Control: tags 989839 severity important
Control: tags 989843 severity important
Control: merge 989843 989839

Hello *,

decreasing the severity as Thunderbird isn't *completely* unusable.

Am 14.06.21 um 19:31 schrieb Todor Tsankov:
> Dear Maintainer,
> Since the update to 78.11.0 Thunderbird cannot load various webpages. To
> reproduce the error, try to do a search in the Add-ons Manager (type
> something in the search box and press Enter).
> The error message is
> "The website tried to negotiate an inadequate level of security.
> ...
> There is perhaps a more useful error message in the error console:
> : server does not support RFC 5746, see CVE-2009-3555

Well, both messages are almost enough information to step into an
analysis and search for data on various internet web sites.

There are quite some web resources out there that explain what's going
wrong here (beside we don't know exactly why). I'm quoting from


> NS_ERROR_NET_INADEQUATE_SECURITY indicates that the server initiates
> a HTTP/2 connection, but Firefox detects an invalid TLS configuration
> in the server response (server negotiated HTTP/2 with blacklisted
> cipher suites). This is likely not an issue with the certificate, but
> this is a problem with the server setup and there are invalid cipher
> suites for HTTP/2 claimed (INADEQUATE_SECURITY).>
> There might also be
> other software that acts as a MITM and is interfering. When HTTP/2 is
> enabled and used then the requirements are much stricter than with
> message in case the server isn't configured properly.>
> A workaround to fix this ANNOYING issue is;
> network.http.spdy.enabled.http2 = false in about:config


So, to recap:
The server is sending over a HTTP/2 connection, but Thunderbird, or more
precisely the NSS3 library (depending on the configuration of
Thunderbird) is detecting some invalid TLS data and is
stopping the communication by presenting this message about
NS_ERROR_NET_INADEQUATE_SECURITY because the settings are that strict to
not going further.

> The problem also appears when trying to load other pages or using
> certain add-ons (for example, calendar-google-provider).
> The problem goes away if one sets network.http.spdy.enforce-tls-profile
> to false in the preferences. This makes me think that there is an issue
> with the TLS library.

This isn't a problem solution, it's a workaround that disables the TLS
validation check. And if Thunderbird is instructed to ignore any
security settings related to SSL/TLS it's not really surprising that the
previously seen issues seems to have gone.

Currently I've no real idea what's the reason why 78.11.0 is working
differently than the previous version 78.10.x.
And further more it's also possible that the external resources have a
real problem regarding the TLS settings. This needs clarification and
analysis of the underlying data flow.

Both Thunderbird versions 78.10.x and 78.11.x are using the same
underlying libnss3 version, that hasn't changed since 2021-02-18. That's
the main difference to the Thunderbird version in stable-security, there
we use the internal shipped NSS3 source to build the packages and so far
we haven't seen bug reports from stable users.

The build checks for a minimum required NSS3 version.

> 0:10.34 checking for nss >= 3.53.1... yes

In the archive we have 3.61 so it's clear the check is passing. The
upstream source for Thunderbird 78.11.0 comes with NSS3 version 3.51.1
and this hasn't changed since the introducing of Thunderbird ESR series

In can currently only think of some other different internal behavior of
78.11.0 together with NSS3 from the system.
The changelog from Mozilla for 78.11.0 isn't giving any hint that some
upstream modification might be the reason for the different behavior.

Closed bug reports between 78.10.2 and 78.11.0


Closed bug reports between 78.10.1 and 78.10.2


So to work around the problems users can do the following modification
to their profile settings.

Set network.http.spdy.enforce-tls-profile = false

If this isn't working this setting can set to false also

set network.http.spdy.enabled.http2 = false

But please note!
This decreases the transport security and should later get get reset to
the default, if not Thunderbird will use the insecure setting for ever!


Reply via email to