Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Bug#989839: thunderbird: Gmail imap authentication error

474 views
Skip to first unread message

Benjamin Bänziger

unread,
Jun 14, 2021, 11:50:03 AM6/14/21
to
Package: thunderbird
Version: 1:78.11.0-1
Severity: important

Dear Maintainer,

Since todays update, thunderbird doesn't connect with gmail imap server
anymore;
"Authenticcation failure while connecting to server imap.gmail.com"

Also creating a new account for gmail doesn't work:
"Thunderbird failed to find the settings for your email account"




-- System Information:
Debian Release: 11.0
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii debianutils 4.11.2
ii fontconfig 2.13.1-4.2
ii libatk1.0-0 2.36.0-2
ii libbotan-2-17 2.17.3+dfsg-2
ii libbz2-1.0 1.0.8-4
ii libc6 2.31-12
ii libcairo-gobject2 1.16.0-5
ii libcairo2 1.16.0-5
ii libdbus-1-3 1.12.20-2
ii libdbus-glib-1-2 0.110-6
ii libevent-2.1-7 2.1.12-stable-1
ii libffi7 3.3-6
ii libfontconfig1 2.13.1-4.2
ii libfreetype6 2.10.4+dfsg-1
ii libgcc-s1 10.2.1-6
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libglib2.0-0 2.66.8-1
ii libgtk-3-0 3.24.24-4
ii libicu67 67.1-6
ii libjson-c5 0.15-2
ii libnspr4 2:4.29-1
ii libnss3 2:3.61-1
ii libpango-1.0-0 1.46.2-3
ii libstdc++6 10.2.1-6
ii libvpx6 1.9.0-1
ii libx11-6 2:1.7.1-1
ii libx11-xcb1 2:1.7.1-1
ii libxcb-shm0 1.14-3
ii libxcb1 1.14-3
ii libxext6 2:1.3.3-1.1
ii libxrender1 1:0.9.10-1
ii psmisc 23.4-2
ii x11-utils 7.7+5
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages thunderbird recommends:
ii hunspell-de-de [hunspell-dictionary] 20161207-9
ii hunspell-en-us [hunspell-dictionary] 1:2019.10.06-1

Versions of packages thunderbird suggests:
ii apparmor 2.13.6-10
ii fonts-lyx 2.3.6-1
ii libgssapi-krb5-2 1.18.3-5
ii libgtk2.0-0 2.24.33-2

--1623684649-eximdsn-1059748872--

Kevin Locke

unread,
Jun 14, 2021, 1:50:03 PM6/14/21
to
On Mon, 2021-06-14 at 17:40 +0200, Benjamin Bänziger wrote:
> Package: thunderbird
> Version: 1:78.11.0-1
> Severity: important
>
> Dear Maintainer,
>
> Since todays update, thunderbird doesn't connect with gmail imap server
> anymore;
> "Authenticcation failure while connecting to server imap.gmail.com"
>
> Also creating a new account for gmail doesn't work:
> "Thunderbird failed to find the settings for your email account"

I encountered the same error after upgrading from 1:78.10.0-1 to
1:78.11.0-1 for every account using IMAP with TLS. It also manifests as
"Failed to connect to server ${SERVER}" with network.trr.mode=3. I
believe something is wrong with TLS in 1:78.11.0-1. An easy way to
reproduce (optionally in a new profile with no accounts configured):

1. Click "Add-ons" from the menu.
2. Click the "Find More Addons" button at the bottom of the
"Recommendations" tab.
3. Observe https://addons.thunderbird.net/en-US/thunderbird/ is opened
in a new tab with Error code: NS_ERROR_NET_INADEQUATE_SECURITY.

These steps correctly show the Thunderbird Add-ons page with thunderbird
78.10.2-1 and below. The "Authentication failure" messages also do not
occur for me after downgrading thunderbird to 78.10.2-1.

Thanks,
Kevin

Àlex

unread,
Jun 16, 2021, 4:00:02 AM6/16/21
to
Hi,

(excuse my poor English)

It's not the first time this problem happens. It happened before last year:

Everytime package maintainers upgrade Thunderbird version before
upgrading Firefox version, it happens than Thunderbird stops working
with GMail, and stop working with some RSS too. The message in both
cases is (from "error console"):

   server does not support RFC 5746, see CVE-2009-3555

To fix-it, package maintainers have to upgrade Firefox from 78.10 to
78.11 , and then Thunderbird will start working fine again. Or downgrade
Thunderbird again to 78.10, the same version that Firefox.

It would be nice if in the future Firefox packages upgrade the same day
or days before than Thunderbird, so Thunderbird doesn't stop working.

Thanks



     Àlex

Carsten Schoenert

unread,
Jun 16, 2021, 4:30:04 AM6/16/21
to
Hello Àlex,

Am 16.06.21 um 09:42 schrieb Àlex:
...
> To fix-it, package maintainers have to upgrade Firefox from 78.10 to
> 78.11 , and then Thunderbird will start working fine again. Or downgrade
> Thunderbird again to 78.10, the same version that Firefox.
>
> It would be nice if in the future Firefox packages upgrade the same day
> or days before than Thunderbird, so Thunderbird doesn't stop working.

having such an requirement would be a issue as both packages are
independent from each other.
Thunderbird uses nothing from the Firefox package. So updating Firefox
would be nothing more than a workaround.

Also FF 78.11.0 has a requirement on libnss3 >= 3.51.1 so also Firefox
is working with the available older version of this library.

