Bug#787505: libnss3: NSS 3.19.1 breaks icedove IMAPS to server with DH 786 temp key

Ben Caradoc-Davies ben at transient.nz
Tue Jun 2 10:45:25 UTC 2015


Package: libnss3
Version: 2:3.19-1
Severity: normal

Dear Maintainer,

Since the upgrade to NSS 3.19.1, icedove refuses to connect to an IMAPS server with
a "Server Temp Key: DH, 768 bits". Workaround is to downgrade to NSS 3.19 or
change icedove connection to unencrypted IMAP.

To protect against logjam attacks, NSS 3.19.1 refuses to connect to servers
with a finite field algorithm key strength less than 1023 bits:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes

This behaviour breaks icedove on Debian clients that need to connect to IMAPS
servers with weak server temp keys. Note that these are clients which have no
control over configuration of remote servers. Workaround is to downgrade to NSS
3.19 or change icedove connection to unencrypted IMAP.

Kind regards,
Ben.


Upgrade that caused the failure:

libnss3-1d:amd64 (3.19-1, 3.19.1-2), libnss3:amd64 (3.19-1, 3.19.1-2)


icedove error console:

Error: An error occurred during a connection to mail.example.org:993.
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange
handshake message.
(Error code: ssl_error_weak_server_ephemeral_dh_key)


Affected server openssl s_client session showing server temp key (note: icedove
manual exception added for broken certs):

$ openssl s_client -connect ub007lcs04.cbr.the-server.net.au:993
CONNECTED(00000003)
depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = localhost, emailAddress = postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = localhost, emailAddress = postmaster@example.com
verify error:num=10:certificate has expired
notAfter=Nov 18 06:02:36 2014 GMT
verify return:1
depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = localhost, emailAddress = postmaster@example.com
notAfter=Nov 18 06:02:36 2014 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
   i:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1424 bytes and written 503 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 1458FA1DBEEA2D465D47D3E2B49ED7DAE09C625E5CE84CCFFC4B0C29FFC9A7F7
    Session-ID-ctx:
    Master-Key: 3880E699567D8B9A2D59BB2809A4D97AA2F88264543B130C47B245BE292D3AE2873D002C06F2155EE5C1A9FA5E7D77AA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a4 50 46 e6 9e ce 75 4d-33 7e 60 af 50 21 bf 50   .PF...uM3~`.P!.P
    0010 - 62 07 ac f1 1d 55 f0 7a-d2 ce 24 1b 81 06 f1 dc   b....U.z..$.....
    0020 - d3 f4 99 4d 6c 9a 78 36-87 a2 a5 0c 86 48 0c 91   ...Ml.x6.....H..
    0030 - 0f e6 c2 8f 02 ae 4e d8-14 0a a7 e3 18 17 15 e7   ......N.........
    0040 - fa 67 22 65 7f 5c 53 97-8e a1 c4 05 2a 56 d1 2f   .g"e.\S.....*V./
    0050 - 03 b4 e2 78 1b d7 94 60-13 48 71 32 3e b9 2d 49   ...x...`.Hq2>.-I
    0060 - 74 57 08 c9 0c 3c b1 90-3d b2 93 d2 7a 1f f8 ee   tW...<..=...z...
    0070 - 7a 9d 4e de 23 7a b7 6b-6b 9d 2a ce bc 98 53 e6   z.N.#z.kk.*...S.
    0080 - 6c aa d5 99 94 ef b4 0e-ab 2d 8b 6b 1b eb cd bc   l........-.k....
    0090 - 52 57 67 49 dd bd 2a 8a-da 21 7c be ba 61 7f bc   RWgI..*..!|..a..

    Start Time: 1433239095
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.
DONE



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss3 depends on:
ii  libc6         2.19-18
ii  libnspr4      2:4.10.8-2
ii  libsqlite3-0  3.8.10.2-1
ii  zlib1g        1:1.2.8.dfsg-2+b1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information
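The report pins the failure to one fact visible in the `openssl s_client` session: the server's ephemeral DH key is 768 bits, below the 1023-bit minimum NSS 3.19.1 enforces against Logjam-style downgrades. The following script is an added example, not code from the report, from NSS or from OpenSSL. It parses captured `s_client` output for the `Server Temp Key`, `Server public key` and `Cipher` lines and reports whether an NSS 3.19.1 client would complete the handshake, so a mail administrator can triage "icedove stopped connecting" reports against their own servers before touching client configuration. The threshold and error name come from the report; the regexes, the `HandshakeSummary` structure and the `nss_3191_verdict` function are this example's own. The first sample session is the fragment from the report; the 2048-bit DH, ECDHE and static-RSA sessions are constructed to show the other outcomes (the restriction applies to finite-field DH only, so ECDHE and non-ephemeral suites pass).

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Threshold from the NSS 3.19.1 release notes cited in the report: finite-field
# DH server temp keys shorter than this are rejected by the client.
NSS_MIN_FFDH_BITS = 1023
# Error name icedove's error console shows when that check fires (from the report).
NSS_WEAK_DH_ERROR = "ssl_error_weak_server_ephemeral_dh_key"

# Matches "Server Temp Key: DH, 768 bits" and "Server Temp Key: ECDH, P-256, 256 bits".
_TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<kind>[A-Za-z0-9]+)"
    r"(?:,\s*(?P<curve>[^,\n]+?))?,\s*(?P<bits>\d+) bits?\s*$",
    re.MULTILINE,
)
_PUB_KEY_RE = re.compile(r"^Server public key is (?P<bits>\d+) bits?", re.MULTILINE)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(?P<cipher>\S+)", re.MULTILINE)


@dataclass
class HandshakeSummary:
    cipher: Optional[str]
    server_key_bits: Optional[int]   # size of the certificate's public key
    temp_key_kind: Optional[str]     # "DH", "ECDH", "X25519", ...; None for a static key exchange
    temp_key_curve: Optional[str]    # named curve for ECDH, None for finite-field DH
    temp_key_bits: Optional[int]


def parse_s_client(output: str) -> HandshakeSummary:
    """Pull the key-exchange facts out of captured `openssl s_client` output."""
    m = _TEMP_KEY_RE.search(output)
    c = _CIPHER_RE.search(output)
    p = _PUB_KEY_RE.search(output)
    return HandshakeSummary(
        cipher=c.group("cipher") if c else None,
        server_key_bits=int(p.group("bits")) if p else None,
        temp_key_kind=m.group("kind") if m else None,
        temp_key_curve=m.group("curve") if m else None,
        temp_key_bits=int(m.group("bits")) if m else None,
    )


def nss_3191_verdict(s: HandshakeSummary) -> Tuple[bool, str]:
    """Would an NSS 3.19.1 client (icedove after the upgrade) complete this handshake?"""
    if s.temp_key_kind is None:
        return True, "no ephemeral key in the handshake; the DH minimum does not apply"
    if s.temp_key_kind.upper() != "DH":
        return True, f"ephemeral {s.temp_key_kind} key; the finite-field DH minimum does not apply"
    if s.temp_key_bits < NSS_MIN_FFDH_BITS:
        return False, (f"{s.temp_key_bits}-bit DH temp key is below {NSS_MIN_FFDH_BITS} bits: "
                       f"{NSS_WEAK_DH_ERROR}")
    return True, f"{s.temp_key_bits}-bit DH temp key meets the {NSS_MIN_FFDH_BITS}-bit minimum"


# Fragment of the s_client session shown in the report (768-bit DH, Courier-IMAP).
SESSION_768_DH = """\
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1424 bytes and written 503 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""

# Constructed sessions (not from the report) covering the other outcomes.
SESSION_2048_DH = SESSION_768_DH.replace("DH, 768 bits", "DH, 2048 bits")
SESSION_ECDHE = """\
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SESSION_STATIC_RSA = """\
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
"""

if __name__ == "__main__":
    for name, session in [("report (768-bit DH)", SESSION_768_DH),
                          ("2048-bit DH", SESSION_2048_DH),
                          ("ECDHE P-256", SESSION_ECDHE),
                          ("static RSA", SESSION_STATIC_RSA)]:
        summary = parse_s_client(session)
        ok, reason = nss_3191_verdict(summary)
        print(f"{name:20s} cipher={summary.cipher}  {'OK' if ok else 'REJECTED'}: {reason}")
```

To use it against a live server, capture the session with `openssl s_client -connect host:993 </dev/null` and feed the text to `parse_s_client`. When the verdict is a rejection, the remedy belongs on the server: regenerate its DH parameters at 2048 bits or larger, or enable ECDHE suites, rather than asking clients to downgrade NSS or fall back to unencrypted IMAP.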
