Your message dated Fri, 14 Feb 2014 20:00:46 +0100 with message-id <[email protected]> and subject line Re: Bug#703587: libnss3 update disables some (self signed) certs (with Icedove) has caused the Debian Bug report #703587, regarding icedove fails silently instead of reporting TLS certificate failures to the user to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
703587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703587
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss3
Version: 2:3.14.3-1
Severity: important

Dear Maintainer,

* What led up to the situation?

I upgraded libnss* from 2:3.13.6-2 (previously in wheezy) to 2:3.14.3-1 (new in wheezy). Suddenly Icedove cannot connect to my IMAP-mail server anymore. That mail-server has a self-signed certificate. Thunderbird on other PCs (Win7) does not have the problem. Mail-clients on other devices do have the problem. So it seems related to wheezy specifically.

* What exactly did you do (or not do) that was effective (or ineffective)?

Restart Icedove.

* What was the outcome of this action?
* What outcome did you expect instead?

Downgraded libnss* to 2:3.13.6-2 to verify that libnss is the culprit. This solves the issue. Upgrading to 2:3.14.3-1 again makes the issue appear again.

I also read some bug-reports. One of them talked about cert8.db being the problem. So I moved ~/.icedove/<profile>/cert8.db to cert8.db.bak and stopped/started Icedove to re-create cert8.db. This does not solve the issue, so the issue is not related to cert8.db and thus not to #670882 and/or Mozilla bug 634074.

If you need any more information please specify. I have added a dump of the certificate generated with openssl s_client -connect imap.intranet:993 -showcerts for you and attached it to this report.

To resolve this issue I have to downgrade to 2:3.13.6-2 and am thus stuck with a vulnerable version.

If using a different (non self-signed) certificate solves the issue, please specify. The imap.intranet server certificate is going to expire in a few months anyway. I can generate a certificate using a local PKI I've set up for OpenVPN after generating this certificate in 2005.
-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss3 depends on:
ii  libc6              2.13-38
ii  libnspr4           2:4.9.2-1
ii  libnspr4-0d        2:4.9.2-1
ii  libsqlite3-0       3.7.13-1
ii  multiarch-support  2.13-38
ii  zlib1g             1:1.2.7.dfsg-13

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
   i:/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
---
Server certificate
subject=/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
issuer=/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
---
No client certificate CA names sent
---
SSL handshake has read 1996 bytes and written 902 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 23F21A652686850DA0C3B7F742F08A1131460A4F059BF4C84CBDFB78B60A916B
    Session-ID-ctx:
    Master-Key: 23DF35222A6026A18C5F192C5CAD92D9F051124F2D13B9D32F64FD1F4BB74702F18DF52731F69199C141F601D120D797
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    Compression: 1 (zlib compression)
    Start Time: 1363819210
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc. See COPYING for distribution information.
--- End Message ---
--- Begin Message ---
Version: 17.0.10-1~deb7u1

On Sun, Sep 01, 2013 at 09:14:14PM +0100, subs wrote:
> I just encountered this problem with a newly built wheezy laptop.
> An upgrade to libnss 3.15.1-1 appears to fix it.
> Now when I set a new email account the advanced tab is available where
> before it was greyed out and add exceptions for self signed certs.
>
> I got the files from
> http://ftp.uk.debian.org/debian/pool/main/n/nss/
>
> root@t520:/home/philip/install# ls
> libnss3-1d_3.15.1-1_i386.deb libnss3_3.15.1-1_i386.deb
> root@t520:/home/philip/install# dpkg -i *
> (Reading database ... 75776 files and directories currently installed.)
> Preparing to replace libnss3-1d:i386 2:3.14.3-1 (using
> libnss3-1d_3.15.1-1_i386.deb) ...
> Unpacking replacement libnss3-1d:i386 ...
> Preparing to replace libnss3:i386 2:3.14.3-1 (using
> libnss3_3.15.1-1_i386.deb) ...
> Unpacking replacement libnss3:i386 ...
> Setting up libnss3:i386 (2:3.15.1-1) ...
> Setting up libnss3-1d:i386 (2:3.15.1-1) ...
>
> thanks, Philip

With the updated version of libnss3 and Icedove in stable-security this bug is gone.
So I will close this bug.

Regards
Carsten
--- End Message ---

