Bug 251327

Summary: mail/thunderbird fails to connect over ssl/tls
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed Works As Intended
Severity: Affects Only Me
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Reporter: Shane <FreeBSD>
Assignee: freebsd-gecko (Nobody) <gecko>
CC: cmt
Flags: bugzilla: maintainer-feedback? (gecko)

Description Shane 2020-11-23 11:29:52 UTC
Having used thunderbird for some years, last week I upgraded system and ports and thunderbird has stopped collecting mail using pop over ssl/tls.

I can disable security and collect email, but with ssl/tls enabled there is no mail retrieved. It would appear that the ssl connection fails.

There are no error messages given, the status line at the bottom runs through the steps but fails to collect mail.

I can connect to the email server using gnutls-cli and STAT, LIST without issue.

old system was stable/12 at ~12/feb new is stable/12 r367144
old thunderbird was 68.5 new is 78.5.0, also tried 78.4.0 and have been unable to rebuild 68.5 to test that.
Comment 1 Andriy Gapon freebsd_committer 2020-11-23 19:29:14 UTC
I think that you shared too little about servers and their configurations.

Also, you might want to double check that the issue occurs only with FreeBSD.
If not, then it's better to report it to the Thunderbird bug tracker directly.
Comment 2 Christoph Moench-Tegeder freebsd_committer 2020-11-23 22:28:27 UTC
Generally speaking, thunderbird seems to work well against SSL servers (I use IMAP+SSL (the stuff on port 993)).
Do you use a custom CA? (maybe thunderbird doesn't like that CA anymore since the upgrade - 68/78 was a big jump, including all the mess with the profiles). Anything in the Error Console?
Comment 3 Shane 2020-11-24 02:43:41 UTC
The email server is a shared host from the ISP. I had been using mail.shaneware.biz but using gnutls-cli it fails as the cert doesn't match the domain. Thinking that being more secure was the issue, I have changed the server name to mail.superb.net, but while that works for connecting with gnutls-cli, it does not help thunderbird.

Issue started the day I installed 78.5.0. I have rebuilt tbird with all options on and options off. Currently on are LIBPROXY OPTIMIZED_CFLAGS

I have tried 78.5.0 and 78.4.0 but I can't get 78.3.[23] or 68.5.0 to build now

I use xfce4

Don't use any other system to check against.

I did find some lib errors, ldd shows some libs as not found even though they are in the same directory. Setting LD_LIBRARY_PATH fixes ldd output but doesn't change anything in thunderbird.

ldd ./libxul.so
./libxul.so:
	libldap60.so => not found (0)
	libprldap60.so => not found (0)
	liblgpllibs.so => not found (0)
	libmozsqlite3.so => not found (0)
	libmozgtk.so => not found (0)
	libmozwayland.so => not found (0)
	libplds4.so => /usr/local/lib/libplds4.so (0x800688000)
	...

setenv LD_LIBRARY_PATH /usr/local/lib/thunderbird
ldd ./libxul.so
./libxul.so:
	libldap60.so => /usr/local/lib/thunderbird/libldap60.so (0x800679000)
	libprldap60.so => /usr/local/lib/thunderbird/libprldap60.so (0x8006b3000)
	liblgpllibs.so => /usr/local/lib/thunderbird/liblgpllibs.so (0x8006bb000)
	libmozsqlite3.so => /usr/local/lib/thunderbird/libmozsqlite3.so (0x808436000)
	libmozgtk.so => /usr/local/lib/thunderbird/libmozgtk.so (0x8006c8000)
	libmozwayland.so => /usr/local/lib/thunderbird/libmozwayland.so (0x8006cc000)
	libplds4.so => /usr/local/lib/libplds4.so (0x8006d2000)
	...

There are some errors in the thunderbird error log when starting, I don't see anything added when collecting email. Same errors listed even when not using ssl.

Error: couldn't open library libc.so: /usr/lib/libc.so: invalid file format
    <anonymous> resource:///modules/CLib.jsm:46
    <anonymous> resource:///modules/OTR.jsm:11
    <anonymous> resource:///modules/OTRUI.jsm:8
    connectedCallback chrome://messenger/content/chat/chat-conversation-info.js:117
    <anonymous> chrome://global/content/customElements.js:217
customElements.js:220:19
    <anonymous> chrome://global/content/customElements.js:220

[Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"  nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658"  data: no] L10nRegistry.jsm:658:19
    loadSync resource://gre/modules/L10nRegistry.jsm:658
    fetchFile resource://gre/modules/L10nRegistry.jsm:573
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:478
    map self-hosted:240
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:473
    generateResourceSetsForLocaleSync resource://gre/modules/L10nRegistry.jsm:415
    InterpretGeneratorResume self-hosted:1151
    next self-hosted:1099
    generateBundlesSync resource://gre/modules/L10nRegistry.jsm:177
    InterpretGeneratorResume self-hosted:1151
    next self-hosted:1099
    touchNext resource://gre/modules/Localization.jsm:167
    regenerateBundles resource://gre/modules/Localization.jsm:552
    activate resource://gre/modules/Localization.jsm:243
    <anonymous> chrome://messenger/content/mailWidgets.js:37
    <anonymous> chrome://messenger/content/customElements.js:34
    <anonymous> chrome://messenger/content/customElements.js:37
    observe resource://gre/modules/MailGlue.jsm:201

[Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"  nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658"  data: no] L10nRegistry.jsm:658:19
    loadSync resource://gre/modules/L10nRegistry.jsm:658
    fetchFile resource://gre/modules/L10nRegistry.jsm:573
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:478
    map self-hosted:240
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:473
    generateResourceSetsForLocaleSync resource://gre/modules/L10nRegistry.jsm:415
    InterpretGeneratorResume self-hosted:1151
    next self-hosted:1099
    generateBundlesSync resource://gre/modules/L10nRegistry.jsm:177
    InterpretGeneratorResume self-hosted:1151
    next self-hosted:1099
    touchNext resource://gre/modules/Localization.jsm:167
    regenerateBundles resource://gre/modules/Localization.jsm:552
    activate resource://gre/modules/Localization.jsm:243
    <anonymous> chrome://openpgp/content/modules/trust.jsm:11
    <anonymous> chrome://openpgp/content/modules/keyRing.jsm:17
    <anonymous> chrome://openpgp/content/modules/windows.jsm:19
    <anonymous> chrome://messenger-smime/content/msgReadSMIMEOverlay.js:18

[Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"  nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658"  data: no] L10nRegistry.jsm:658:19
    loadSync resource://gre/modules/L10nRegistry.jsm:658
    fetchFile resource://gre/modules/L10nRegistry.jsm:573
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:478
    map self-hosted:240
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:473
    generateResourceSetsForLocaleSync resource://gre/modules/L10nRegistry.jsm:415
    next self-hosted:1099
    generateBundlesSync resource://gre/modules/L10nRegistry.jsm:177
    next self-hosted:1099
    touchNext resource://gre/modules/Localization.jsm:167
    regenerateBundles resource://gre/modules/Localization.jsm:552
    activate resource://gre/modules/Localization.jsm:243
    <anonymous> chrome://messenger-smime/content/msgReadSMIMEOverlay.js:32

[Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"  nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658"  data: no] L10nRegistry.jsm:658:19
    loadSync resource://gre/modules/L10nRegistry.jsm:658
    fetchFile resource://gre/modules/L10nRegistry.jsm:573
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:478
    map self-hosted:240
    generateResourceSetSync resource://gre/modules/L10nRegistry.jsm:473
    generateResourceSetsForLocaleSync resource://gre/modules/L10nRegistry.jsm:415
    next self-hosted:1099
    generateBundlesSync resource://gre/modules/L10nRegistry.jsm:177
    next self-hosted:1099
    touchNext resource://gre/modules/Localization.jsm:167
    regenerateBundles resource://gre/modules/Localization.jsm:552
    activate resource://gre/modules/Localization.jsm:243
    <anonymous> resource:///modules/calendar/calCalendarDeactivator.jsm:10
    <anonymous> chrome://calendar/content/calendar-chrome-startup.js:27

Error while loading 'jar:file:///usr/local/lib/thunderbird/omni.ja!/chrome/messenger/search-extensions/twitter/manifest.json' (NS_ERROR_FILE_NOT_FOUND) Extension.jsm:570
    readJSON resource://gre/modules/Extension.jsm:570
    onStopRequest resource://gre/modules/NetUtil.jsm:128

Uncaught (in promise) Error: couldn't open library libc.so: /usr/lib/libc.so: invalid file format
    <anonymous> resource:///modules/CLib.jsm:46
    <anonymous> resource:///modules/OTR.jsm:11
    <anonymous> resource:///modules/OTRUI.jsm:8
    init chrome://messenger/content/chat/chat-messenger.js:1632

TypeError: singletons is null3 ActorManagerChild.jsm:297:32
    init resource://gre/modules/ActorManagerChild.jsm:297
    <anonymous> resource://gre/modules/ActorManagerChild.jsm:349
    <anonymous> chrome://global/content/browser-content.js:12
    get browsingContext chrome://global/content/elements/browser-custom-element.js:627
    setFindbarInActor chrome://global/content/elements/findbar.js:316
    set browser chrome://global/content/elements/findbar.js:326
    connectedCallback chrome://global/content/elements/findbar.js:163
Comment 4 Andriy Gapon freebsd_committer 2020-11-25 08:17:52 UTC
I think that the new thunderbird doesn't prompt (at least in some cases) for security exceptions if it does not like a certificate for some reason (e.g., self signed).  I had to add an exception manually through the settings.
A couple of links to save you some time:
https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/self-signed-certificates-in-mozilla-thunderbird-950.html
https://stackoverflow.com/questions/63947262/thunderbird-78-how-to-add-security-exception

Also, new thunderbird has some older TLS versions disabled by default.
Your problem could be related to that as well.
Comment 5 Christoph Moench-Tegeder freebsd_committer 2020-11-25 10:13:21 UTC
(In reply to Shane from comment #3)
> I have changed the server name to mail.superb.net

Aha. Checking that with openssl, I get, among others:
 - "Protocol  : TLSv1"
 - "Peer signing digest: MD5-SHA1"
or, when doing it right[tm]: "openssl s_client -no_ssl3 -no_tls1 -no_tls1_1 -connect mail.superb.net:995" yields "unsupported protocol".
May I suggest that your email provider is really behind the curve with their TLS configuration? Not offering TLSv1.2 is so... 2010?
Anyways, Mozilla disabled TLS 1.0 and 1.1 in the 78 versions, see release notes at https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/ .
You could use config settings security.tls.version.enable-deprecated and/or security.tls.version.min/max to re-enable the old protocols. Please note: THIS IS NOT A RECOMMENDED CONFIGURATION. There's (only slightly outdated) documentation on these settings in http://kb.mozillazine.org/Security.tls.version.* (I can only hope that you don't have any problems with completely unimplemented ciphers or similar, but in the end you really need to talk to your mail host provider).
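
Added example (not part of the bug thread, and not Thunderbird or FreeBSD project code): a shell helper that reads "openssl s_client" output like the lines quoted in comment 5 and compares the negotiated protocol with a security.tls.version.min value (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3). The function names are hypothetical, SAMPLE_OUTPUT is constructed from the two quoted lines, and the floor of 3 for Thunderbird 78 is assumed from the thread's statement that TLS 1.0 and 1.1 were disabled.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output against a client TLS floor.
# Function names are hypothetical; SAMPLE_OUTPUT is constructed, not captured.

# Map a protocol name as printed by s_client to the numeric scale used by
# security.tls.version.min/max (1 = TLS 1.0 ... 4 = TLS 1.3; 0 = unknown).
tls_pref_value() {
    case "$1" in
        TLSv1)   echo 1 ;;
        TLSv1.1) echo 2 ;;
        TLSv1.2) echo 3 ;;
        TLSv1.3) echo 4 ;;
        *)       echo 0 ;;
    esac
}

# Print the first negotiated protocol found in s_client output on stdin.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# check_against_min <min>: exit 0 if the protocol on stdin meets <min>,
# 1 if it is below it, 2 if the handshake failed or nothing could be parsed.
check_against_min() {
    min="$1"; out=$(cat)
    # A failed handshake typically still prints a session block, with an
    # empty cipher ("Cipher : 0000" / "Cipher is (NONE)"); do not trust it.
    if printf '%s\n' "$out" | grep -Eq 'Cipher[[:space:]]*(:|is)[[:space:]]*(0000|\(NONE\))'; then
        echo "failed: no handshake completed"; return 2
    fi
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    val=$(tls_pref_value "$proto")
    if [ "$val" -eq 0 ]; then
        echo "unknown: no recognised Protocol line"; return 2
    elif [ "$val" -lt "$min" ]; then
        echo "rejected: $proto (value $val) is below security.tls.version.min=$min"; return 1
    fi
    echo "ok: $proto (value $val) meets security.tls.version.min=$min"
}

# Constructed sample built from the two lines quoted in comment 5.
SAMPLE_OUTPUT='SSL-Session:
    Protocol  : TLSv1
Peer signing digest: MD5-SHA1'

# Live use (not run here): openssl s_client -connect HOST:995 </dev/null 2>/dev/null | check_against_min 3
printf '%s\n' "$SAMPLE_OUTPUT" | check_against_min 3 || true   # floor 3 = TLS 1.2
printf '%s\n' "$SAMPLE_OUTPUT" | check_against_min 1 || true   # floor 1 = TLS 1.0
```

An unrestricted s_client run reports the highest version both ends share, so a "rejected" result against floor 3 means the server side needs fixing, which is the conclusion comment 5 reaches.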