Hi List,
I've just searched the July 2010 Archives [1] for a problem with Mozilla
Thunderbird 3.1 and a TLS connection to Perdition, but
am still missing a solution.
After connecting to Perdition, Thunderbird 3.1 emits warnings like:
Server "foo(a)bar.com" has disconnected.
The server may have gone down or there may be a network problem.
Looking into the perdition logs reveals:
perdition[9088]: Connect: 121.121.121.121->123.123.123.123
perdition[9088]: Fatal error establishing TLS connection
The same when running perdition in debug mode:
perdition[10304]: Connect: 121.121.121.121->123.123.123.123
perdition[10304]: SELF: "* OK IMAP4 Ready 121.121.121.121 0001cd8b\r\n"
perdition[10304]: CLIENT: "1 capability\r\n"
perdition[10304]: SELF: "* CAPABILITY IMAP4 IMAP4REV1 STARTTLS\r\n"
perdition[10304]: SELF: "1 OK CAPABILITY\r\n"
perdition[10304]: CLIENT: "2 STARTTLS\r\n"
perdition[10304]: SELF: "2 OK Begin TLS negotiation now\r\n"
perdition[10304]: __perdition_ssl_connection: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
perdition[10304]: __perdition_ssl_connection: SSL_accept
perdition[10304]: __perdition_ssl_connection: no shared ciphers?
perdition[10304]: perdition_ssl_server_connection: perdition_ssl_connection
perdition[10304]: main: perdition_ssl_server_connection TLS
perdition[10304]: Fatal error establishing TLS connection
I think the "no shared ciphers" is misleading here; it's the first
message that looks b0rked:
perdition[10304]: __perdition_ssl_connection:
error:140D9115:SSL routines:SSL_GET_PREV_SESSION:
session id context uninitialized
This could be related to the SSL/TLS renegotiation [2] done by the
recent Mozilla stack because of CVE-2009-3555, as pointed to by Thierry
Hotelier some days ago [3].
There is another mail by Giorgio Paolucci [4] indicating a problem with
the ssl/tls session caching (which really matches the error message).
Too bad the proposed fix (patch?) did not end up in the mailing list
archive. Could someone (Giorgio?) please re-post this patch inline so
others will find it without being subscribed?
After a quick search on openssl-users it looks like this can be fixed
using SSL_CTX_set_session_id_context.
Any news on this?
Thanks.
[1] http://lists.vergenet.net/pipermail/perdition-users/2010-July/thread.html
[2] https://wiki.mozilla.org/Security:Renegotiation
[3] http://lists.vergenet.net/pipermail/perdition-users/2010-July/002336.html
[4] http://lists.vergenet.net/pipermail/perdition-users/2010-July/002341.html