Created attachment 947229: Captured packets of handshake made by Evolution

Description of problem:
Evolution in the default configuration is not able to use TLSv1 or higher for SSL connections, it only allows SSLv3 connections. After the Poodle attack has been discovered [https://www.openssl.org/~bodo/ssl-poodle.pdf], SSLv3 can't be considered secure anymore and TLS is *required*.

Steps to Reproduce:
1. Try to connect to a server that doesn't allow SSLv3.
2. Evolution can't connect: "Cannot communicate securely with peer: no common encryption algorithm(s)."

May be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1091544
Created attachment 947480: evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch

Thanks for the bug report. This patch should make it work. There is an option to enable only TLS when STARTTLS is used, but that requires (for IMAP) the STARTTLS to be supported by the IMAP server, which is not always true. I do not know how correct this change is, though. In any case, here [1] is a test package with it included. Give it a try, please.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=7879901
In case it matters: in my case, I don't use STARTTLS but only SSL/TLS over a dedicated port (because our server doesn't support unencrypted IMAP at all). However, I think that it shouldn't make a difference for SSL/TLS negotiation whether you use STARTTLS or SSL/TLS over a dedicated port.
Yes, "always use SSL on a dedicated port" should mean: "always use SSL/TLS (without STARTTLS), but support both SSL/TLS, and prefer the most recent one".
*** Bug 1153658 has been marked as a duplicate of this bug. ***
Created attachment 947662: evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch

This is a bit more complicated version of the previous patch, which enables all SSL/TLS algorithms available in the current NSS version (for NSS 3.14+). I'm using that for the official update, which will fix error messages like:

Could not connect to 'server:993': Cannot communicate securely with peer: no common encryption algorithm(s).

when a server has disabled SSLv3.
evolution-data-server-3.10.4-6.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/evolution-data-server-3.10.4-6.fc20
Package evolution-data-server-3.10.4-6.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing evolution-data-server-3.10.4-6.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13050/evolution-data-server-3.10.4-6.fc20
then log in and leave karma (feedback).
evolution-data-server-3.10.4-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Works for me, thanks!
Hello there, any plan to backport this to Fedora 19? Thanks.
I didn't plan to change the Fedora 19 evolution-data-server, but you are right, it makes sense to fix it there too. I'll do it.
evolution-data-server-3.8.5-7.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/evolution-data-server-3.8.5-7.fc19
Great Milan, thanks a lot for your work. I can confirm this works fine with Fedora 19. Now I'm able to disable SSLv3 in my POP3 server:

TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Regards,
William
evolution-data-server-3.8.5-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.