Bug 1153052 - Evolution 3.10.4 not able to use TLSv1 or higher (only SSLv3)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: evolution
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Milan Crha
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1153658
Blocks: 1159704

Reported: 2014-10-15 13:51 UTC by RH
Modified: 2014-12-03 01:00 UTC
CC: 6 users
Fixed In Version: evolution-data-server-3.8.5-7.fc19
Doc Type: Bug Fix
Clones: 1159704
Last Closed: 2014-10-19 13:20:58 UTC
Type: Bug


Attachments:
* Captured packets of handshake made by Evolution (1.13 KB, application/octet-stream), 2014-10-15 13:51 UTC, RH
* evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch (682 bytes, patch), 2014-10-16 07:21 UTC, Milan Crha
* evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch ][ (4.05 KB, patch), 2014-10-16 15:28 UTC, Milan Crha

Description RH 2014-10-15 13:51:33 UTC
Created attachment 947229
Captured packets of handshake made by Evolution

Description of problem:
Evolution in the default configuration is not able to use TLSv1 or higher for SSL connections, it only allows SSLv3 connections.

After the POODLE attack was discovered [https://www.openssl.org/~bodo/ssl-poodle.pdf], SSLv3 can't be considered secure anymore and TLS is *required*.

Steps to Reproduce:
1. Try to connect to a server that doesn't allow SSLv3.
2. Evolution can't connect: "Cannot communicate securely with peer: no common encryption algorithm(s)."

May be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1091544

Comment 1 Milan Crha 2014-10-16 07:21:04 UTC
Created attachment 947480
evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch

Thanks for the bug report. This patch should make it work. There is an option to enable only TLS when STARTTLS is used, but that requires (for IMAP) the STARTTLS to be supported by the IMAP server, which is not always true. I do not know how correct this change is, though. In any case, here [1] is a test package with it included. Give it a try, please.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=7879901

Comment 2 RH 2014-10-16 07:50:35 UTC
In case it matters: In my case, I don't use STARTTLS but only SSL/TLS over a dedicated port (because our server doesn't support unencrypted IMAP at all).

However, I think that it shouldn't make a difference for SSL/TLS negotiation whether you use STARTTLS or SSL/TLS over a dedicated port.

Comment 3 Kai Engert (:kaie) (inactive account) 2014-10-16 10:26:58 UTC
Yes, "always use SSL on a dedicated port" should mean:
"always use SSL/TLS (without starttls), but support both SSL/TLS, and prefer the most recent one"

Comment 4 Matthew Barnes 2014-10-16 14:27:07 UTC
*** Bug 1153658 has been marked as a duplicate of this bug. ***

Comment 5 Milan Crha 2014-10-16 15:28:12 UTC
Created attachment 947662
evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch ][

This is a somewhat more complicated version of the previous patch, which enables all SSL/TLS protocol versions available in the current NSS version (for NSS 3.14+). I'm using that for the official update, which will fix error messages like:

   Could not connect to 'server:993': Cannot communicate securely with peer:
   no common encryption algorithm(s).

when a server has disabled SSLv3.
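As an added illustration of the negotiation failure quoted above (example code, not from the bug report, the patch or Evolution itself): this builds a minimal ClientHello like the one in the attached capture, reads back the highest protocol version the client offers, and shows why a client pinned to SSLv3 finds no common version with a server that has disabled it. The record layout follows the SSLv3/TLS record format; the client and server version ranges are constructed assumptions for the demonstration.

```python
import struct

# TLS/SSL protocol version numbers as they appear on the wire
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_client_hello(client_version, cipher_suites=(0x002F,)):
    """Construct a minimal ClientHello record (test data, not a real capture)."""
    body = struct.pack("!H", client_version)           # highest version the client offers
    body += b"\x00" * 32                               # random: zeros, constructed sample
    body += b"\x00"                                    # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))  # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record-layer version: SSLv3 clients write 3.0; TLS clients usually write 3.1 here
    record_version = min(client_version, 0x0301)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def client_hello_version(record):
    """Return the client_version field from a TLS/SSLv3 ClientHello record."""
    if len(record) < 11:
        raise ValueError("record too short")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    return struct.unpack("!H", record[9:11])[0]


def negotiate(record, server_min, server_max):
    """Version a server limited to [server_min, server_max] would pick, or None.

    Simplification (assumption): the client accepts every version from SSLv3 up
    to its client_version, which is how an NSS range SSL3..client_version behaves.
    None corresponds to the "no common encryption algorithm(s)" failure.
    """
    offered_max = client_hello_version(record)
    chosen = min(offered_max, server_max)
    return chosen if chosen >= server_min else None


if __name__ == "__main__":
    # Server that disabled SSLv3 after POODLE: accepts TLSv1.0 .. TLSv1.2 only
    for ver in (0x0300, 0x0303):   # pre-fix client (SSLv3 only) vs fixed client
        result = negotiate(build_client_hello(ver), 0x0301, 0x0303)
        print(VERSION_NAMES[ver], "->", VERSION_NAMES.get(result, "handshake fails"))
```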

Comment 6 Fedora Update System 2014-10-16 16:27:15 UTC
evolution-data-server-3.10.4-6.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/evolution-data-server-3.10.4-6.fc20

Comment 7 Fedora Update System 2014-10-17 08:40:29 UTC
Package evolution-data-server-3.10.4-6.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing evolution-data-server-3.10.4-6.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13050/evolution-data-server-3.10.4-6.fc20
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-10-19 13:20:58 UTC
evolution-data-server-3.10.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 RH 2014-10-19 15:14:07 UTC
Works for me, thanks!

Comment 10 William Lovaton 2014-11-12 22:35:12 UTC
Hello there,

Any plan to backport this to Fedora 19?

Thanks.

Comment 11 Milan Crha 2014-11-13 05:03:49 UTC
I didn't plan to change the Fedora 19 evolution-data-server, but you are right, it makes sense to fix it there too. I'll do it.

Comment 12 Fedora Update System 2014-11-13 05:49:33 UTC
evolution-data-server-3.8.5-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/evolution-data-server-3.8.5-7.fc19

Comment 13 William Lovaton 2014-11-13 15:36:41 UTC
Great Milan, thanks a lot for your work.  I can confirm this works fine with Fedora 19.  Now I'm able to disable SSLv3 in my POP3 server:

   TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Regards,


William

Comment 14 Fedora Update System 2014-12-03 01:00:38 UTC
evolution-data-server-3.8.5-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

