Bug 1441601 - thunderbird: No longer accepts TLS server certificate
thunderbird: No longer accepts TLS server certificate
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: thunderbird (Show other bugs)
25
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Gecko Maintainer
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-12 06:20 EDT by Florian Weimer
Modified: 2017-04-20 08:02 EDT (History)
6 users (show)

See Also:
Fixed In Version: thunderbird-52.0-2.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-20 08:02:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Florian Weimer 2017-04-12 06:20:06 EDT
Description of problem:

Thunderbird no longer accepts a certificate from an IMAP server.

Version-Release number of selected component (if applicable):

thunderbird-52.0-1.fc25.x86_64
nss-3.29.3-1.1.fc25.x86_64
crypto-policies-20160921-4.gitf3018dd.fc25.noarch

How reproducible:

Always.


Steps to Reproduce:
1. Start Thunderbird, which is configured to connect to a certain IMAP server.  The server presents a SHA-1 certificate and uses DH (not ECDH) for forward security.

Actual results:

Certificate confirmation dialog appears.

Expected results:

Connection is successful.

Additional info:

The server uses a certificate from the system certification store.  I do not know if this is the cause for the certification validation failure, or the SHA-1 signature.  The dialog does not say.
Comment 3 Kai Engert (:kaie) 2017-04-12 08:32:31 EDT
What's the ca-certificates package version you have installed?
Comment 5 Florian Weimer 2017-04-12 08:36:10 EDT
(In reply to Kai Engert (:kaie) from comment #3)
> What's the ca-certificates package version you have installed?

ca-certificates-2017.2.11-1.0.fc25.noarch
Comment 8 Kai Engert (:kaie) 2017-04-12 08:39:55 EDT
Florian, I assume you were previously using Thunderbird 45?

Mozilla 52 introduces new constraints for public CAs.

We need patches for p11-kit + nss + ca-certificates + thunderbird to allow thunderbird to correctly distinguish private CAs from public CAs, to make it possible that the stricter requirements aren't enforced for private CAs, like in your situation.
Comment 9 Kai Engert (:kaie) 2017-04-12 08:41:47 EDT
So far, we had intended to deliver the fix to Fedora stable with the upcoming Firefox 54.

I had not considered Thunderbird. Because Thunderbird will probably remain at the version 52.x, Thunderbird requires the backported patch that we already have added to Firefox in Fedora 26.

Note that we're still working on required base dependencies, they aren't stable yet. I'll doublecheck how close we are already.
Comment 10 Florian Weimer 2017-04-12 08:44:49 EDT
(In reply to Kai Engert (:kaie) from comment #8)
> Florian, I assume you were previously using Thunderbird 45?

Yes, I upgraded from Thunderbird 45:

Apr 12 12:10:12 DEBUG ---> Package thunderbird.x86_64 45.8.0-1.fc25 will be upgraded
Apr 12 12:10:12 DEBUG ---> Package thunderbird.x86_64 52.0-1.fc25 will be an upgrade

> Mozilla 52 introduces new constraints for public CAs.
> 
> We need patches for p11-kit + nss + ca-certificates + thunderbird to allow
> thunderbird to correctly distinguish private CAs from public CAs, to make it
> possible that the stricter requirements aren't enforced for private CAs,
> like in your situation.

Thanks for the explanation.

Note that the upstream approach is quite bizarre because it turns impossible-to-attack SHA-1 certificates into trivial MITM opportunities.
Comment 11 Kai Engert (:kaie) 2017-04-12 08:49:42 EDT
Daiki has already backported the fix required for NSS,
stable in F25 (F25 still testing):
https://bodhi.fedoraproject.org/updates/FEDORA-2017-83de9e1c7c

Daiki has already backported the fix required for p11-kit,
stable in F25 (F25 still testing):
https://bodhi.fedoraproject.org/updates/FEDORA-2017-0dc6f0c054

I have already prepared the fixes for ca-certificates,
still in testing:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-a11057f70e

Thunderbird could add the backported patch from firefox 26, filename:
  rhbz-1400293-fix-mozilla-1324096.patch

Thunderbird requires version dependencies on the above packages builds.
(please include the "build" number in the requirement, because for nss/p11-kit, there were earlier "versions" that didn't include the required fixes.)
Comment 12 Kai Engert (:kaie) 2017-04-12 08:51:59 EDT
(In my previous comment, for nss and p11-kit, I intended to say that the *F24* packages are still in testing.)

Regarding ca-certificates, it seems we have gotten sufficient test feedback. I'm fine to push them to stable soon.


Thunderbird team: You could go ahead, pick up the patch I mentioned, and build for all Fedora branches. But please disable auto-stable. Please wait until after all base packages have been pushed to stable, prior to pushing thunderbird to stable.
Comment 13 Fedora Update System 2017-04-13 06:53:55 EDT
thunderbird-52.0-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4efaae68fe
Comment 14 Fedora Update System 2017-04-13 06:54:04 EDT
thunderbird-52.0-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-525d9c8af2
Comment 15 Fedora Update System 2017-04-13 11:20:32 EDT
thunderbird-52.0-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4efaae68fe
Comment 16 Fedora Update System 2017-04-13 13:22:31 EDT
thunderbird-52.0-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-525d9c8af2
Comment 17 Fedora Update System 2017-04-20 08:02:05 EDT
thunderbird-52.0-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.