 45? Mozilla 52 introduces new constraints for public CAs. We need patches for p11-kit + nss + ca-certificates + thunderbird to allow thunderbird to correctly distinguish private CAs from public CAs, to make it possible that the stricter requirements aren't enforced for private CAs, like in your situation. So far, we had intended to deliver the fix to Fedora stable with the upcoming Firefox 54. I had not considered Thunderbird. Because Thunderbird will probably remain at the version 52.x, Thunderbird requires the backported patch that we already have added to Firefox in Fedora 26. Note that we're still working on required base dependencies, they aren't stable yet. I'll doublecheck how close we are already. (In reply to Kai Engert (:kaie) from comment #8) > Florian, I assume you were previously using Thunderbird 45? Yes, I upgraded from Thunderbird 45: Apr 12 12:10:12 DEBUG ---> Package thunderbird.x86_64 45.8.0-1.fc25 will be upgraded Apr 12 12:10:12 DEBUG ---> Package thunderbird.x86_64 52.0-1.fc25 will be an upgrade > Mozilla 52 introduces new constraints for public CAs. > > We need patches for p11-kit + nss + ca-certificates + thunderbird to allow > thunderbird to correctly distinguish private CAs from public CAs, to make it > possible that the stricter requirements aren't enforced for private CAs, > like in your situation. Thanks for the explanation. Note that the upstream approach is quite bizarre because it turns impossible-to-attack SHA-1 certificates into trivial MITM opportunities. Daiki has already backported the fix required for NSS, stable in F25 (F25 still testing): https://bodhi.fedoraproject.org/updates/FEDORA-2017-83de9e1c7c Daiki has already backported the fix required for p11-kit, stable in F25 (F25 still testing): https://bodhi.fedoraproject.org/updates/FEDORA-2017-0dc6f0c054 I have already prepared the fixes for ca-certificates, still in testing: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a11057f70e Thunderbird could add the backported patch from firefox 26, filename: rhbz-1400293-fix-mozilla-1324096.patch Thunderbird requires version dependencies on the above packages builds. (please include the "build" number in the requirement, because for nss/p11-kit, there were earlier "versions" that didn't include the required fixes.) (In my previous comment, for nss and p11-kit, I intended to say that the *F24* packages are still in testing.) Regarding ca-certificates, it seems we have gotten sufficient test feedback. I'm fine to push them to stable soon. Thunderbird team: You could go ahead, pick up the patch I mentioned, and build for all Fedora branches. But please disable auto-stable. Please wait until after all base packages have been pushed to stable, prior to pushing thunderbird to stable. thunderbird-52.0-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4efaae68fe thunderbird-52.0-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-525d9c8af2 thunderbird-52.0-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4efaae68fe thunderbird-52.0-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-525d9c8af2 thunderbird-52.0-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. thunderbird-52.0-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. |