Topic: Thunderbird 31.3.0 Disabled SSL - Can't get Thunderbird to receive emails

[ghorst352]

I got a bit of confusion regarding SSL/TLS in combination with Thunderbird version 31.3.0 and SME Server 8.1.  I am fully aware of the vulnerability in SSL 3 and Thunderbird effective yesterday or thereabouts completely disabled SSL in Thunderbird version 31.3.0.  Great, that needed to be done so let's move on.  Anyways, perhaps due to my lack of knowledge in this area I thought that TLS would be the fallback?  I cannot receive emails using secure POP or IMAP due to Thunderbird killing off SSL so what in the heck am I suppose to do?  I thought TLS 1.2 is what we are suppose to be using?  My version is only TLS 1.0 on SME SERVER 8.1 w/ all updates?  How am I suppose to erect a secure path for receiving email in combination w/ Thunderbird 31.3.0 and SME Server 8.1 + TLS?

Any help is greatly appreciated 

[Daniel B.]

Please open a bug with as much details (log files, Thunderbird error message etc...) as possible

[particle]

Just to say that this isn't a one off experience, I've got the same problem with 8.1 and latest version of Thunderbird (31.3.0). Thunderbird's error log is:

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

Seems we need a higher version of TLS which isn't in the repositories. How do I check which version of TLS is currently installed? If all we have is 1.0 like bhay3s suggests, that is a vulnerable version and no longer supported.

[Daniel B.]

And without a bug opened, this issue won't be worked on.....

[particle]

http://bugs.contribs.org/show_bug.cgi?id=8707

[ghorst352]

Just as a side note I pushed out TB ver 24.4.0 to my stations until this issue is resolved.  I do not get any helpful information like "particle" did in the error console the only thing I see is the status saying "connected to (my mail server)" and just sits there without ever successfully pulling email due to SSL being disabled in 31.3.0.  I have combed my logs in SME but don't have anything else helpful to add at this time.

[particle]

Well, I'm kind of pissed now. I did a vulnerability check over at ssllabs.com and the server failed miserably. The server is completely current with the repositories (all yum updates are done), and all the SSL things that were supposed to be patched and fixed aren't. There is no TLS 1.1 or 1.2 on the server:

Protocols
TLS 1.2    No
TLS 1.1    No
TLS 1.0    Yes
SSL 3   INSECURE    Yes
SSL 2    Yes

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate.
The server supports only older protocols, but not the current best TLS 1.2.
The server does not support Forward Secrecy with the reference browsers.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

I'll be updating the bug report later today when I have a better picture. In the meantime, it'd be nice to know why these security updates haven't been pushed out.

[Daniel B.]

So, you're pissed because an opensource product you got for free is not as good as you'd like it to be am I correct ?
Anyway, please add your informations into the bug, not here

[particle]

Actually, we paid Mitel a lot of money back in the day. After all the updates over the last year, I did not expect these vulnerabilities to still exist on this platform. Apologies for any bad feeling.

[guest22]

FWIW:


To me this issue seems to be a compatibility issue. Mozilla decided to disable SSLv3 in their products and made a new version available. If I was running a production environment, I would keep myself up to date with the announcements and change logs of the most used daily tools, such as an email/calendaring client, so I am fully aware of upcoming changes. Also I would test new updates thoroughly before approving it for daily usage in the production environment, for I would need to support all clients.


SME Server did not yet disable all the SSLv3 in the server components, and devs are working hard to do this for the same reasons as all other vendors are doing. SME Server is checked against SSLLABS.com and other tools regularly by many SME Server users. And also notice that any security check will change their methods based on market developments, such as POODLE.


So my best guest is that what used to work, e.g. SME Server and Thunderbird, became incompatible due to a significant change in one of the components. And I could have know that if I read announcements, did regular checks and especially did thorough testing before deploying a change in important production tools.

[TerryF]

Its free, but the effort by Daniel is worth more than thank you, http://bugs.contribs.org/show_bug.cgi?id=8707 and http://bugs.contribs.org/show_bug.cgi?id=8716

[particle]

FWIW:

To me this issue seems to be a compatibility issue. Mozilla decided to disable SSLv3 in their products and made a new version available. If I was running a production environment, I would keep myself up to date with the announcements and change logs of the most used daily tools, such as an email/calendaring client, so I am fully aware of upcoming changes. Also I would test new updates thoroughly before approving it for daily usage in the production environment, for I would need to support all clients.

You're right. It's a compatibility issue. SSLv3 is 18 years old. It's very old and not very good and got turned off. People have been turning it off since Firefox 22 a year and a half ago. There are THREE successive versions. Two of which aren't supported in 8.1 (TLS 1.1 & 1.2). That leaves us with TLS 1.0 only - which is vulnerable too. I can't find the end of life announcement so we could make plans...

Even SME 9.0 with yum updates (which supports TLS 1.1 & 1.2) still gives the error message server does not support RFC 5746, see CVE-2009-3555 and these errors come from 2009 and 2010.

I don't mind supporting people like Daniel who have provided a rock star response (see tip jar). But pointing fault with people who are responsibly updating clients by incremental minor versions (which is what caused this) is just preposterous. Otherwise you're basically saying that SME will only work with old vulnerable software.

[TerryF]

There is a fix for this waiting to be verified in Bug 8707 it needs to be verified before it is released as an update. It needs a user who uses the mail features of SME and the latest thunderbird. The verification needs to confirm that the system still operates correctly with other mail clients and older versions of TB as well as the latest release. Update for SME9 has been verified (Thanks Jim )

See HERE for the format that should be followed for a verification, hopefully this prevents other bugs being introduced via an update.

[ghorst352]

I can verify for my network after installing the upgraded POP3 package that TB ver 31.3.0 works successfully with SME Server 8.1.  Thanks.

[Franco]

I can verify for my network after installing the upgraded POP3 package that TB ver 31.3.0 works successfully with SME Server 8.1.  Thanks.

Edit: Tested on SME9 and works!