Discussion:
Attention: Thunderbird 52 and Kolab 16
Matthias Busch
2017-04-21 11:52:06 UTC
Permalink
Hey,

I have two Kolab Servers running (16.1 on Debian 8 x64) and multiple
Users ran into big trouble when they Upgraded their Thunderbird 45.8 to
52.0.1

Drafts could no longer be saved. New mails were not seen. In fact,
setting up new accounts did not work, when forced to save, the initial
connection to the IMAP server to see the folders did not work either.
Thunderbird claims it could not connect to the imap server, however, log
files in Kolab did not show any connection attempt I could see.

Furthermore, connecting to gmail or gmx did work but also showed signs
of trouble, saving drafts did not work most of the time.

After the downgrade everything is back to working normally. This has
been verified twice now, on different machines, different internet
connections. I am absolutely certain that thunderbird is at fault.
Furthermore, I do believe that thunderbird f***ed something up and not
that kolab is doing it wrong...

Just wanted to warn you guys. Take care
Matthias
Stefan Froehlich
2017-04-22 06:06:34 UTC
Permalink
I can confirm this issue. This only happens if you set connection
security to STARTTLS or SSL/TLS. Setting this to None works.


MfG Stefan Froehlich

42 ;-)
Post by Matthias Busch
Hey,
I have two Kolab Servers running (16.1 on Debian 8 x64) and multiple
Users ran into big trouble when they Upgraded their Thunderbird 45.8
to 52.0.1
Drafts could no longer be saved. New mails were not seen. In fact,
setting up new accounts did not work, when forced to save, the initial
connection to the IMAP server to see the folders did not work either.
Thunderbird claims it could not connect to the imap server, however,
log files in Kolab did not show any connection attempt I could see.
Furthermore, connecting to gmail or gmx did work but also showed signs
of trouble, saving drafts did not work most of the time.
After the downgrade everything is back to working normally. This has
been verified twice now, on different machines, different internet
connections. I am absolutely certain that thunderbird is at fault.
Furthermore, I do believe that thunderbird f***ed something up and not
that kolab is doing it wrong...
Just wanted to warn you guys. Take care
Matthias
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Mihai Badici
2017-04-22 10:06:07 UTC
Permalink
Post by Stefan Froehlich
I can confirm this issue. This only happens if you set connection
security to STARTTLS or SSL/TLS. Setting this to None works.
MfG Stefan Froehlich
42 ;-)
Could be because of use of SSL3.0 or something like this?
I have an older kolab in place and as i see thunderbird connect without any
problem.
Daniel Hoffend
2017-05-08 14:35:41 UTC
Permalink
With Thunderbird 52 the minimal required TLS version is 1.2. But somehow
guam has problems to work with TLS 1.2. I haven't had time to take a
closer look.

To fix this issue you've to change the internal configuration variable within
thunderbird to lower the minimum required TLS Version to 1.1

1) Go to: Thunderbird Preferences > Advanced > Config Editor

2) Search for: security.tls.version.min

3) Replace Value for security.tls.version.min with 1 (tls 1.0) or 2 (tls 1.1)

For more Information look at this mozilla article:
http://kb.mozillazine.org/Security.tls.version.*


--
Regards
Daniel Hoffend
Post by Mihai Badici
Post by Stefan Froehlich
I can confirm this issue. This only happens if you set connection
security to STARTTLS or SSL/TLS. Setting this to None works.
MfG Stefan Froehlich
42 ;-)
Could be because of use of SSL3.0 or something like this?
I have an older kolab in place and as i see thunderbird connect without any
problem.
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Franz Skale
2017-05-11 09:50:13 UTC
Permalink
Hi,

For thunderbird 52.1.0 the proposed solution doesn't work at all using
kolab 16 on debian 8.x.

Debugging the problem it seems that the auth command will not be
passed to cyrus. (no authenticiation).

I disabled the guam service and reconfigured cyrus-imapd.

Now tls 1.2 works as expected.


Rgds.

