(Past) S/MIME(!) encryption problem with openSUSE 42.1/42.2 + Thunderbird 52 + Enigmail <1.9.7 (openSUSE-RU-2017:1363-1)


686f6c6d
Greetings (and sorry for this really late mail),

I am not sure if this mailing list is the correct address for this,
but it affected openSUSE, and you probably know better than me if and
how to contact the Thunderbird and Enigmail developers…


TLDR: Back in May (2017-05) we noticed the following problem on
openSUSE Leap 42.1 and 42.2 with Thunderbird 52 and RPM-installed
Enigmail: E-Mail that should have been X.509-signed or -encrypted was
sent entirely unencrypted and unsigned, with Thunderbird giving no
indication that signing or encrypting had failed.


= Our setup =
- All of our laptop-using colleagues have personal X.509 certificates
on PKCS#11 USB tokens.
- Some of them also have personal GPG keys on their laptops or tokens.
- Thunderbird signs outgoing mail by default with the X.509 certificate.
- Thunderbird encrypts on demand with either X.509 (S/MIME) or GPG key
(via Enigmail).


= What happened, what was the problem? =
- If our users tried to read GPG-encrypted mail in their freshly
updated Thunderbird 52, or sign or encrypt via GPG, or even change
their Enigmail/GPG config, it failed noisily. So far, so good, this
was reported by somebody else 2 days after the release of TB52 as
BSC#1038034 (URL in timeline section below).
- If our users tried to send S/MIME-signed and/or -encrypted mail, it
was "successfully" sent without any error message, but unsigned and
unencrypted (reading mail---decrypting and verifying---worked fine).
So apparently the fact that Enigmail/GPG encryption was incompatible
with Thunderbird 52 broke the whole Thunderbird crypto, including
X.509/S-MIME, in such a horrible, invisible way. (We witnessed this on
several laptops and reproduced it with newly created Thunderbird user
profiles. Sadly, I don't have any strace because I didn't think of it
at the time, and when I did, all users had upgraded. But I assume the
problem will return in the future.)


= Timeline =
2017-05-06 Release of Thunderbird 52 on openSUSE Leap 42.1 and 42.2
2017-05-08 Bug report (not by us) that Enigmail isn't working anymore
with Thunderbird 52
(https://bugzilla.suse.com/show_bug.cgi?id=1038034, similar reports
existed for previous Thunderbird versions)
2017-05-17 EOL openSUSE Leap 42.1, didn't receive a fix.
2017-05-19 Enigmail update for 42.2 only (openSUSE-RU-2017:1363-1,
https://lists.opensuse.org/opensuse-updates/2017-05/msg00071.html)


= Who was affected? =
All of our laptop users running openSUSE 42.1 or 42.2 at that time,
- if they had installed the RPM package "enigmail",
- if they had updated to Thunderbird 52 (at or after 2017-05-06),
- if they hadn't yet updated to Enigmail 1.9.7 (at or after 2017-05-19).

(To see if you are/were affected, you should:
1. identify the timespan between installation/update of
MozillaThunderbird 52 and Enigmail 1.9.7:
    grep -i "enigmail\|thunderbird|52" /var/log/zypp/history
2. look through your Thunderbird "Sent" folder for that timespan and
see if mails that were supposed to be S/MIME-signed or -encrypted
really are signed or encrypted.)


= How to get rid of the problem? =
Users of openSUSE Leap 42.1 need(ed) to:
- remove the system package "enigmail" ("zypper rm enigmail" as root)
to avoid similar problems with future Thunderbird updates and
- if you do need GPG, install the Thunderbird Add-On of the same name
(Extras -> Add-ons -> enter "enigmail" into the search field in the
top right -> Enter) and
- upgrade to at least 42.2 as soon as possible.

Users of 42.2 need(ed) to:
- install current system package updates after 2017-05-19 ("zypper ref
-f; zypper up" as root; make sure enigmail is at least version 1.9.7)
and we recommended to our users to also:
- remove the system package "enigmail" (like above) and
- if you do need GPG, install the Thunderbird Add-On of the same name
(like above).


= How to avoid similar problems in the future? =
- Fix Thunderbird and/or Enigmail upstream to at least not break silently.
- Release openSUSE Thunderbird updates together with Enigmail updates,
or introduce a version dependency if possible (I assume it is not that
easy on the RPM package level because Enigmail probably works with
other Mail client software, too, and hence a dependency on Thunderbird
at all would be nonsensical).


Thanks for your time and for making openSUSE!

--
Kind regards
    Christopher 'm4z' Holm / 686f6c6d

"We must respect the other fellow's religion, but only in the sense
and to the extent that we respect his theory that his wife is
beautiful and his children smart." --H. L. Mencken
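
The two-step check from the "Who was affected?" section of the mail above, sketched as an added example (not part of the original mail and not openSUSE, Thunderbird or Enigmail code): it derives the exposure window from zypp history lines and lists Sent messages in that window that carry no S/MIME wrapper. The history lines, messages and function names are constructed for illustration, and the Date header is assumed to be in the same local time as the zypp log.

```python
import email
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample in the /var/log/zypp/history layout (not taken from the mail).
HISTORY = """\
2017-04-02 08:00:00|install|enigmail|1.9.6.1-2.1|x86_64|root@laptop|repo-update|0000|
2017-05-06 09:12:44|install|MozillaThunderbird|52.1.0-41.1|x86_64|root@laptop|repo-update|0000|
2017-05-19 18:30:10|install|enigmail|1.9.7-5.1|x86_64|root@laptop|repo-update|0000|
"""
# Constructed Sent-folder messages: one before, two inside, one after the window.
SENT = [email.message_from_string(h + "\n\nbody\n") for h in (
    "Date: Fri, 05 May 2017 10:00:00 +0200\nSubject: before\nContent-Type: text/plain",
    "Date: Mon, 08 May 2017 10:00:00 +0200\nSubject: silent-fail\nContent-Type: text/plain",
    'Date: Tue, 09 May 2017 10:00:00 +0200\nSubject: signed\n'
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b"',
    "Date: Sat, 20 May 2017 10:00:00 +0200\nSubject: after\nContent-Type: text/plain",
)]

def exposure_window(history):
    """Return (start, end): Thunderbird 52 install until Enigmail >= 1.9.7 (end may be None)."""
    start = end = None
    for line in history.splitlines():
        f = line.split("|")
        if line.startswith("#") or len(f) < 4 or f[1] != "install":
            continue
        when = datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S")
        version = tuple(int(n) for n in re.findall(r"\d+", f[3].split("-")[0]))
        if f[2] == "MozillaThunderbird" and version[:1] == (52,) and start is None:
            start = when
        elif f[2] == "enigmail" and version >= (1, 9, 7) and start and end is None:
            end = when
    return start, end

def is_smime(msg):
    """True if the top-level MIME type is an S/MIME signed or enveloped body."""
    ctype = msg.get_content_type()
    proto = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed":
        return proto in ("application/pkcs7-signature", "application/x-pkcs7-signature")
    return ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")

def unprotected_in_window(messages, start, end):
    """Subjects of messages dated inside the window that carry no S/MIME wrapper."""
    def inside(msg):  # Date is compared as the sender's wall-clock time (assumption)
        sent = parsedate_to_datetime(msg["Date"]).replace(tzinfo=None)
        return start <= sent and (end is None or sent < end)
    return [m["Subject"] for m in messages if inside(m) and not is_smime(m)]
```

For a real check, feed the function the contents of /var/log/zypp/history and a local mbox copy of the Sent folder opened with Python's `mailbox.mbox`; since signing was the default in the setup described, every hit is a message to review by hand.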