Bug#761245: icedove: STARTTLS regression: "connection to SMTP server was lost in the middle of the transaction"

Dmitry Smirnov
Package: icedove
Version: 31.0-3
Severity: serious

Today I upgraded icedove 24.7.0-1~deb7u1 to 31.0-3 and immediately lost the
ability to send messages (connection security: STARTTLS):

    connection to SMTP server was lost in the middle of the transaction.

Luckily I have access to the server log, where exim4 4.80-7 logged the following:

    TLS error on connection from [...]
    (gnutls_handshake): Could not negotiate a supported cipher suite.

Downgrading icedove back to 24.7.0-1~deb7u1 fixed the problem.

--
Cheers,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B


Carsten Schoenert
Hello Dmitry,

On Fri, Sep 12, 2014 at 11:17:59AM +1000, Dmitry Smirnov wrote:
> Package: icedove
> Version: 31.0-3
> Severity: serious
>
> Today I upgraded icedove 24.7.0-1~deb7u1 to 31.0-3 and immediately lost
> ability to send messages (connection security: STARTTLS):
>
>     connection to SMTP server was lost in the middle of the transaction.

can you please produce some logs of Icedove's activity (after you
have checked the following points)?
https://wiki.debian.org/Icedove#Debugging_Icedove_Activity

Please check also the Error Console inside Icedove (Ctrl+Shift+j).

BTW: Do you really mean 24.7.0? This version is only available via
stable-security! Which distribution are you running on?

> Luckily I have access to server log where exim4 4.80-7 logged the following:
>
>     TLS error on connection from [...]
>     (gnutls_handshake): Could not negotiate a supported cipher suite.
>
> Downgrading icedove back to 24.7.0-1~deb7u1 fixed the problem.

There are several bugs around this error message that are mostly related to
GnuTLS (on the server side). For example

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921

What cipher suite is configured inside the exim configuration?
Please also read this article to see which cipher suites Mozilla
supports
https://wiki.mozilla.org/Security/Server_Side_TLS

What kind of CA are you using? If it is an MD5 signature you have to use
another certificate that is not MD5-hashed.
Have you checked your settings for security.tls.version.min and
security.tls.version.max? The *.min should be 0 and *.max should be 3;
if not, your client will not support all SSL/TLS versions.
http://kb.mozillazine.org/Security.tls.version.*

I strongly believe this report is not an Icedove/Thunderbird related
problem.

Regards
Carsten


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Dmitry Smirnov
On Fri, 12 Sep 2014 19:39:30 Carsten Schoenert wrote:
> can you please make some logs about the activity of Icedove (after you
> have checked the points following)?
> https://wiki.debian.org/Icedove#Debugging_Icedove_Activity
>
> Please check also the Error Console inside Icedove (Ctrl+Shift+j).

Thanks for the helpful hints, but I couldn't spot anything useful in the MCE log or in
the error console...


> BTW: You really mean 24.7.0?

Yes, this is correct.

> This version is only available via
> stable-security! Which distribution you are running on?

I noticed the problem following upgrade to "testing" on amd64. When it became
obvious that Icedove can't be used any more I downgraded it to the latest
available version which happened to be the exact version I was using before
upgrade...


> There are several bugs around this error message that mostly related to
> GNUtls (on the server side). For example
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921

I'm not 100% sure but from the brief look it appears to be a different
problem...


> What cipher suite is configured inside the exim configuration?

I'm not sure where to find this information... Whatever the cipher settings are,
they would be the default for Wheezy. As far as I'm aware there were no cipher
customisations on the server side.


> Please also read this article to see which cipher suite Mozilla is
> supporting
> https://wiki.mozilla.org/Security/Server_Side_TLS

Thanks but I know little about TLS and I don't understand how it can be
helpful in my case...


> What kind of CA you are using? If it is a md5 signature you have to use
> an other not md5 hashed certificate.

cacert.org.

Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha512WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)


> Do you have checked your settings for security.tls.version.min and
> security.tls.version.max? The *.min should be 0 and *.max should be 3,
> if not your client will not support all version for SSL/TLS.
> http://kb.mozillazine.org/Security.tls.version.*

Where are those settings? Anyway I've never touched them...


> I strongly believe this report is not a Icedove/Thunderbird related
> problem.

I disagree. Otherwise how would you explain why a downgrade of icedove fixed the
problem?
If icedove from Jessie can't talk to an SMTP server on Wheezy it is a serious
regression on the client side, i.e. in Icedove.

--
All the best,
 Dmitry Smirnov.

---

Without doubt you are not sane.
        -- Tage Danielsson


Carsten Schoenert
On Sat, Sep 13, 2014 at 11:47:07AM +1000, Dmitry Smirnov wrote:
> > What cipher suite is configured inside the exim configuration?
>
> I'm not sure where to find this information... Whatever the cipher settings are,
> they would be the default for Wheezy. As far as I'm aware there were no cipher
> customisations on the server side.

That may be the problem; as far as I have read, the exim package has to be
configured to use ciphers if it gets communication via TLS.

I found an article on serverfault.com that gives some background
information on that and on cipher suites too.
http://serverfault.com/questions/615855/exim-after-thunderbird-update-could-not-negotiate-a-supported-cipher-suite

But I don't know how to exactly configure an exim setup, so I can't give
better hints there. Maybe we should involve the Exim maintainers too. I
am adding them to the CC list; hopefully they can give some hints on where
to look as well.

@Andreas Metzler and Marc Haber
Dmitry gets various messages in the exim log while trying to send
mails from Icedove 31 with TLS enabled.
>    TLS error on connection from [...]
>        (gnutls_handshake): Could not negotiate a supported cipher suite.

Looks to me like a misconfigured exim configuration. Can you please
shed some useful light on this error message?

> > Please also read this article to see which cipher suites Mozilla
> > supports
> > https://wiki.mozilla.org/Security/Server_Side_TLS
>
> Thanks but I know little about TLS and I don't understand how it can be
> helpful in my case...

Well, Mozilla has removed the support for weaker cipher suites in
Thunderbird >= 31, and I think this together with the exim config ends in
non-working communication between Icedove and Exim.


> > What kind of CA are you using? If it is an MD5 signature you have to use
> > another certificate that is not MD5-hashed.
>
> cacert.org.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Signature Algorithm: sha512WithRSAEncryption
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)

CAcert was removed from the CA list inside Debian, but I think this does not
belong to your report. Also, the signature is not done with MD5.

> > Have you checked your settings for security.tls.version.min and
> > security.tls.version.max? The *.min should be 0 and *.max should be 3;
> > if not, your client will not support all SSL/TLS versions.
> > http://kb.mozillazine.org/Security.tls.version.*
>
> Where are those settings? Anyway I've never touched them...

That's explained at the top of the website. ;)
http://kb.mozillazine.org/Editing_configuration

These settings are inside Icedove; you get to the config via Tools ->
Options -> Advanced -> General and pressing the Config Editor... button.

Please play around with the security.tls.version.max option; with a
setting of "1" you tell Icedove to explicitly use a weak cipher suite.

> > I strongly believe this report is not an Icedove/Thunderbird related
> > problem.
>
> I disagree. Otherwise how would you explain why a downgrade of icedove fixed the
> problem?
> If icedove from Jessie can't talk to an SMTP server on Wheezy it is a serious
> regression on the client side, i.e. in Icedove.

I agree it's a user regression, but I still believe you have a misconfiguration on
the server side.
I work on various clients with Icedove/Thunderbird >=31 against T-Online
(a really big ISP in Germany), Google and my own root server with a
running exim 4.72, without any changes to my Icedove settings. So, until
now, I disagree that this issue is Icedove related. But yes, I could be
wrong.

Regards
Carsten



Dmitry Smirnov
Hi Carsten,

Thank you for the quick and thorough reply.


On Sat, 13 Sep 2014 09:05:48 Carsten Schoenert wrote:
> I found an article on serverfault.com that gives some background
> information on that and on cipher suites too.
> http://serverfault.com/questions/615855/exim-after-thunderbird-update-could-not-negotiate-a-supported-cipher-suite

Thank you, that seems to be very similar to my problem. :)


> But I don't know how to exactly configure an exim setup, so I can't give
> better hints there. Maybe we should involve the Exim maintainers too. I
> am adding them to the CC list; hopefully they can give some hints on where
> to look as well.
 
Thanks. I merely have "MAIN_TLS_ENABLE = true" in
"/etc/exim4/exim4.conf.localmacros".


> Well, Mozilla has removed the support for weaker cipher suites in
> Thunderbird >= 31, and I think this together with the exim config ends in
> non-working communication between Icedove and Exim.

In that case I wish there was a NEWS file with a warning regarding the potential
implications...


> CAcert was removed from the CA list inside Debian, but I think this does not
> belong to your report. Also, the signature is not done with MD5.

I'm aware of the (painful and perhaps unnecessary) CAcert removal. I doubt that the CA
is relevant to this bug because the (up|down)grade of Icedove demonstrates
different behaviour without any CA-related warnings/errors...


> > > Have you checked your settings for security.tls.version.min and
> > > security.tls.version.max? The *.min should be 0 and *.max should be 3;
> > > if not, your client will not support all SSL/TLS versions.
> > > http://kb.mozillazine.org/Security.tls.version.*
> >
> > Where are those settings? Anyway I've never touched them...
>
> That's explained at the top of the website. ;)
> http://kb.mozillazine.org/Editing_configuration
>
> These settings are inside Icedove; you get to the config via Tools ->
> Options -> Advanced -> General and pressing the Config Editor... button.

Well, there is nothing there starting with "Tools -> Options", so even you got
the path wrong... :)
I finally found it under

 * Edit
   * Preferences
     * Advanced
       * General
         * Config Editor
   
where "security.tls.version.min==0" and "security.tls.version.max==3".


> Please play around with the security.tls.version.max option; with a
> setting of "1" you tell Icedove to explicitly use a weak cipher suite.

I doubt this would be a good idea as it may affect other servers...
I tried setting "security.tls.version.max" to 1 and it allowed me to send email
successfully after confirming the server certificate.
"security.tls.version.max==2" also worked for me, but the problem returned with
"security.tls.version.max==3". It seems that the trouble might be due to a
malfunction in TLS fallback (upstream)...


> > > I strongly believe this report is not an Icedove/Thunderbird related
> > > problem.
> >
> > I disagree. Otherwise how would you explain why a downgrade of icedove fixed
> > the problem?
> > If icedove from Jessie can't talk to an SMTP server on Wheezy it is a serious
> > regression on the client side, i.e. in Icedove.
>
> I agree it's a user regression, but I still believe you have a misconfiguration on
> the server side.
> I work on various clients with Icedove/Thunderbird >=31 against T-Online
> (a really big ISP in Germany), Google and my own root server with a
> running exim 4.72, without any changes to my Icedove settings. So, until
> now, I disagree that this issue is Icedove related. But yes, I could be
> wrong.

So you suggest that the problem is on the server side (i.e. SMTP), which could be
the case. However, I have TLS enabled in exim4 using "MAIN_TLS_ENABLE = true"
as advised by

 * https://wiki.debian.org/Exim#TLS_and_Authentication
 * http://pkg-exim4.alioth.debian.org/README/README.Debian.html#TLS

which is hardly a misconfiguration. It has worked with other email clients for a
while (I primarily use kmail).

--
Regards,
 Dmitry Smirnov.

---

What can be asserted without proof can be dismissed without proof.
        -- Christopher Hitchens, 2004
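A client-side probe that mirrors the experiment Dmitry describes above, added here as an example and not part of the bug thread: it maps the security.tls.version.min/max pref values (0 = SSLv3, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) onto a Python ssl context and attempts STARTTLS against an SMTP server for each maximum, so an admin can see which protocol range the MTA actually negotiates before touching client prefs. The host mail.example.com is a placeholder; the server-side cause of a failed handshake still has to be read from the MTA's own log, as in the exim4 line quoted in the report.

```python
# Added example (not from the bug thread): probe an SMTP server over STARTTLS
# with the TLS version range that Icedove's security.tls.version.min/max
# prefs would produce, to see which range the server can negotiate.
import smtplib
import ssl

# Mozilla pref value -> protocol version (same numbering as the prefs
# discussed in the thread: 0 = SSLv3, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2).
# A current OpenSSL build may refuse SSLv3, so the demo below starts at 1.
PREF_TO_VERSION = {
    0: ssl.TLSVersion.SSLv3,
    1: ssl.TLSVersion.TLSv1,
    2: ssl.TLSVersion.TLSv1_1,
    3: ssl.TLSVersion.TLSv1_2,
}


def context_for_prefs(min_pref: int, max_pref: int) -> ssl.SSLContext:
    """Build a verifying client context limited to the range the prefs allow."""
    if min_pref > max_pref:
        raise ValueError("security.tls.version.min must not exceed .max")
    ctx = ssl.create_default_context()  # CA verification and hostname check on
    ctx.minimum_version = PREF_TO_VERSION[min_pref]
    ctx.maximum_version = PREF_TO_VERSION[max_pref]
    return ctx


def probe_starttls(host: str, port: int, min_pref: int, max_pref: int) -> str:
    """Return the negotiated protocol name, or the handshake error text."""
    ctx = context_for_prefs(min_pref, max_pref)
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)  # raises ssl.SSLError on a failed handshake
            return smtp.sock.version()  # e.g. "TLSv1.2"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return f"failed: {exc}"


if __name__ == "__main__":
    # Placeholder host; replace with your own MTA. Loops over the same
    # security.tls.version.max values Dmitry tried (1, 2, 3).
    for max_pref in (1, 2, 3):
        print(f"max={max_pref}:", probe_starttls("mail.example.com", 587, 1, max_pref))
```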


Carsten Schoenert
tags 761245 + pending
thanks

Hello Dmitry,

On Sat, Sep 13, 2014 at 06:18:48PM +1000, Dmitry Smirnov wrote:
 
> > But I don't know how to exactly configure an exim setup, so I can't give
> > better hints there. Maybe we should involve the Exim maintainers too. I
> > am adding them to the CC list; hopefully they can give some hints on where
> > to look as well.
>  
> Thanks. I merely have "MAIN_TLS_ENABLE = true" in
> "/etc/exim4/exim4.conf.localmacros".

unfortunately the exim maintainers haven't written any message about
this problem. Please try to contact them to ask further. I can't
say anything at all related to exim configurations ... :(

> > Well, Mozilla has removed the support for weaker cipher suites in
> > Thunderbird >= 31, and I think this together with the exim config ends in
> > non-working communication between Icedove and Exim.
>
> In that case I wish there was a NEWS file with a warning regarding the potential
> implications...

We have prepared something for the upload of version 31.2.0.

> > These settings are inside Icedove; you get to the config via Tools ->
> > Options -> Advanced -> General and pressing the Config Editor... button.
>
> Well, there is nothing there starting with "Tools -> Options", so even you got
> the path wrong... :)
> I finally found it under
>
>  * Edit
>    * Preferences
>      * Advanced
>        * General
>          * Config Editor
>    
> where "security.tls.version.min==0" and "security.tls.version.max==3".

Yes, that's my fault, sorry. That happens if you use something related
to an M$ version. ;)

> So you suggest that the problem is on the server side (i.e. SMTP), which could be
> the case. However, I have TLS enabled in exim4 using "MAIN_TLS_ENABLE = true"
> as advised by
>
>  * https://wiki.debian.org/Exim#TLS_and_Authentication
>  * http://pkg-exim4.alioth.debian.org/README/README.Debian.html#TLS
>
> which is hardly a misconfiguration. It has worked with other email clients for a
> while (I primarily use kmail).

Yes, it is a problem related to not clearly configured MTAs. The topic
around TLS isn't easy to understand and is challenging the admins every
day. But I'm not an exim admin, so I can't really say anything more
useful for you.

Regards
Carsten

