1273016 – improve fetchmail SSL support - cannot disable SSLv3 and _not_ disable TLSv1.1+ together

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1273016 - improve fetchmail SSL support - cannot disable SSLv3 and _not_ disable TLSv1.1+ together

Summary: improve fetchmail SSL support - cannot disable SSLv3 and _not_ disable TLSv1....

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	fetchmail
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Vitezslav Crhonek
QA Contact:	Alois Mahdal
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1288169 1400961
TreeView+	depends on / blocked

Reported:	2015-10-19 12:15 UTC by Vitezslav Crhonek
Modified:	2017-08-01 20:58 UTC (History)
CC List:	6 users (show)
Fixed In Version:	fetchmail-6.3.24-6.el7
Doc Type:	Bug Fix
Doc Text:	Cause – user wants fetchmail to avoid using insecure SSLv3 SSL protocol Consequence – user is confused because of unclear documentation and finally realizes, that it's not possible to disable SSLv3 and not to disable TLSv1.1+ at the same time Fix – latest upstream improvements of SSL protocols handling and documentation has been backported Result – SSL protocols support in fetchmail is clear and well documented now
Clone Of:	1234853
Environment:
Last Closed:	2017-08-01 20:58:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2051	0	normal	SHIPPED_LIVE	fetchmail bug fix update	2017-08-01 18:35:45 UTC

Description Vitezslav Crhonek 2015-10-19 12:15:32 UTC

+++ This bug was initially created as a clone of Bug #1234853 +++

Description of problem:

This text appears to have been incorrectly edited and is now confusing:

--sslproto <name>
              (Keyword: sslproto)
              Forces  an  SSL/TLS  protocol.  Possible  values are ’’, ’SSL2’,
              ’SSL23’, (use of these two values is discouraged and should only
              be  used  as  a  last  resort)  ’SSL3’, and ’TLS1’.  The default
              behaviour if this option is unset is:  for  connections  without
              --ssl,  use  ’TLS1’  that  fetchmail  will opportunistically try
              STARTTLS negotiation with TLS1. You can  configure  this  option
              explicitly  if the default handshake (TLS1 if --ssl is not used,
              does not work for your server.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. man fetchmail
2. /sslproto

Actual results:
as above

Expected results:
as per Fedora 22:

  --sslproto <name>
 (Keyword: sslproto)
  Forces an SSL/TLS protocol. Possible values are '', 'SSL2' (not supported on all systems), 'SSL23', (use of these two  values  is  discouraged and should only be used as a last resort) 'SSL3', and 'TLS1'. The default behaviour if this option is unset is: for connections without --ssl, use 'TLS1' so that fetchmail will opportunistically try STARTTLS negotiation with TLS1. You can configure this option explicitly if the default handshake (TLS1 if --ssl is not used) does not work for your server.


Additional info:

The words "use 'TLS1' so that" string is not very clear as some might think they have to use it, rather than "will be used" which seems to be what the author meant. If that part was omitted, would that be clearer? i.e.: The default behaviour if this option is unset is: for connections without --ssl, fetchmail will opportunistically try STARTTLS negotiation with TLS1.

Or:
for connections without --ssl, use 'TLS1'. This causes fetchmail to opportunistically try STARTTLS negotiation with TLS1.


Thank you

--- Additional comment from Tomas Mraz on 2015-07-07 04:04:55 EDT ---

Unfortunately using 'sslproto tls1' disables support for TLSv1.1 and TLSv1.2. That is a problem.

--- Additional comment from Vitezslav Crhonek on 2015-10-19 08:01 EDT ---

Fixing the man page isn't enough, see comment #1. There's no way to disable SSLv3 and not to disable TLSv1.1+ together.

I backported recent upstream changes related to SSL and updated various parts of documentation (man page, README.SSL and NEWS).

--sslproto with this patch will support:
'', auto, ssl23, ssl2, ssl3, ssl3+, tls1, tls1+, tls1.1, tls1.1+, tls1.2 and tls1.2+.

All except ssl23 are intuitive to use. (Empty value is used to disable SSL at all.) auto/ssl23 are default values, fetchmail will use TLSv1 protocol or better in that case (this means it's pretty well backwards compatible for most configurations, the only difference should be that SSLv3 is disabled by default and if it's really needed, ssl3 or ssl3+ should be passed to fetchmail in --sslproto).

--- Additional comment from Vitezslav Crhonek on 2015-10-19 08:05:52 EDT ---

Comment 5 Alois Mahdal 2017-06-16 03:20:18 UTC

The backported option is now fairly covered by /CoreOS/fetchmail/Sanity/option-sslproto (cca 70 cases: from ssl3 to tls1.2 on both server and client side, plus some corner cases).

With the new build, the test passes on all platforms.

Comment 6 errata-xmlrpc 2017-08-01 20:58:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2051

Note You need to log in before you can comment on or make changes to this bug.