CentOS Bug Tracker - CentOS-6
View Issue Details
0009050CentOS-6nsspublic2015-07-11 02:112015-07-27 16:41
Reporterskupsy 
PrioritynormalSeveritymajorReproducibilityalways
StatusresolvedResolutionno change required 
PlatformOSOS Version
Product Version6.6 
Target VersionFixed in Version 
Summary0009050: Recent upgrade of NSS disrupts Thunderbird functionality
DescriptionAfter NSS (and util/tools) update to nss 3.19 (package nss.x86_64 0:3.19.1-3.el6_6)
Thunderbird became unable to connect to an SMTP server using STARTTLS.
Reverting to nss 3.18 (package nss.x86_64 0:3.18.0-5.3.el6_6) solved the problem.

I suspect some kind of interaction w openssl; several applications exibit strange behaviors (strongswan, sshd, apache, ecc.) and fail secure connections

Back to Thunderbird issue, on server side (sendmail) I get the message:
STARTTLS=server: 17951:error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:s3_pkt.c:1472:SSL alert number 47
(and obviously the server config is ok and works fine with older nss on the client)
Steps To Reproduceyum update nss nss-util nss-tools nss-sysinit
(now Thunderbird cannot send messages using SMTP STARTTLS)

to revert:
yum downgrade nss nss-util nss-tools nss-sysinit
(now all is ok again)

TagsNo tags attached.
Attached Files

Notes
(0023609)
skupsy   
2015-07-11 10:57   
> several applications exibit strange behaviors (strongswan, sshd, apache, ecc.) and fail secure connections

my mistake, these issues are not related to the nss problem, the rest stands.

This morning I successfully replicated the problem on a plain-vanilla CentOS6.6 installation; nss downgrade solves the issue.
(0023679)
skupsy   
2015-07-21 12:00   
the recent upgrade of Thunderbird to 31.8.0-1 doesn't solve the issue
(0023690)
skupsy   
2015-07-22 14:48   
It came out it wasn't a bug: the new NSS library blocks connections to servers w insecure or weak ciphers (in my case DH).
Switching to a more updated mail server solves the issue.

Issue History
2015-07-11 02:11skupsyNew Issue
2015-07-11 10:57skupsyNote Added: 0023609
2015-07-21 12:00skupsyNote Added: 0023679
2015-07-22 14:48skupsyNote Added: 0023690
2015-07-27 16:41JohnnyHughesStatusnew => resolved
2015-07-27 16:41JohnnyHughesResolutionopen => no change required