Bug 2229981

Summary: TLS broken for POP3 and SMTP connections [7.9.z]
Product: Red Hat Enterprise Linux 7
Component: thunderbird
Version: 7.9
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Target Milestone: rc
Keywords: Triaged, ZStream
Reporter: Phil Perry <phil>
Assignee: Jan Horak <jhorak>
QA Contact: Vladimir Benes <vbenes>
CC: abobrov, amike, erack, jwboyer, om, pasik, toracat, vbenes
Type: Bug
Last Closed: 2023-08-09 20:31:38 UTC

Description Phil Perry 2023-08-08 11:22:31 UTC
Description of problem:
TLS is broken on the latest thunderbird release

Version-Release number of selected component (if applicable):
thunderbird-102.14.0-1.el7_9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure thunderbird to use TLS for POP3 or SMTP connections
2. Update thunderbird to 102.14.0-1.el7_9.x86_64
3. Launch thunderbird and attempt a TLS connection

Actual results:
TLS connection fails with the following entry in maillog:

Aug  7 19:06:15 mail_server dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.0.1, lip=192.168.0.1, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<ddk1GlkCBqjAqAAB>

Expected results:
TLS connections work as expected

Additional info:
Downgrading to thunderbird-102.13.0-2.el7_9.x86_64 fixes the issue
Disabling SSL/TLS security and sending authentication in plain text (highly undesirable) also works
TLS cert is self signed and imported into thunderbird, with expiry date 2028
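
Decoding the maillog entry quoted in the description, as an added example that is not part of the original report: it extracts the OpenSSL error code and TLS alert number from dovecot login lines and shows that alert 42 was received from the peer, meaning the mail client rejected the server certificate. It assumes the OpenSSL 1.0.x/1.1.x packed error layout (8 bits library, 12 bits function, 12 bits reason); every sample line except the first is constructed.

```python
import re
from collections import Counter

# TLS alert numbers that concern the peer's certificate (RFC 5246, section 7.2).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+)-login: .*?rip=(?P<rip>[^,]+),.*?"
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"[^,]*?SSL alert number (?P<alert>\d+)")

# First line is the entry quoted in the report; the other two are constructed.
SAMPLE = [
    "Aug  7 19:06:15 mail_server dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.0.1, lip=192.168.0.1, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<ddk1GlkCBqjAqAAB>",
    "Aug  7 19:07:02 mail_server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<constructedAAAA>",
    "Aug  7 19:08:40 mail_server dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, mpid=4242, TLS, session=<constructedBBBB>",
]

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.x error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line):
    """Return details of a failed TLS handshake, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    _lib, _func, reason = decode_openssl_error(m["code"])
    alert = int(m["alert"])
    return {
        "service": m["service"], "rip": m["rip"], "alert": alert,
        "alert_name": ALERTS.get(alert, "other"),
        # OpenSSL reports an alert received from the peer as reason
        # 1000 + alert number, so a match means the client sent the alert.
        "sent_by_client": reason == 1000 + alert,
    }

def summarize(lines):
    """Count client-sent alerts per (service, remote IP, alert name)."""
    events = (parse_line(line) for line in lines)
    return Counter((e["service"], e["rip"], e["alert_name"])
                   for e in events if e and e["sent_by_client"])

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```
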

Comment 3 Phil Perry 2023-08-08 11:24:48 UTC
Same issue for latest thunderbird release on RHEL9: https://bugzilla.redhat.com/show_bug.cgi?id=2229906

Comment 4 Phil Perry 2023-08-08 11:28:28 UTC
Severity -> high as workaround is to disable encryption and send credentials in plain text, or downgrade to vulnerable version

Comment 5 Otto J. Makela 2023-08-08 11:53:11 UTC
The same issue exists with thunderbird-102.14.0-1.el8_8.x86_64 under RHEL8, also.

Comment 11 Vladimir Benes 2023-08-09 17:58:57 UTC
I can log in and download emails from my email.cz mailbox via IMAP using thunderbird-102.14.0-3.el7_9. This was not possible with 102.14.0-1.el7_9. Considering this verified.

Comment 15 errata-xmlrpc 2023-08-09 20:31:38 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (thunderbird bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:4599