SSL connection errors

User Help for Mozilla Thunderbird
Psychonaut
Posts: 109
Joined: April 7th, 2008, 3:56 am
Location: Winnipeg

SSL connection errors

Post by Psychonaut »

I have Thunderbird 45.6.0 running on three computers: a desktop machine at work, a desktop machine at home, and a laptop that I use sometimes at work and sometimes at home. All three computers are running various flavours of openSUSE. Around the same time last week, all three machines suddenly stopped being able to connect to my work's IMAP server (with SSL/TLS security and NTLM authentication). The following message appeared in their error consoles:
Error: An error occurred during a connection to mx.ukp.informatik.tu-darmstadt.de:993.

SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The system administrator says he had installed a new certificate the previous day, so that may have had something to do with the problem. Anyway, after a day or so, two of the computers (my home machine and my laptop) spontaneously started being able to connect to the IMAP server again. But my work machine is still throwing this error. Does anyone know how I can troubleshoot this problem? Here is what I have already tried:
  • I tried removing the cert8.db and/or cert_override.txt files from my profile before starting Thunderbird. This had no effect.
  • I tried copying the cert8.db file from my home machine. This had no effect.
  • I tried creating a new profile and adding the IMAP account. Thunderbird won't even let me add the account because it can't connect to the server (but doesn't provide a more specific error message).
  • I tried adding the IMAP account with a couple of different IMAP clients. KMail also refuses to add the account because it can't connect to the server; it throws the error "SSL handshake failed." Evolution has the same problem; its error message is "Error performing TLS handshake: An unexpected TLS packet was received."
  • I tried reinstalling my system-wide CA certificates (via my distribution's ca-certificates package). This had no effect.
  • I tried using the openssl command-line tool to retrieve the certificates from the server, on both my home machine and my work machine:


    openssl s_client -showcerts -connect mx.ukp.informatik.tu-darmstadt.de:443 </dev/null
    Apart from the timestamp, session ID, and master key, the output is nearly identical:


    $ diff /tmp/*.crt
    117d116
    < Server Temp Key: ECDH, P-256, 256 bits
    119c118
    < SSL handshake has read 5262 bytes and written 427 bytes
    ---
    > SSL handshake has read 5262 bytes and written 395 bytes
    126d124
    < No ALPN negotiated
    130c128
    <     Session-ID: 2D3500005AB2C579E7295DA59102E7D447C4B63D5FB22580A4C0DA6BA341FB58
    ---
    >     Session-ID: 6B000000EC3B8A27B25418B0486F8D3BF2E35D02B1B1E1B9B6DA01789BBB4A38
    132c130
    <     Master-Key: CE1755695B0E0114DBB1E5C303177EE57F9A219AE0B52BD44B5D7412789C0DCB4181C4742D58EF0C1F5451CAA8B9335A
    ---
    >     Master-Key: 3A76D172277BF9060541E54EF5518158BC5204F1ADCC5704A207C91EBBD63C69A73D3766996014E5F327E23A25492A88
    137c135
    <     Start Time: 1484565348
    ---
    >     Start Time: 1484565365
    
I realize all this points to a system-wide SSL/certificate problem rather than Thunderbird in particular, but if anyone could give me any hints as to how to further diagnose the problem (maybe by making Thunderbird's error logging more verbose?) I would be grateful.
Psychonaut
Posts: 109
Joined: April 7th, 2008, 3:56 am
Location: Winnipeg

Re: SSL connection errors

Post by Psychonaut »

Further to the above, I also tried connecting via openssl on port 993. When I connect from my home machine or my laptop, it works fine, but when I connect at work, I get the following output:


$ openssl s_client -connect mx.ukp.informatik.tu-darmstadt.de:993
CONNECTED(00000003)
140265371022992:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 261 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This is interesting because my laptop is plugged into the same wired network as my work machine. And both machines are running exactly the same version of OpenSSL (OpenSSL 1.0.1k-fips 8 Jan 2015).

I'm not really au fait with OpenSSL so could someone suggest to me what the problem is here?
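The two symptoms reported above (NSS's SSL_ERROR_RX_RECORD_TOO_LONG in Thunderbird, and OpenSSL's "unknown protocol" after reading only 7 bytes) are what a TLS client reports when the bytes coming back from port 993 are not a TLS record at all, most often because something on the path (the server itself, or an intercepting device) answers in plaintext. The following script is an added illustration, not part of the original thread or of any Mozilla/OpenSSL code. It parses the first five bytes of a server response the way a TLS client does, shows why a plaintext IMAP greeting is read as a record with an impossible length, and offers two live probes (`peek_first_bytes` and `probe_tls`; both names are assumptions) for checking a real host. The sample byte strings are constructed for the example.

```python
import socket
import ssl

# Largest record a TLS 1.2 peer may legitimately send: 2^14 bytes of plaintext
# plus up to 2048 bytes of expansion. NSS raises SSL_ERROR_RX_RECORD_TOO_LONG
# when the length field in a record header exceeds a limit of this order.
MAX_TLS_RECORD_LEN = 2**14 + 2048  # 18432

TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}


def parse_tls_record_header(data: bytes) -> dict:
    """Read the 5-byte TLS record header: content type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    return {
        "content_type": data[0],
        "version": (data[1], data[2]),
        "length": int.from_bytes(data[3:5], "big"),
    }


def classify_server_bytes(data: bytes) -> str:
    """Explain what a TLS client sees in the first bytes sent by the peer."""
    if len(data) < 5:
        return "too short to judge"
    hdr = parse_tls_record_header(data)
    looks_like_tls = (hdr["content_type"] in TLS_RECORD_TYPES
                      and hdr["version"][0] == 3)
    if looks_like_tls and hdr["length"] <= MAX_TLS_RECORD_LEN:
        return "TLS %s record, %d bytes" % (
            TLS_RECORD_TYPES[hdr["content_type"]], hdr["length"])
    # Not a valid record: check for well-known plaintext protocols that speak
    # first, which is exactly the case that produces "record too long".
    if data.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "plaintext IMAP greeting (no TLS on this port or path)"
    if data.startswith(b"HTTP/"):
        return "plaintext HTTP response (wrong port or intercepting proxy)"
    if hdr["length"] > MAX_TLS_RECORD_LEN:
        return "garbage read as a TLS record with oversized length"
    return "not a TLS record"


def peek_first_bytes(host: str, port: int, timeout: float = 3.0, n: int = 5) -> bytes:
    """Connect and wait briefly for unsolicited bytes. A TLS server stays silent
    until it receives a ClientHello; a plaintext IMAP server greets at once."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(n)
        except socket.timeout:
            return b""


def probe_tls(host: str, port: int, timeout: float = 5.0) -> str:
    """Run a real handshake with SNI set and report OpenSSL's reason on failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "handshake ok: %s %s" % (tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        return "handshake failed: %s" % exc.reason
    except OSError as exc:
        return "connection failed: %s" % exc


# Constructed samples (not captured from any real server).
# A TLS 1.2 handshake record header announcing a 64-byte ServerHello fragment.
GOOD_TLS = b"\x16\x03\x03\x00\x40" + b"\x02\x00\x00\x3c" + b"\x00" * 60
# A plaintext IMAP greeting, as a server that forgot to enable TLS would send.
IMAP_PLAINTEXT = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] constructed greeting\r\n"

if __name__ == "__main__":
    for sample in (GOOD_TLS, IMAP_PLAINTEXT):
        hdr = parse_tls_record_header(sample)
        print(sample[:5], hdr, "->", classify_server_bytes(sample))
```

Run against the plaintext greeting, the header parser reports content type 0x2A, "version" (0x20, 0x4F) and a length of 0x4B20 = 19232 bytes, which is above the 18432-byte ceiling: that is the mechanism behind the "record too long" message, and OpenSSL gives up on the same bytes with "unknown protocol". `peek_first_bytes("imap.example", 993)` returning a greeting rather than an empty string (a placeholder host; substitute your own) would confirm that the port is answering in plaintext, while a non-empty `exc.reason` from `probe_tls` tells you which check in OpenSSL rejected the handshake.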
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: SSL connection errors

Post by tanstaafl »

https://stackoverflow.com/questions/119 ... sl#4762977
https://stackoverflow.com/questions/244 ... ertificate

I'd suspect something is wrong with either the new certificate, or the server's SSL/TLS implementation. Use https://www.ssllabs.com/ssltest/ to test it. You might need to use the -servername option with openssl to enable TLS extensions to work correctly.
Psychonaut
Posts: 109
Joined: April 7th, 2008, 3:56 am
Location: Winnipeg

Re: SSL connection errors

Post by Psychonaut »

Thanks for the tips. Further testing by the sysadmins and my colleagues has confirmed that it's a server configuration issue, which means there's nothing I can do about it.