Bug 1153658
| Summary: | Fix Camel to always try TLSv1 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matthew Barnes <mbarnes> |
| Component: | evolution-data-server | Assignee: | Milan Crha <mcrha> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | mbarnes, mcrha |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Last Closed: | 2014-10-16 14:27:07 UTC | Type: | Bug |
Milan already has a patch for this in bug 1153052.

*** This bug has been marked as a duplicate of bug 1153052 ***
This colossal brain fart in camel-network-service.c is my own doing:

```c
switch (method) {
    case CAMEL_NETWORK_SECURITY_METHOD_NONE:
        stream = camel_tcp_stream_raw_new ();
        break;

    case CAMEL_NETWORK_SECURITY_METHOD_STARTTLS_ON_STANDARD_PORT:
        stream = camel_tcp_stream_ssl_new_raw (
            session, host,
            CAMEL_TCP_STREAM_SSL_ENABLE_TLS);
        break;

    case CAMEL_NETWORK_SECURITY_METHOD_SSL_ON_ALTERNATE_PORT:
        stream = camel_tcp_stream_ssl_new (
            session, host,
            CAMEL_TCP_STREAM_SSL_ENABLE_SSL2 |
            CAMEL_TCP_STREAM_SSL_ENABLE_SSL3);
        break;

    default:
        g_return_val_if_reached (NULL);
}
```

The middle two cases in the switch statement should be passing the same set of flags, and should include at least CAMEL_TCP_STREAM_SSL_ENABLE_TLS.

The recent POODLE security vulnerability effectively kills SSLv3, and so a lot of services are switching it off. This leaves some Evolution users using "IMAPS" or "POPS" services (the SSL_ON_ALTERNATE_PORT case) with a non-working mailer.

This is already fixed in version 3.12 because Camel started using GTlsConnection, and the SSL/TLS negotiation is handled by glib-networking. But still worth a backport to Fedora 20 and possibly RHEL 7.0.
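The effect of the protocol masks in the switch statement quoted in the report, as an added example in C that is not code from Camel or from the reporter. It models negotiation as "highest protocol enabled on both sides"; the flag bit values, the `negotiate` helper and the TLS-only corrected mask are assumptions, since the report only says both cases should pass the same flags, including at least CAMEL_TCP_STREAM_SSL_ENABLE_TLS.

```c
#include <stdio.h>

/* Stand-ins for the CAMEL_TCP_STREAM_SSL_ENABLE_* flags; bit values are constructed. */
enum { ENABLE_SSL2 = 1 << 0, ENABLE_SSL3 = 1 << 1, ENABLE_TLS = 1 << 2 };

/* Stand-ins for the CAMEL_NETWORK_SECURITY_METHOD_* cases in the switch. */
typedef enum { METHOD_NONE, METHOD_STARTTLS, METHOD_SSL_ALT_PORT } method_t;

/* Masks as passed by the switch statement quoted in the report. */
unsigned flags_reported(method_t m)
{
    switch (m) {
    case METHOD_STARTTLS:     return ENABLE_TLS;
    case METHOD_SSL_ALT_PORT: return ENABLE_SSL2 | ENABLE_SSL3;
    default:                  return 0;
    }
}

/* Assumed correction: both encrypted cases pass the same mask, TLS only. */
unsigned flags_corrected(method_t m)
{
    return (m == METHOD_NONE) ? 0 : ENABLE_TLS;
}

/* Simplified model: highest protocol enabled on both sides, 0 if none. */
unsigned negotiate(unsigned client, unsigned server)
{
    unsigned common = client & server, bit;
    for (bit = ENABLE_TLS; bit != 0; bit >>= 1)
        if (common & bit)
            return bit;
    return 0;
}

int main(void)
{
    /* Indexed by the negotiated bit: 0, 1, 2 or 4. */
    static const char *name[] = { "handshake fails", "SSLv2", "SSLv3", "", "TLSv1" };
    unsigned tls_only = ENABLE_TLS;              /* server with SSLv3 switched off */
    unsigned legacy = ENABLE_SSL3 | ENABLE_TLS;  /* server still offering SSLv3 */
    method_t m = METHOD_SSL_ALT_PORT;            /* the "IMAPS"/"POPS" case */

    printf("reported,  TLS-only server: %s\n", name[negotiate(flags_reported(m), tls_only)]);
    printf("reported,  legacy server:   %s\n", name[negotiate(flags_reported(m), legacy)]);
    printf("corrected, TLS-only server: %s\n", name[negotiate(flags_corrected(m), tls_only)]);
    return 0;
}
```

The second line of output is the quieter half of the problem: against a server that still offers SSLv3, the reported mask connects, but only over SSLv3.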