I'm using locally FF 88.0 from experiemntal

--
Regards
Carsten

Carsten Schoenert

unread,
Jun 16, 2021, 4:30:06 AM6/16/21
to
Argh,

I wasn't ready for sending ...

Am 16.06.21 um 10:22 schrieb Carsten Schoenert:

> I'm using locally FF 88.0 from experiemntal

... and the problems are the same if you use FF 78.10.0 from testing.

The underlying issues haven't been solved.

--
Regards
Carsten

Kevin Locke

unread,
Jun 16, 2021, 2:00:03 PM6/16/21
to
Comparing the log.moz_log from running thunderbird with MOZ_LOG=nsHttp:3
and MOZ_LOG_FILE=log in the environment shows
Http2Session::ConfirmTLSProfile gets version=304 from
ssl->GetSSLVersionUsed() in 78.10.0 and version=ffffffff
(nsISSLSocketControl::SSL_VERSION_UNKNOWN) in 78.11.0, which causes
Http2Session::ConfirmTLSProfile "FAILED due to lack of TLS1.2" and
INADEQUATE_SECURITY[1]:

I/nsHttp Http2Session::ConfirmTLSProfile 0x7f78dbdb7000 version=ffffffff
I/nsHttp Http2Session::ConfirmTLSProfile 0x7f78dbdb7000 FAILED due to lack of TLS1.2
I/nsHttp Http2Session::SessionError 0x7f78dbdb7000 reason=0xc mPeerGoAwayReason=0x1f
I/nsHttp Http2Session::ReadSegments 0x7f78dbdb7000 returning INADEQUATE_SECURITY 804b0052

Setting a breakpoint on SSL_GetChannelInfo revealed that it is called by
PreliminaryHandshakeDone with len = 128 by 78.10.0 and len = 136 by
78.11.0, which causes `len > sizeof inf` to fail and return SECFailure
(because `sizeof inf` is 128).

It appears that SSLChannelInfo added pskType in NSS 3.54, echAccepted
in NSS 3.60, and isFIPS in NSS 3.66. Perhaps there is a version
mismatch?

Best,
Kevin

[ConfirmTLSProfile]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/netwerk/protocol/http/Http2Session.cpp#l4194
[PreliminaryHandshakeDone]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/manager/ssl/nsNSSCallbacks.cpp#l700
[SSL_GetChannelInfo]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/nss/lib/ssl/sslinfo.c#l13
[SSLChannelInfo FF78]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/nss/lib/ssl/sslt.h#l293
[SSLChannelInfo tip]: https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ssl/sslt.h#l299

Kevin Locke

unread,
Jun 16, 2021, 4:30:03 PM6/16/21
to
On Wed, 2021-06-16 at 11:55 -0600, Kevin Locke wrote:
> Setting a breakpoint on SSL_GetChannelInfo revealed that it is called by
> PreliminaryHandshakeDone with len = 128 by 78.10.0 and len = 136 by
> 78.11.0, which causes `len > sizeof inf` to fail and return SECFailure
> (because `sizeof inf` is 128).
>
> It appears that SSLChannelInfo added pskType in NSS 3.54, echAccepted
> in NSS 3.60, and isFIPS in NSS 3.66. Perhaps there is a version
> mismatch?

After a bit more testing, I realized thunderbird 1:78.10.2-1 was built
with libnss3-dev 2:3.63-1 and thunderbird 1:78.11.0-1 was built with
libnss3-dev 2:3.66-1. I am only able to reproduce the issue with
libnss3 2:3.61-1, not libnss3 2:3.67-1 from unstable.

Cheers,
Kevin

https://buildd.debian.org/status/fetch.php?pkg=thunderbird&arch=amd64&ver=1%3A78.11.0-1&stamp=1622744401&raw=0
https://buildd.debian.org/status/fetch.php?pkg=thunderbird&arch=amd64&ver=1%3A78.10.2-1&stamp=1621535757&raw=0

Àlex

unread,
Jun 17, 2021, 6:30:03 AM6/17/21
to
El 16/6/21 a les 10:22, Carsten Schoenert ha escrit:
Thanks Carsten,

I know Thunderbird and Firefox are independent. But I am completely sure
last time this bug happened, Firefox upgrade just fix the problem, even
if it was a workarround. So maybe, when Firefox upgraded it also
upgraded a library that new version Thunderbird needed for working fine.

I don't know about Debian packages but I am going to research what
happened last time and write to the list if I found something useful.

Thanks

Carsten Schoenert

unread,
Jun 19, 2021, 4:00:03 AM6/19/21
to
Hello Mina,

Am 19.06.21 um 09:33 schrieb Mina Morcose Farage:
...
>> I've done such a rebuild of 78.11.0 together with the internal NSS
>> library and so far I don't see any TLS/SSL related issue as before.
>>
>> The packages and the debian folder can be found here
>>
>> https://people.debian.org/~tijuca/thunderbird-bullseye/
>>
> i tested your version i can confirm  it's working on testing

thanks for testing and confirming the working functionality!

--
Regards
Carsten

stephane szyller

unread,
Jun 19, 2021, 3:20:03 PM6/19/21
to

hello

Thunderbird does connect with gmail imap server with The packages and the debian folder https://people.debian.org/~tijuca/thunderbird-bullseye/
thanks a lot
Stéphane

Benjamin Bänziger

unread,
Jun 21, 2021, 1:20:03 PM6/21/21
to
Thank you!
0 new messages