Bug 1153052
Summary: | Evolution 3.10.4 not able to use TLSv1 or higher (only SSLv3) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | RH <hirner> |
Component: | evolution | Assignee: | Milan Crha <mcrha> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Priority: | unspecified |
Version: | 20 | CC: | kengert, lucilanga, mbarnes, mcrha, tpopela, williama_lovaton |
Hardware: | Unspecified | OS: | Unspecified |
Fixed In Version: | evolution-data-server-3.8.5-7.fc19 | Doc Type: | Bug Fix |
: | 1159704 | | |
Last Closed: | 2014-10-19 13:20:58 UTC | Type: | Bug |
Bug Blocks: | 1159704 | | |
Description
RH
2014-10-15 13:51:33 UTC
Created attachment 947480
evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch

Thanks for a bug report. This patch should make it work. There is an option to enable only TLS, when STARTTLS is used, but that requires (for IMAP) to have the STARTTLS supported by the IMAP server, which is not always true. I do not know how correct this change is, though. In any case, here [1] is a test package with it included. Give it a try, please.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=7879901

In case it matters: In my case, I don't use STARTTLS but only SSL/TLS over a dedicated port (because our server doesn't support unencrypted IMAP at all). However, I think that it shouldn't make a difference for SSL/TLS negotiation whether you use STARTTLS or SSL/TLS over a dedicated port.

Yes, "always use SSL on a dedicated port" should mean: "always use SSL/TLS (without starttls), but support both SSL/TLS, and prefer the most recent one"

*** Bug 1153658 has been marked as a duplicate of this bug. ***

Created attachment 947662
evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch ][
This is a bit more complicated version of the previous patch, which enables all available SSL/TLS algorithms available in the current NSS version (for NSS 3.14+). I'm using that for the official update, which will fix error message like:
Could not connect to 'server:993': Cannot communicate securely with peer:
no common encryption algorithm(s).
when a server has disabled SSLv3.
evolution-data-server-3.10.4-6.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/evolution-data-server-3.10.4-6.fc20

Package evolution-data-server-3.10.4-6.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing evolution-data-server-3.10.4-6.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13050/evolution-data-server-3.10.4-6.fc20
then log in and leave karma (feedback).

evolution-data-server-3.10.4-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Works for me, thanks!

Hello there,

Any plan to backport this to Fedora 19?

Thanks.

I didn't plan to change the Fedora 19 evolution-data-server, but you are right, it makes sense to fix it there too. I'll do it.

evolution-data-server-3.8.5-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/evolution-data-server-3.8.5-7.fc19

Great Milan, thanks a lot for your work. I can confirm this works fine with Fedora 19. Now I'm able to disable SSLv3 in my POP3 server:

TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Regards,
William

evolution-data-server-3.8.5-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
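
An added example, not part of the bug report or the attached patches: before disabling SSLv3 on a mail server, an administrator can read the legacy client_version field of a captured ClientHello to see which clients would fail the way Evolution did here. The function names and the sample records are constructed for illustration; SSLv2-format hellos and the TLS 1.3 supported_versions extension are not handled.

```python
import struct

# Protocol version numbers as they appear on the wire.
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def client_hello_version(record: bytes) -> int:
    """Return client_version (the highest version offered) from a ClientHello record."""
    if len(record) < 11:
        raise ValueError("truncated record")
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    # Minimum body: client_version (2) + random (32) + session_id length (1).
    if hs_len < 35 or rec_len < hs_len + 4 or len(record) < 5 + rec_len:
        raise ValueError("malformed ClientHello lengths")
    return struct.unpack("!H", record[9:11])[0]


def handshake_outcome(record: bytes, server_min: int, server_max: int) -> str:
    """Predict the result for a server that accepts versions server_min..server_max."""
    offered = client_hello_version(record)
    if offered < server_min:
        return "fail: client tops out at %s, server requires %s or newer" % (
            NAMES.get(offered, hex(offered)), NAMES.get(server_min, hex(server_min)))
    chosen = min(offered, server_max)
    return "ok: " + NAMES.get(chosen, hex(chosen))


def sample_client_hello(client_version: int) -> bytes:
    """Constructed ClientHello: zeroed random, no session id, one cipher suite."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2) + b"\x00\x2f"  # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                         # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0300, len(handshake)) + handshake


if __name__ == "__main__":
    # Server with SSLv3 disabled: accepts TLSv1.0 through TLSv1.2.
    for label, version in (("SSLv3-only client", 0x0300),
                           ("client offering TLSv1.2", 0x0303)):
        hello = sample_client_hello(version)
        print(label, "->", handshake_outcome(hello, 0x0301, 0x0303))
```
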