Finder wrote:
> I'm trying to migrate from Mozilla MailNews 1.4 to Thunderbird 0.7.1. We
> use IMAP over SSL, and the PKCS#12 certificate/key I use in Moz 1.4
> works (of course). Using the same cert/key combo, TBird craps out in the
> SSL negotation with "Error establishing an encrypted connection to
> {server}: Error code -8092".SSL questions are better asked in n.p.m.crypto. I'm redirecting followups there.
According to http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1038056
error code -8092 is "SEC_ERROR_KEYGEN_FAIL" which means
"Unable to generate public-private key pair."
http://lxr.mozilla.org/mozilla/search?string=SEC_ERROR_KEYGEN_FAIL tells us that this error is produced in any of 4 places, all in ssl3con.c. They are in functions: sendDHClientKeyExchange (clients only) sendECDHClientKeyExchange (clients only, when compiled for ECC) ssl3_CreateRSAStepDownKeys (servers only) ssl3_CreateECDHEphemeralKeys (servers only, when compiled for ECC)
You're not running a server, and AFAIK, the client products do not compile the Elliptic Curve Cryptography code at this time, so you probably got this error from sendDHClientKeyExchange. That in turn implies that the server negotiated one of the Diffie-Hellman ciphersuites.
I'd guess that the newer Tbird supports some of these, and the older mozilla does not.
> Ethereal seems to show the server sending > the same stuff back for TBird as Moz (simply the Server Hello with its > cert chain, after the Client Hello from the mail client), but TBird > choosing not to continue the conversation by sending its certs back to > the server at that point.
I'll bet that it shows another difference, a different SSL3/TLS ciphersuite has probably been chosen by the server.
> Can it not find the right cert/key combo to use?
It attempted to generate an ephemeral Diffie-Hellman key pair, which is rather trivial, and that failed for some reason.
> How can I make it prompt for that, or trace what's going on? I'm > pretty sure the cert is well formed, since TBird successfully uses it to > S/MIME sign outgoing messages (and they're received as good messages).
There's no indication of a cert problem in what's reported thus far. As for a way to trace it. Use the NSS program named ssltap. ssltap acts like a proxy, between client and server. it logs what passes through. It doesn't decrypt anything, but usually the relevant bits for diaglnosis aren't encrypted anyway.
> Any ideas? This is a show stopper, unfortunately; we use client certs to > control access to the SSL server. If it's any help: I'm pretty sure we > noticed this problem first with Moz 1.5 (but I can't reproduce that), > which is why we're still on version 1.4. Maybe something changed in PSM > around that time?
I think the Diffie-Hellman Ephemeral cipher suites were introduced about then. but I don't recall exactly.
> I'm currently testing TBird 0.7.1 prebuilt binaries on Windows 2000, > same with the Moz 1.4 binaries. > > When I set the IMAP logging up, I don't really get much more > information. The layer reporting the information just gets told the > socket read fails (-1) for some reason (-8092); I think the underlying > reason is not being traced.
Things that would help would be: - a trace from ssltap, - copies of the server certs (which will be output to files by ssltap), - a copy of your secmod.db file (which doesn't contain any secrets, so don't worry). - and if you're willing, the hostname and port number of your IMAPS server. You can email that into to me (after demunging my email address), or you can create a bug in bugzilla.mozilla.org and attach the info there.
Do you use any hardware or third party software crypto devices? Have you configured your browser to work with any of them?
If Tbird has UI for disabling individual cipher suites, you might try disabling any that use Diffic-Hellman ephemeral ciphersuites. But if that works, it's only a workaround, and we should still find and fix the cause.
-- Nelson B _______________________________________________ Mozilla-security mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-security
