Re-enabling SSL 3.0 support in Thunderbird after RHSA-2014:1924


After applying the security update RHSA-2014:1924, Thunderbird may stop fetching mail from certain mail servers, or saving drafts of mail messages may fail. This happens if the mail servers support only the insecure SSL 3.0 protocol. Re-enabling SSL 3.0 support in Thunderbird will allow users to continue to connect with these mail servers.

There are two ways to resolve this issue, one applying to an individual user, and one system-wide.

User-specific configuration

The following steps have to be applied for each user who needs to connect to mail servers that support only SSL 3.0.

  1. Start Thunderbird.
  2. Open the advanced configuration editor:

    • If using the classic menu, in the “Edit” menu, choose “Preferences…”, and select the “Advanced” tab in the dialog. Click on “Config Editor…”.

    • If using the new design, click on the three horizontal bars in the upper left corner of the Thunderbird window, and click on “Preferences” (either the top-level menu entry, or the entry in the submenu).

  3. If a warning message is shown, acknowledge it. (Making the changes described below does not invalidate support coverage.)

  4. You should now see the about:config window. Enter “security.tls” in the “Search” field. Among other entries, the item “security.tls.version.min” will appear. Double-click on this entry.
  5. A dialog box, “Enter integer value” will appear. Replace the value “1” in the input field with “0”, and click on “OK”. The configuration setting should look as shown in the picture below.
    [Image: Thunderbird TLS settings]
  6. Close the about:config window and the preferences dialog.
  7. Make sure that you can connect to the mail server and fetch new mail. (It may be necessary to restart Thunderbird.)

System-wide configuration

These settings will change the defaults for all users on the system to which they are applied.

  1. Log in as root.
  2. Open the text file /usr/lib64/thunderbird/defaults/pref/all.js with a text editor such as vim. This file is not part of the Thunderbird package; you may have to create it.
  3. Add this line to the file at the end:

    pref("security.tls.version.min", 0);
    
  4. Save the file, and log out.

  5. Repeat steps 2 to 4 for the file /usr/lib/thunderbird/defaults/pref/all.js if the system uses a 32-bit version of Thunderbird.
  6. As a user on the same system, log in, (re)start Thunderbird, and check that the mail server that supports only SSL 3.0 can be accessed.

Note that these changes only set the default. If users changed the same preference settings using the “about:config” dialog, their changes override the “all.js” setting.

It is possible to deploy the “all.js” file using a configuration management tool such as Puppet.
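
Because a per-user about:config value overrides “all.js”, the system-wide file alone does not show which accounts still permit SSL 3.0. The shell script below is an added example, not part of the original article or of any Red Hat tooling; it assumes profiles are stored as ~/.thunderbird/<profile>/prefs.js and that the default after the update is 1, and its function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's code): report which Thunderbird profiles
# effectively allow SSL 3.0, i.e. security.tls.version.min resolves to 0.

# Print the value a prefs file sets for security.tls.version.min.
# Matches pref(...) in all.js and user_pref(...) in prefs.js; the last
# matching line wins. Prints nothing if the file is missing or silent.
tls_min_in_file() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*\(user_\)\{0,1\}pref("security\.tls\.version\.min",[[:space:]]*\([0-9][0-9]*\));.*$/\2/p' "$1" | tail -n 1
}

# Effective value for one profile: a per-user setting overrides all.js.
# Assumption: with neither set, the post-update default is 1 (the value
# the article tells users to replace).
effective_tls_min() {   # $1 = all.js, $2 = profile prefs.js
    user=$(tls_min_in_file "$2")
    sys=$(tls_min_in_file "$1")
    if [ -n "$user" ]; then echo "$user"
    elif [ -n "$sys" ]; then echo "$sys"
    else echo 1
    fi
}

# Walk every profile under a home root and flag those allowing SSL 3.0.
audit_profiles() {      # $1 = all.js, $2 = home root (e.g. /home)
    for prefs in "$2"/*/.thunderbird/*/prefs.js; do
        [ -f "$prefs" ] || continue
        if [ "$(effective_tls_min "$1" "$prefs")" -eq 0 ]; then
            echo "SSL3-ALLOWED $prefs"
        else
            echo "ok $prefs"
        fi
    done
}

# Constructed sample tree: all.js re-enables SSL 3.0, alice inherits it,
# bob has set the preference back to 1 through about:config.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice/.thunderbird/a.default" "$t/home/bob/.thunderbird/b.default"
    echo 'pref("security.tls.version.min", 0);' > "$t/all.js"
    echo 'user_pref("example.constructed.pref", false);' > "$t/home/alice/.thunderbird/a.default/prefs.js"
    echo 'user_pref("security.tls.version.min", 1);' > "$t/home/bob/.thunderbird/b.default/prefs.js"
    audit_profiles "$t/all.js" "$t/home"
    rm -rf "$t"
}
demo
```

On a real system, call `audit_profiles` with the “all.js” path from the steps above and the directory that holds the users' home directories, and use the flagged profiles as the list to revert once the mail server supports TLS.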
