I'm getting this error when checking my mail, and I can't download my mail. I recently updated Thundirbird yesterday, but it restarted and was working fine for many hours. I saw this question: How to add an account when Thunderbird warns "potentially vulnerable to CVE-2009-3555"?, which led to https://wiki.mozilla.org/Security:Renegotiation, and I checked my config editor, and the following are still at their default values:
security.ssl.require_safe_negotiation;false
security.ssl.treat_unsafe_negotiation_as_broken;false
security.ssl.warn_missing_rfc5746;1
I found the original references to these errors, but they are from 2010. It's hard to believe the server was not updated since then. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555, http://tools.ietf.org/html/rfc5746
I tried to open a connection from the command line, and it worked fine:
$ openssl s_client -connect imap.spamarrest.com:993
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=Washington/L=Mercer Island/O=Spam Arrest LLC/CN=*.spamarrest.com
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEyTCCA7GgAwIBAgIQGYgqh31QZsgNdrzNLIRl0zANBgkqhkiG9w0BAQUFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
R2VvVHJ1c3QgU1NMIENBIC0gRzIwHhcNMTMwNzI1MDAwMDAwWhcNMTUwNzI1MjM1
OTU5WjBvMQswCQYDVQQGEwJVUzETMBEGA1UECBQKV2FzaGluZ3RvbjEWMBQGA1UE
BxQNTWVyY2VyIElzbGFuZDEYMBYGA1UEChQPU3BhbSBBcnJlc3QgTExDMRkwFwYD
VQQDFBAqLnNwYW1hcnJlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAv+uYrM/qwi2a2A/UxK9OXK8JkpcsRrgVpkuZYKmonRwwv6zPWaKSAMjp
gpA1IoL5/+EjxFXF0r0U8LURCex9h7PFD/QKuxY0zWl8tuFpBJMnBZvVZLoFSt0j
nEi5nQBbRTiZ3O7HqBCsjXjvUzauxNyD1rJKA7H8hwpROsjNX69npteGXN2rKv9J
wdd5z0sbmx1inoOpCrMB3QRgzAdK0w0UWgN6bm3sfO4XFdj3acsJuJpDKyIN+76F
FoMOSb+nJkwCCnYMlzdibmXpAYuATdajqU9fVp6+A9jR1EaQSeuyz6hY8tpDsxNE
SCLzsAEgkrlztR/MR0dWNe9BHXeKawIDAQABo4IBijCCAYYwKwYDVR0RBCQwIoIQ
Ki5zcGFtYXJyZXN0LmNvbYIOc3BhbWFycmVzdC5jb20wCQYDVR0TBAIwADAOBgNV
HQ8BAf8EBAMCBaAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2d0c3NsMi1jcmwu
Z2VvdHJ1c3QuY29tL2d0c3NsMi5jcmwwTAYDVR0gBEUwQzBBBgpghkgBhvhFAQc2
MDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNl
cy9jcHMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaA
FBFK0HM51VtpCFy6Pb9kmqiLHFW8MHIGCCsGAQUFBwEBBGYwZDArBggrBgEFBQcw
AYYfaHR0cDovL2d0c3NsMi1vY3NwLmdlb3RydXN0LmNvbTA1BggrBgEFBQcwAoYp
aHR0cDovL2d0c3NsMi1haWEuZ2VvdHJ1c3QuY29tL2d0c3NsMi5jZXIwDQYJKoZI
hvcNAQEFBQADggEBAIBf8uFFmwbDupaaxA7EcJTAEeXBscvwv+hB070MzQaMVqej
2b6uiyx3SzKioV6Oxdhgp1Q681utm/+oMhyhHZkdyWmnJp/M/COEDtEmw6i1GEQd
7HvSLAgfCTK4QymkX7KloX5+c6mQUIPnw8OlHHX/1wgPuHW61reytRaFpC0mF/7l
rdOMEp7bf8XgqihidJx0PN6QBkYJ93jcGLC/Z+RB/YbfZ5PlssLmAttSdBe8ICKp
5JZasTIJsKLmOEePx22wgSCSs90WBCtWwFWMgySL0is06kyyO8f41pxecn1l+ZUL
akBDXv0v2MEZ1Bt/zMdfb+HIZ2qrDbu7DkLPaxg=
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Mercer Island/O=Spam Arrest LLC/CN=*.spamarrest.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3560 bytes and written 672 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: E9038FFAE57B8F588299E197E5B5698AD51E595B6E2BFEEBA0ABA899ABDC1FCF
Session-ID-ctx:
Master-Key: 3CAD63BB946E9F696BD5259472E16A4C4616B41020A30C67A5CDDBC9BE063C702A0F0A7BE83AF98EB61D1F27A8B89E67
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - e6 4e d4 d0 12 78 e6 ad-ce a5 b0 84 4d 59 ea 1d .N...x......MY..
