Bug 1273016 - improve fetchmail SSL support - cannot disable SSLv3 and _not_ disable TLSv1.1+ together
improve fetchmail SSL support - cannot disable SSLv3 and _not_ disable TLSv1....
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: fetchmail (Show other bugs)
7.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Vitezslav Crhonek
Alois Mahdal
:
Depends On:
Blocks: 1288169 1400961
  Show dependency treegraph
 
Reported: 2015-10-19 08:15 EDT by Vitezslav Crhonek
Modified: 2017-08-01 16:58 EDT (History)
6 users (show)

See Also:
Fixed In Version: fetchmail-6.3.24-6.el7
Doc Type: Bug Fix
Doc Text:
Cause – user wants fetchmail to avoid using insecure SSLv3 SSL protocol Consequence – user is confused because of unclear documentation and finally realizes, that it's not possible to disable SSLv3 and not to disable TLSv1.1+ at the same time Fix – latest upstream improvements of SSL protocols handling and documentation has been backported Result – SSL protocols support in fetchmail is clear and well documented now
Story Points: ---
Clone Of: 1234853
Environment:
Last Closed: 2017-08-01 16:58:46 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vitezslav Crhonek 2015-10-19 08:15:32 EDT
+++ This bug was initially created as a clone of Bug #1234853 +++

Description of problem:

This text appears to have been incorrectly edited and is now confusing:

--sslproto <name>
              (Keyword: sslproto)
              Forces  an  SSL/TLS  protocol.  Possible  values are ’’, ’SSL2’,
              ’SSL23’, (use of these two values is discouraged and should only
              be  used  as  a  last  resort)  ’SSL3’, and ’TLS1’.  The default
              behaviour if this option is unset is:  for  connections  without
              --ssl,  use  ’TLS1’  that  fetchmail  will opportunistically try
              STARTTLS negotiation with TLS1. You can  configure  this  option
              explicitly  if the default handshake (TLS1 if --ssl is not used,
              does not work for your server.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. man fetchmail
2. /sslproto

Actual results:
as above

Expected results:
as per Fedora 22:

  --sslproto <name>
 (Keyword: sslproto)
  Forces an SSL/TLS protocol. Possible values are '', 'SSL2' (not supported on all systems), 'SSL23', (use of these two  values  is  discouraged and should only be used as a last resort) 'SSL3', and 'TLS1'. The default behaviour if this option is unset is: for connections without --ssl, use 'TLS1' so that fetchmail will opportunistically try STARTTLS negotiation with TLS1. You can configure this option explicitly if the default handshake (TLS1 if --ssl is not used) does not work for your server.


Additional info:

The words "use 'TLS1' so that" string is not very clear as some might think they have to use it, rather than "will be used" which seems to be what the author meant. If that part was omitted, would that be clearer? i.e.: The default behaviour if this option is unset is: for connections without --ssl, fetchmail will opportunistically try STARTTLS negotiation with TLS1.

Or:
for connections without --ssl, use 'TLS1'. This causes fetchmail to opportunistically try STARTTLS negotiation with TLS1.


Thank you

--- Additional comment from Tomas Mraz on 2015-07-07 04:04:55 EDT ---

Unfortunately using 'sslproto tls1' disables support for TLSv1.1 and TLSv1.2. That is a problem.

--- Additional comment from Vitezslav Crhonek on 2015-10-19 08:01 EDT ---

Fixing the man page isn't enough, see comment #1. There's no way to disable SSLv3 and not to disable TLSv1.1+ together.

I backported recent upstream changes related to SSL and updated various parts of documentation (man page, README.SSL and NEWS).

--sslproto with this patch will support:
'', auto, ssl23, ssl2, ssl3, ssl3+, tls1, tls1+, tls1.1, tls1.1+, tls1.2 and tls1.2+.

All except ssl23 are intuitive to use. (Empty value is used to disable SSL at all.) auto/ssl23 are default values, fetchmail will use TLSv1 protocol or better in that case (this means it's pretty well backwards compatible for most configurations, the only difference should be that SSLv3 is disabled by default and if it's really needed, ssl3 or ssl3+ should be passed to fetchmail in --sslproto).

--- Additional comment from Vitezslav Crhonek on 2015-10-19 08:05:52 EDT ---
Comment 5 Alois Mahdal 2017-06-15 23:20:18 EDT
The backported option is now fairly covered by /CoreOS/fetchmail/Sanity/option-sslproto (cca 70 cases: from ssl3 to tls1.2 on both server and client side, plus some corner cases).

With the new build, the test passes on all platforms.
Comment 6 errata-xmlrpc 2017-08-01 16:58:46 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2051

Note You need to log in before you can comment on or make changes to this bug.