Bug 1159704

Summary: Evolution 3.10.4 not able to use TLSv1 or higher (only SSLv3)
Product: Red Hat Enterprise Linux 7
Reporter: Murray McAllister <mmcallis>
Component: evolution
Assignee: Matthew Barnes <mbarnes>
Status: CLOSED DUPLICATE
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: extras-qa, fidencio, hirner, kengert, lucilanga, mbarnes, mcrha, tpopela, vdanen
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1153052
Environment:
Last Closed: 2014-11-03 08:09:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1153052
Bug Blocks:

Description Murray McAllister 2014-11-03 04:31:45 UTC
Is the below something that should be fixed in Red Hat Enterprise Linux 6 and 7 too?

+++ This bug was initially created as a clone of Bug #1153052 +++

Description of problem:
Evolution in the default configuration is not able to use TLSv1 or higher for SSL connections; it only allows SSLv3 connections.

After the Poodle attack has been discovered [https://www.openssl.org/~bodo/ssl-poodle.pdf], SSLv3 can't be considered secure anymore and TLS is *required*.

Steps to Reproduce:
1. Try to connect to a server that doesn't allow SSLv3.
2. Evolution can't connect: "Cannot communicate securely with peer: no common encryption algorithm(s)."

May be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1091544

--- Additional comment from Milan Crha on 2014-10-16 03:21:04 EDT ---

Thanks for the bug report. This patch should make it work. There is an option to enable only TLS when STARTTLS is used, but that requires (for IMAP) the STARTTLS to be supported by the IMAP server, which is not always true. I do not know how correct this change is, though. In any case, here [1] is a test package with it included. Give it a try, please.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=7879901

--- Additional comment from RH on 2014-10-16 03:50:35 EDT ---

In case it matters: In my case, I don't use STARTTLS but only SSL/TLS over a dedicated port (because our server doesn't support unencrypted IMAP at all).

However, I think that it shouldn't make a difference for SSL/TLS negotiation whether you use STARTTLS or SSL/TLS over a dedicated port.

--- Additional comment from Kai Engert (on vacation) (:kaie) on 2014-10-16 06:26:58 EDT ---

Yes, "always use SSL on a dedicated port" should mean:
"always use SSL/TLS (without starttls), but support both SSL/TLS, and prefer the most recent one"

--- Additional comment from Matthew Barnes on 2014-10-16 10:27:07 EDT ---



--- Additional comment from Milan Crha on 2014-10-16 11:28:12 EDT ---

This is a slightly more complicated version of the previous patch, which enables all SSL/TLS algorithms available in the current NSS version (for NSS 3.14+). I'm using that for the official update, which will fix error messages like:

   Could not connect to 'server:993': Cannot communicate securely with peer:
   no common encryption algorithm(s).

when a server has disabled SSLv3.
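
The version-range negotiation behind that error message, as an added example that is not part of the bug report or of evolution-data-server: it models the pre-TLS-1.3 rule with Python's `ssl.TLSVersion` values (NSS itself is not used) and shows a client context configured with a version range instead of a single pinned version, the same idea as the fix described above. The range constants are constructed for illustration.

```python
import ssl
from ssl import TLSVersion

# Constructed ranges modelling the bug: a client that offers only SSLv3
# (Evolution's old default) against a server that has SSLv3 switched off.
SSLV3_ONLY_CLIENT = (TLSVersion.SSLv3, TLSVersion.SSLv3)
RANGED_CLIENT = (TLSVersion.SSLv3, TLSVersion.TLSv1_2)
POODLE_HARDENED_SERVER = (TLSVersion.TLSv1, TLSVersion.TLSv1_2)


def server_select(client_max, server_min, server_max):
    """Pre-TLS-1.3 rule: the ClientHello carries the client's highest
    version; the server answers with the highest version it supports
    that does not exceed it, or aborts if that is below its minimum."""
    chosen = min(client_max, server_max)
    return chosen if chosen >= server_min else None


def negotiate(client_range, server_range):
    """Return the negotiated TLSVersion, or None when the two ranges
    have no common version (NSS reports this as 'Cannot communicate
    securely with peer: no common encryption algorithm(s)')."""
    client_min, client_max = client_range
    chosen = server_select(client_max, *server_range)
    if chosen is None or chosen < client_min:
        return None
    return chosen


def client_context_with_range(minimum=TLSVersion.TLSv1_2):
    """Hardened client configuration in Python's ssl module: advertise a
    range (minimum .. newest version the library supports) rather than
    pinning one protocol version, so a server that drops old versions
    can still be reached."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    ctx.maximum_version = TLSVersion.MAXIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for name, client in (("SSLv3-only client", SSLV3_ONLY_CLIENT),
                         ("ranged client", RANGED_CLIENT)):
        result = negotiate(client, POODLE_HARDENED_SERVER)
        print(f"{name}: {result.name if result else 'handshake fails'}")
```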

--- Additional comment from Fedora Update System on 2014-10-16 12:27:15 EDT ---

evolution-data-server-3.10.4-6.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/evolution-data-server-3.10.4-6.fc20

--- Additional comment from Fedora Update System on 2014-10-17 04:40:29 EDT ---

Package evolution-data-server-3.10.4-6.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing evolution-data-server-3.10.4-6.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13050/evolution-data-server-3.10.4-6.fc20
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2014-10-19 09:20:58 EDT ---

evolution-data-server-3.10.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from RH on 2014-10-19 11:14:07 EDT ---

Works for me, thanks!

Comment 2 Milan Crha 2014-11-03 08:09:26 UTC
(In reply to Murray McAllister from comment #0)
> Is the below something that should be fixed in Red Hat Enterprise Linux 6
> and 7 too?

No and yes, see below.

*** This bug has been marked as a duplicate of bug 1153723 ***