0010 - fc a2 61 c2 36 e8 d5 a6-f2 3f da 74 b6 7a d7 c1 ..a.6....?.t.z..
0020 - eb ac cf da 9a 21 02 70-da 85 38 d6 28 83 31 fe .....!.p..8.(.1.
0030 - e1 8d 14 ee 55 c7 02 5d-97 a3 3e cb d7 b8 70 de ....U..]..>...p.
0040 - 76 95 02 02 7c d8 5a 1a-f7 60 d8 fa ad f6 9f fb v...|.Z..`......
0050 - e1 30 92 ef 09 58 08 73-22 2c 1c bc 3c f0 a1 a5 .0...X.s",..<...
0060 - a9 bd fb 09 52 a4 9d cd-6b a6 9c 5e 42 ab 7c b3 ....R...k..^B.|.
0070 - 45 46 17 00 59 0a 3f b6-20 41 40 a3 2e 88 39 2c EF..Y.?. A@...9,
0080 - 4e 7d e6 09 ed 02 8f 3c-1e 9c 9c ce d9 88 cf 73 N}.....<.......s
0090 - 0e d6 87 83 4a 86 30 13-22 16 9c 13 b8 17 fd ba ....J.0.".......
Compression: 1 (zlib compression)
Start Time: 1434915194
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=CRAM-MD5 AUTH=PLAIN ACL ACL2=UNION] IMAP ready.
closed
So how do I work around this problem to fetch my mail? I've already notified the support of the server, but have not heard back.
Thunderbird 38.0.1
OpenSSL 1.0.2a 19 Mar 2015
It's happened for two consecutive updates. Is this a fault with Thunderbird or the mail server?
Timestamp: 8/19/2015 3:54:37 PM Error: uncaught exception: 2147746065
Timestamp: 8/19/2015 3:54:37 PM Error: mail.spamarrest.com : server does not support RFC 5746, see CVE-2009-3555
Answer
RFC 5746 describes a Transport Layer Security (TLS) Renegotiation Indication Extension, which is intended to protect against attackers injecting data into the connection early on and thus tricking clients and servers into communicating with each other in a manner that is vulnerable to a man in the middle attack.
CVE-2009-3555 is an old (late 2009) Common Vulnerability and Exposures identifier that basically allows you to learn more about products and product versions which are vulnerable or not to this specific attack. It's similar to a bug report ID or issue number that a vendor might assign to a problem report, except CVEs can (and in this case it certainly does) cover many different applications.
Thunderbird is informing you (though I agree, definitely not in a very user-friendly manner) that the server you are connecting to does not support the standard that was developed to mitigate this threat, and is aborting the connection attempt because this presents a potential security vulnerability leading to loss of privacy (specifically data confidentiality, in this case of both authentication credentials as well as email traffic).
The place where this needs to be fixed is on the mail server you are connecting to, so you should urge your service provider to immediately upgrade to software that mitigates CVE-2009-3555. Alternatively, since the problem has been known for six years and the fix has been standardized for five and a half years, I would have doubts about what other potential security issues the service provider is not taking seriously, and personally would probably look for alternative service providers.
If you don't care about privacy, then you can try to mitigate this by turning off TLS/SSL in your Thunderbird account settings, thus using plain-text mail transmission between your Thunderbird client and the mail server. This however leaves you potentially vulnerable to various threats, including pervasive monitoring. Additionally, this mitigative strategy requires that your service provider's mail server allows plaintext sessions in the first place; it's becoming more and more common for service providers to configure their systems such that only encrypted connections are allowed, particularly for authenticated workflows. Hence, this mitigative strategy may or may not be available in your specific case, and even if it is, is not a recommended approach.
Note that ignoring this problem (by switching to plain-text email transfer) affects not just you, but also potentially everyone that you correspond with over email. Even if you (contrary to best current Internet engineering practice) feel that pervasive monitoring is not a threat in your situation, those you correspond with might feel differently.
No comments:
Post a Comment