Franz
Post by Daniel Hoffend
With Thunderbird 52 the minimal required TLS version is 1.2. But somehow
guam has problems to work with TLS 1.2. I haven't had time to take a
closer look.
To fix this issue you've to change the internal configuration variable within
thunderbird to lower the minimum required TLS Version to 1.1
1) Go to: Thunderbird Preferences > Advanced > Config Editor
2) Search for: security.tls.version.min
3) Replace Value for security.tls.version.min with 1 (tls 1.0) or 2 (tls 1.1)
http://kb.mozillazine.org/Security.tls.version.*
--
Regards
Daniel Hoffend
Post by Mihai Badici
Post by Stefan Froehlich
I can confirm this issue. This only happens if you set connection
security to STARTTLS or SSL/TLS. Setting this to None works.
MfG Stefan Froehlich
42 ;-)
Could be because of use of SSL3.0 or something like this?
I have an older kolab in place and as i see thunderbird connect
without any
problem.
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Franz Skale
2017-05-11 17:16:58 UTC
Permalink
Thanks,
it works now !
Nevertheless, without guam it works w/o tweaking the extended conf.
Log:
2017-05-11 18:53:23.881 [error] <0.84.0> Supervisor tls_connection_sup
had child undefined started with {tls_connection,start_link,undefined}
at <0.160.0> exit with reason no function clause matching
ssl_cipher:hash_algorithm(8) line 1196 in context child_terminated
2017-05-11 18:53:23.881 [error] <0.100.0> gen_server <0.100.0>
terminated with reason:
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
2017-05-11 18:53:23.881 [error] <0.100.0> CRASH REPORT Process <0.100.0>
with 0 neighbours exited with reason:
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
in gen_server:terminate/6 line 737
2017-05-11 18:53:23.882 [error] <0.90.0> Supervisor
{<0.90.0>,kolab_guam_listener} had child session started with
{kolab_guam_session,start_link,undefined} at <0.100.0> exit with reason
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
in context child_terminated
2017-05-11 18:53:24.099 [error] <0.164.0> gen_fsm <0.164.0> in state
hello terminated with reason: no function clause matching
ssl_cipher:hash_algorithm(8) line 1196
2017-05-11 18:53:24.099 [error] <0.164.0> CRASH REPORT Process <0.164.0>
with 0 neighbours exited with reason: no function clause matching
ssl_cipher:hash_algorithm(8) line 1196 in gen_fsm:terminate/7 line 611

Perhaps the lowlevel erlang ssl lib is buggy ? kolab_guam bug ?
i easly can connect using:
openssl s_client -connect mailisserver:143 -starttls imap (TLSv1.2 with
cipher ECDHE-RSA-AES256-SHA384 (256/256 bits reused)
and doing:
. login ***@domain.com [password]

Rgds.

Franz
Post by Franz Skale
Hi,
For thunderbird 52.1.0 the proposed solution doesn't work at all using
kolab 16 on debian 8.x.
Debugging the problem it seems that the auth command will not be
passed to cyrus. (no authenticiation).
I disabled the guam service and reconfigured cyrus-imapd.
Now tls 1.2 works as expected.
Rgds.
Franz
Post by Daniel Hoffend
With Thunderbird 52 the minimal required TLS version is 1.2. But somehow
guam has problems to work with TLS 1.2. I haven't had time to take a
closer look.
To fix this issue you've to change the internal configuration
variable within
thunderbird to lower the minimum required TLS Version to 1.1
1) Go to: Thunderbird Preferences > Advanced > Config Editor
2) Search for: security.tls.version.min
3) Replace Value for security.tls.version.min with 1 (tls 1.0) or 2 (tls 1.1)
http://kb.mozillazine.org/Security.tls.version.*
--
Regards
Daniel Hoffend
Post by Mihai Badici
Post by Stefan Froehlich
I can confirm this issue. This only happens if you set connection
security to STARTTLS or SSL/TLS. Setting this to None works.
MfG Stefan Froehlich
42 ;-)
Could be because of use of SSL3.0 or something like this?
I have an older kolab in place and as i see thunderbird connect
without any
problem.
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Franz Skale
2017-05-12 05:30:57 UTC
Permalink
Hi Daniel,

today i installed a new client using a clean thunderbird 52.1.0 version.

Your proposed solution didn't work, so i tweaked and tested and came to
the solution using the following settings:

security.tls.version.min = 1

security.tls.version.max = 2

(May 12 07:27:22 mailis cyrus-imapd/imaps[13777]: starttls: TLSv1.2 with
cipher ECDHE-RSA-AES256-SHA384 (256/256 bits reused))

Otherwise, no connection was possible.

Rgds.

Franz
Post by Franz Skale
Thanks,
it works now !
Nevertheless, without guam it works w/o tweaking the extended conf.
2017-05-11 18:53:23.881 [error] <0.84.0> Supervisor tls_connection_sup
had child undefined started with {tls_connection,start_link,undefined}
at <0.160.0> exit with reason no function clause matching
ssl_cipher:hash_algorithm(8) line 1196 in context child_terminated
2017-05-11 18:53:23.881 [error] <0.100.0> gen_server <0.100.0>
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
2017-05-11 18:53:23.881 [error] <0.100.0> CRASH REPORT Process
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
in gen_server:terminate/6 line 737
2017-05-11 18:53:23.882 [error] <0.90.0> Supervisor
{<0.90.0>,kolab_guam_listener} had child session started with
{kolab_guam_session,start_link,undefined} at <0.100.0> exit with reason
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
in context child_terminated
2017-05-11 18:53:24.099 [error] <0.164.0> gen_fsm <0.164.0> in state
hello terminated with reason: no function clause matching
ssl_cipher:hash_algorithm(8) line 1196
2017-05-11 18:53:24.099 [error] <0.164.0> CRASH REPORT Process
<0.164.0> with 0 neighbours exited with reason: no function clause
matching ssl_cipher:hash_algorithm(8) line 1196 in gen_fsm:terminate/7
line 611
Perhaps the lowlevel erlang ssl lib is buggy ? kolab_guam bug ?
openssl s_client -connect mailisserver:143 -starttls imap (TLSv1.2
with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits reused)
Rgds.
Franz
Post by Franz Skale
Hi,
For thunderbird 52.1.0 the proposed solution doesn't work at all
using kolab 16 on debian 8.x.
Debugging the problem it seems that the auth command will not be
passed to cyrus. (no authenticiation).
I disabled the guam service and reconfigured cyrus-imapd.
Now tls 1.2 works as expected.
Rgds.
Franz
Post by Daniel Hoffend
With Thunderbird 52 the minimal required TLS version is 1.2. But somehow
guam has problems to work with TLS 1.2. I haven't had time to take a
closer look.
To fix this issue you've to change the internal configuration variable within
thunderbird to lower the minimum required TLS Version to 1.1
1) Go to: Thunderbird Preferences > Advanced > Config Editor
2) Search for: security.tls.version.min
3) Replace Value for security.tls.version.min with 1 (tls 1.0) or 2 (tls 1.1)
http://kb.mozillazine.org/Security.tls.version.*
--
Regards
Daniel Hoffend
Post by Mihai Badici
Post by Stefan Froehlich
I can confirm this issue. This only happens if you set connection
security to STARTTLS or SSL/TLS. Setting this to None works.
MfG Stefan Froehlich
42 ;-)
Could be because of use of SSL3.0 or something like this?
I have an older kolab in place and as i see thunderbird connect
without any
problem.
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Gregor Adamczyk
2017-04-22 13:35:51 UTC
Permalink
Hi, same problem here.

