Open Bug 1335421 Opened 8 years ago Updated 2 years ago

Unable to send when smartcard is active, STARTTLS fails. Error "unknown connection problem"

Categories: Thunderbird :: Security, defect
Version: 52 Branch
Tracking: (Not tracked)
Status: UNCONFIRMED
People: Reporter: birdfund, Unassigned
Attachments: 2 files

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170131030205

Steps to reproduce:

Thunderbird updated to the latest beta 52.0b1, Application Build ID: 20170126105536. I am a PKCS 11 smart card user and have been on beta for a while due to previous issues. After update, I attempted to send mail. Mail failed to send with "unknown connection problem" (further info below). I then tried a number of versions - prior beta works, current fails, latest nightly fails.

Actual results:

I also run the remote smtp server. The logs show first an SSL_accept error, then a lost connection after STARTTLS. Looking at the connection in wireshark shows a local request to the remote to STARTTLS, a response from the remote 220 Ready and then the local immediately FIN,ACK the connection.

I then restarted Thunderbird (52.0b1) but with smartcard removed from reader. All mail is sent normally. I then restarted Thunderbird, inserted smartcard and attempted to send both a signed and unsigned message. Both fail in same manner as described above. I then tried to send from another account using a different SMTP server with SSL/TLS and that connection also failed.

Next, I reverted to the prior beta build (51). Everything works fine. I then installed the latest NIGHTLY build (54). Outgoing again fails "for an unknown reason" w/ same errors on the SMTP server side. Finally, I again reverted to prior beta (51) and sending again works normally with smart card activated.

Expected results:

Sending of messages should not be affected by the presence or absence of pkcs11 smartcard.
Blocks: TB52found
Component: Untriaged → Security
Larry, does your issue still occur with 58 beta? http://www.mozilla.org/en-US/thunderbird/channel/
Flags: needinfo?(birdfund)
This is still not fixed in 58.0b3: "Sending of the message failed. The message could not be sent using Outgoing server (SMTP) xxxx.xxx for an unknown reason. Please verify that your Outgoing server (SMTP) settings are correct and try again."

This error message occurs for all accounts, even when not signing or encrypting the message. Once the card is pulled mail is able to be sent normally.

Outgoing smtp use two different servers:
Port 587, normal password, starttls
Port 465, normal pwd, ssl/tls

Reverting back to 51.
Flags: needinfo?(birdfund)
Hello - I tried the latest nightly today (64.0a1) and this problem still exists. In fact, it is slightly more serious in that though I first had it happen trying to send a message, it also prevents mail pickup. So to revise:

open thunderbird
check servers for mail
mail check returns ok
read message -> request for security device pin -> pin entered -> message displayed
check servers for new messages
connection hangs

Note, this apparently affects all versions after 52.9.1. I tried quite a few, but it first appears in 53.0b1 so I imagine something changed there.

If it helps, the servers I am trying to connect to are port 995 SSL/TLS POP3 and STARTTLS 587 for outgoing. I have attached two files, tbird_ssldump.log and dovecot.log, that have been sanitized and show a good connection (this is when the security card is removed) and a bad connection attempt (after the security card has been inserted and the pin requested and entered).
Attached file tbird_ssldump.log (deleted) —
from remote server capture of ssl connection attempt for both a good connection and one that fails after initializing the security card
Attached file dovecot.log (deleted) —
log info from the dovecot program for both a successful and a failed connection

Larry, do you still see this problem when using a current version?

Gene, this has a log.

Flags: needinfo?(birdfund)
Summary: Unable to send when smartcard is active, STARTTLS fails → Unable to send when smartcard is active, STARTTLS fails. Error "unknown connection problem"

Wayne, I'm not familiar with what a "smart card" is or does and definitely don't have one to test. Is it possible to simulate a smart card without actually having one to test? Also, can't tell much from the logs except that something failed (FIN'd the connection).

The reporter wrote:

Note, this apparently affects all versions after 52.9.1. I tried quite a few, but it first appears in 53.0b1 so I imagine something changed there.

Just a wild guess but the release notes for 60.0 mention something about TLS certificates with a certain date or earlier from several vendors being now rejected. https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/
(52.9.1 is the last release in the ESR 52 series before 60.x was released.)

Also, I don't know if it was an issue then but the pref security.tls.version.min has recently been an issue and some users have had to reduce the number to allow tb to tolerate an older tls/ssl version at the server.
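Two checks a triager would want at this point, written here as an added example (not code from the bug, from the attached logs, or from Thunderbird): a STARTTLS probe that upgrades the connection with no client certificate at all, so a success there while the mail client fails only with the card inserted points away from the server's TLS settings, and a small classifier for the pattern the reporter saw in Wireshark (server answers STARTTLS with 220, client immediately closes instead of sending a ClientHello). The transcripts below are constructed from the description in the report, not taken from tbird_ssldump.log; host names are placeholders, and the pref numbering is the Firefox/Thunderbird security.tls.version.min scale Gene refers to (1 = TLS 1.0 through 4 = TLS 1.3).

```python
"""Added triage helper: probe an SMTP server's STARTTLS upgrade without a
client certificate, and classify a session transcript for the
'220 Ready, then client FIN' failure pattern.  Not part of the bug or of
Thunderbird; transcripts and host names below are constructed."""
import smtplib
import ssl
import sys

# security.tls.version.min numbering used by Firefox/Thunderbird prefs:
# 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3.
TLS_PREF_LEVEL = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def probe_starttls(host, port=587, timeout=10):
    """Plain SMTP -> EHLO -> STARTTLS using the OS trust store and no client
    certificate.  Returns the negotiated TLS version/cipher and the minimum
    security.tls.version.min value a client would need to accept it."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls_offered": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
        tls_sock = smtp.sock
        version = tls_sock.version()
        return {
            "starttls_offered": True,
            "tls_version": version,
            "cipher": tls_sock.cipher()[0],
            "min_pref_needed": TLS_PREF_LEVEL.get(version),
        }


def classify_session(transcript):
    """Classify one SMTP session given as (direction, text) pairs, where
    direction is 'C' (client line), 'S' (server line) or 'TCP' (connection
    event).  Returns one of:
      'no-starttls'     client never issued STARTTLS
      'server-refused'  server answered STARTTLS with something other than 220
      'client-aborted'  server said 220, client closed without a ClientHello
      'tls-negotiated'  server said 220 and a TLS ClientHello followed
    """
    sent_starttls = False
    for i, (who, text) in enumerate(transcript):
        if who == "C" and text.strip().upper() == "STARTTLS":
            sent_starttls = True
            continue
        if sent_starttls and who == "S":
            if not text.startswith("220"):
                return "server-refused"
            # 220 received: what does the client do next?
            for who2, text2 in transcript[i + 1:]:
                if who2 == "C" and "ClientHello" in text2:
                    return "tls-negotiated"
                if who2 == "TCP" and "FIN" in text2:
                    return "client-aborted"
            return "client-aborted"
    return "no-starttls"


# Constructed transcripts modelled on the report (card removed vs. inserted).
GOOD_SESSION = [
    ("S", "220 mail.example.net ESMTP"),
    ("C", "EHLO client.example.net"),
    ("S", "250-STARTTLS"),
    ("C", "STARTTLS"),
    ("S", "220 Ready to start TLS"),
    ("C", "TLS ClientHello"),
    ("S", "TLS ServerHello"),
]
BAD_SESSION = [
    ("S", "220 mail.example.net ESMTP"),
    ("C", "EHLO client.example.net"),
    ("S", "250-STARTTLS"),
    ("C", "STARTTLS"),
    ("S", "220 Ready to start TLS"),
    ("TCP", "client -> server FIN,ACK"),
]

if __name__ == "__main__":
    for name, session in (("card removed", GOOD_SESSION), ("card inserted", BAD_SESSION)):
        print(f"{name}: {classify_session(session)}")
    # Optional live probe: python3 starttls_triage.py mail.example.net 587
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        print(probe_starttls(sys.argv[1], port))
```

If the live probe negotiates, say, TLSv1.2 while the client still fails only when the card is present, the server's TLS version and certificate chain are not the variable; the remaining difference is what the PKCS#11 module does to the client-side TLS stack, which is where the "client-aborted" classification points.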

(In reply to Wayne Mery (:wsmwk) from comment #7)

Larry, do you still see this problem when using a current version?

Yes.

85.0b1 64 bit w/ Gemalto 64 bit PKCS

with card key active: fails on send "Sending of message failed. Unable to generate public/private key pair. The configuration related to SERVERNAME must be corrected."

pull card key after clicking 'ok' on above dialogue. Click send. Message sends no issue.

Note that the message above was sent with NO encryption and NOT signed by the card. That should (?) rule out the PKCS11 module from Gemalto. The reader is Gemalto Ezio though same issues at another location with a Cherry reader and the IDPrime card.

I did not try to capture new server logs on the other side as this is the same pattern as the previous report and you have that log info.

85.0b1 both fail to exit cleanly. Window closes but process remains 'active' and eventually terminates with request to send bug report. You should have at least one such report.

Reverted back to 51.0b2 32 bit (with Gemalto 32b PKCS11), the last known to work. Harmless except the loss of all passwords (apparently the master pw file) though all other profile info was fine.

Potential difference of note: for 51.0b2 I must be careful NOT to have the card in the reader prior to starting Thunderbird as the program will hang if it downloads any messages. However, 85.0b1 will not work with the card in any manner if it is not inserted PRIOR to starting Thunderbird (i.e., it will open a dialogue to ask for the pin but that message never gets to the card reader).

Flags: needinfo?(birdfund)

(In reply to larrybird from comment #10)

I was not clear - I tested both 85.0b1 64 bit and 32 bit with the corresponding Gemalto PKCS11 drivers. Both fail the same way as described.

Severity: normal → S3

Just as an update - in testing against another bug (now fixed) I can confirm the above issue remains in 109.0b4.
