1034810 – evolution fails to import calendar with 'SSL handshake failed'

Bug 1034810 - evolution fails to import calendar with 'SSL handshake failed'

Summary: evolution fails to import calendar with 'SSL handshake failed'

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	evolution
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Matthew Barnes
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-26 14:37 UTC by Mildred
Modified:	2013-12-09 16:57 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-26 20:40:47 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
GNOME Bugzilla	719381	0	None	None	None	Never

Description Mildred 2013-11-26 14:37:15 UTC

Description of problem:
When trying to add a web calendar, evolution fails with "Unable to connect to 'CALENDAR-NAME': Cannot open calendar: SSL handshake failed"

Version-Release number of selected component (if applicable): 3.10.2
How reproducible: always

Steps to Reproduce:
1. Add calendar "On the Web" with URI "https://basecamp.com/1788133/calendar_feeds/c744724.ics?token=TlpObVZzMTVrQlBBeWg4Y3JiSFpwdz09LS05Z3JCNGNVL25sczJ3QXZNZVlheTN3PT0%3D--35f00ea56760b54c23e5c8397f7191250d4e24e4-715358"

Actual results: an error is shown, a RESET TCP packet on wireshark
Expected results: no error and no events (the calendar is empty)

Comment 1 Mildred 2013-11-26 14:38:04 UTC

Might be related to https://bugzilla.gnome.org/show_bug.cgi?id=660134

Comment 2 Milan Crha 2013-11-26 20:40:47 UTC

Thanks for a bug report. It's weird, you are supposed to be asked what to do with the certificate, whether you want to ignore the SSL error or reject connection, when the server certificate looks suspicious. Nonetheless, I tried to reproduce this with your URL and I see the same issue, no prompt for a certificate.

Let's deal with this upstream, as this doesn't seem to be Fedora specific. I do not expect this being related to the old 3.2.x bug report from comment #1, thus I created a new bug for it [1]. Please see [1] for any further updates.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=719381

Comment 3 Dan Winship 2013-12-09 16:57:36 UTC

from the upstream bug:

"gnutls-cli -d 9 basecamp.com" shows:

    |<3>| EXT[0x2370310]: Parsing extension 'SUPPORTED ECC/10' (4 bytes)
    |<2>| ASSERT: ecc.c:95
    |<2>| ASSERT: gnutls_extensions.c:206
    |<2>| ASSERT: gnutls_handshake.c:1734
    |<2>| ASSERT: gnutls_handshake.c:2154
    |<2>| ASSERT: gnutls_handshake.c:1383
    |<2>| ASSERT: gnutls_handshake.c:2634
    *** Fatal error: An illegal TLS extension was received.

where:

    92    if (session->security_parameters.entity == GNUTLS_CLIENT)
    93      {
    94        /* A client shouldn't receive this extension */
    95        return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
    96      }


So, basically, basecamp.com is sending a TLS extension that is only defined for
clients, not servers, and gnutls, being anal like it is, aborts at that point.

File a bug against basecamp I guess?

You can kludge around this by running e-d-s with

    G_TLS_GNUTLS_PRIORITY="NORMAL:%COMPAT:-ECDHE-RSA"

set in the environment, which will keep e-d-s (and any other glib-tls-based
code in that environment) from negotiating elliptic-curve encryption, thus
bypassing the server bug.

Note You need to log in before you can comment on or make changes to this bug.