I found a workaround:


Set "security.tls.version.max" to 2 and starttls will work again...
--
Mit freundlichen Grüßen/With best regards
Gregor Adamczyk
Send users mailing list submissions to
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.kolab.org/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."
1. Attention: Thunderbird 52 and Kolab 16 (Matthias Busch)
2. Re: Attention: Thunderbird 52 and Kolab 16 (Stefan Froehlich)
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Matthias Busch
2017-04-29 01:26:12 UTC
Permalink
so whats actually going on here?

is the new thunderbird (by default) using a tls version which is not
supported by kolab and fails to fall back to the another version?

or is it something else?
Gregor Adamczyk
2017-05-11 14:02:50 UTC
Permalink
Set "security.tls.version.max" to 2 ...

not

security.tls.version.min

I wrote this already here:

http://lists.kolab.org/pipermail/users/2017-April/021173.html
--
Mit freundlichen Grüßen/With best regards
Gregor Adamczyk
Franz Skale
2017-05-11 17:14:28 UTC
Permalink
Thanks,
it works now !
Nevertheless, without guam it works w/o tweaking the extended conf.
Log:
2017-05-11 18:53:23.881 [error] <0.84.0> Supervisor tls_connection_sup
had child undefined started with {tls_connection,start_link,undefined}
at <0.160.0> exit with reason no function clause matching
ssl_cipher:hash_algorithm(8) line 1196 in context child_terminated
2017-05-11 18:53:23.881 [error] <0.100.0> gen_server <0.100.0>
terminated with reason:
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
2017-05-11 18:53:23.881 [error] <0.100.0> CRASH REPORT Process <0.100.0>
with 0 neighbours exited with reason:
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
in gen_server:terminate/6 line 737
2017-05-11 18:53:23.882 [error] <0.90.0> Supervisor
{<0.90.0>,kolab_guam_listener} had child session started with
{kolab_guam_session,start_link,undefined} at <0.100.0> exit with reason
{{function_clause,[{ssl_cipher,hash_algorithm,"\b",[{file,"ssl_cipher.erl"},{line,1196}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1706}]},{ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,[{file,"ssl_handshake.erl"},{line,1707}]},{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1706}]},{tls_handshake,decode_handshake,3,[{file,"tls_handshake.erl"},{line,184}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handsha..."},...]},...]},...}
in context child_terminated
2017-05-11 18:53:24.099 [error] <0.164.0> gen_fsm <0.164.0> in state
hello terminated with reason: no function clause matching
ssl_cipher:hash_algorithm(8) line 1196
2017-05-11 18:53:24.099 [error] <0.164.0> CRASH REPORT Process <0.164.0>
with 0 neighbours exited with reason: no function clause matching
ssl_cipher:hash_algorithm(8) line 1196 in gen_fsm:terminate/7 line 611

Perhaps the lowlevel erlang ssl lib is buggy ? kolab_guam bug ?
i easly can connect using:
openssl s_client -connect mailisserver:143 -starttls imap (TLSv1.2 with
cipher ECDHE-RSA-AES256-SHA384 (256/256 bits reused)
and doing:
. login ***@domain.com [password]

Rgds.

Franz
Post by Gregor Adamczyk
Set "security.tls.version.max" to 2 ...
not
security.tls.version.min
http://lists.kolab.org/pipermail/users/2017-April/021173.html
Matthias Busch
2017-05-21 19:57:54 UTC
Permalink
Is there a fix/update for guam in the planning, to make newer
thunderbird version compatible without manually setting advanced
parameters or downgrading and disabling auto-updates?

anyone know anything?

Loading...