Package: release.debian.org Severity: normal Tags: wheezy User: release.debian....@packages.debian.org Usertags: pu
Hi, evolution-data-server in wheezy doesn't enable the TLS protocol versions (TLSv1 and newer) when connecting securely to IMAP servers: the SSL stream in camel-network-service.c is created with only the SSLv2 and SSLv3 flags, so the NSS error below is about protocol versions, not cipher suites. This means that when servers disable SSLv3 due to POODLE, users are unable to connect in evolution, receiving a message like "Could not connect to 'server:993': Cannot communicate securely with peer: no common encryption algorithm(s)". Some links: Debian bug. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765838 Ubuntu bug in which the same (modulo wrangling the patch to apply on 3.4.4) fix was issued. https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1382133 Upstream mail providing the patch + details. https://mail.gnome.org/archives/evolution-list/2014-October/msg00113.html Redhat bug fixing the issue in Fedora. https://bugzilla.redhat.com/show_bug.cgi?id=1153052 I'd like to upload the attached diff to wheezy to fix the issue. Cheers, -- Iain Lane [ i...@orangesquash.org.uk ] Debian Developer [ la...@debian.org ] Ubuntu Developer [ la...@ubuntu.com ]
diff -Nru evolution-data-server-3.4.4/debian/changelog evolution-data-server-3.4.4/debian/changelog
--- evolution-data-server-3.4.4/debian/changelog 2013-02-10 18:16:56.000000000 +0000
+++ evolution-data-server-3.4.4/debian/changelog 2014-11-02 17:13:18.000000000 +0000
@@ -1,3 +1,10 @@
+evolution-data-server (3.4.4-3+deb7u1) UNRELEASED; urgency=medium
+
+ * debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch:
+ Enable all SSL/TLS versions supported by NSS (Closes: #765838)
+
+ -- Iain Lane <la...@debian.org> Sun, 02 Nov 2014 16:48:55 +0000
+
 evolution-data-server (3.4.4-3) unstable; urgency=low
 * 04_mbox_index.patch: patch from upstream git. Correctly display
diff -Nru evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch
--- evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch 1970-01-01 01:00:00.000000000 +0100
+++ evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch 2014-11-02 17:13:34.000000000 +0000
@@ -0,0 +1,107 @@
+Description: Enable all SSL/TLS versions supported by NSS
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/evolution-data-server.git/tree/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch?h=f20
+Author: Milan Crha <mc...@redhat.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1382133
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765838
+
+--- a/camel/camel-network-service.c
++++ b/camel/camel-network-service.c
+@@ -87,7 +87,8 @@
+ stream = camel_tcp_stream_ssl_new (
+ session, host,
+ CAMEL_TCP_STREAM_SSL_ENABLE_SSL2 |
+- CAMEL_TCP_STREAM_SSL_ENABLE_SSL3);
++ CAMEL_TCP_STREAM_SSL_ENABLE_SSL3 |
++ CAMEL_TCP_STREAM_SSL_ENABLE_TLS);
+ break;
+ 
+ default:
+--- a/camel/camel-tcp-stream-ssl.c
++++ b/camel/camel-tcp-stream-ssl.c
+@@ -43,6 +43,8 @@
+ #include <sslerr.h>
+ #include "nss.h" /* Don't use <> here or it will include the system nss.h instead */
+ #include <ssl.h>
++#include <sslt.h>
++#include <sslproto.h>
+ #include <cert.h>
+ #include <certdb.h>
+ #include <pk11func.h>
+@@ -662,6 +664,9 @@
+ PRFileDesc *fd)
+ {
+ PRFileDesc *ssl_fd;
++#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
++ SSLVersionRange versionStreamSup, versionStream;
++#endif
+ 
+ g_assert (fd != NULL);
+ 
+@@ -679,6 +684,7 @@
+ SSL_OptionSet (ssl_fd, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
+ }
+ 
++#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
+ SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL3, PR_TRUE);
+ else
+@@ -689,6 +695,29 @@
+ else
+ SSL_OptionSet (ssl_fd, SSL_ENABLE_TLS, PR_FALSE);
+ 
++#else
++ SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStreamSup);
++
++ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
++ versionStream.min = SSL_LIBRARY_VERSION_3_0;
++ else
++ versionStream.min = SSL_LIBRARY_VERSION_TLS_1_0;
++
++ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_TLS)
++ versionStream.max = 
versionStreamSup.max;
++ else
++ versionStream.max = SSL_LIBRARY_VERSION_3_0;
++
++ if (versionStream.max < versionStream.min) {
++ PRUint16 tmp;
++
++ tmp = versionStream.max;
++ versionStream.max = versionStream.min;
++ versionStream.min = tmp;
++ }
++
++ SSL_VersionRangeSet (ssl_fd, &versionStream);
++#endif
+ SSL_SetURL (ssl_fd, ssl->priv->expected_host);
+ 
+ /* NSS provides a default implementation for the SSL_GetClientAuthDataHook callback
+--- a/camel/camel.c
++++ b/camel/camel.c
+@@ -99,6 +99,9 @@
+ gchar *nss_sql_configdir = NULL;
+ SECStatus status = SECFailure;
+ PRUint16 indx;
++#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
++ SSLVersionRange versionStream;
++#endif
+ 
+ if (nss_initlock == NULL) {
+ PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
+@@ -189,9 +192,15 @@
+ }
+ 
+ SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
+- SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
+- SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
+ SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
++#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
++ SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
++ SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE); /* Enable TLSv1.0 */
++#else
++ /* Enable all SSL/TLS versions supported by NSS (this API is for SSLv3 and newer). */
++ SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStream);
++ SSL_VersionRangeSetDefault (ssl_variant_stream, &versionStream);
++#endif
+ 
+ g_free (nss_configdir);
+ g_free (nss_sql_configdir);
diff -Nru evolution-data-server-3.4.4/debian/patches/series evolution-data-server-3.4.4/debian/patches/series
--- evolution-data-server-3.4.4/debian/patches/series 2013-02-10 18:16:56.000000000 +0000
+++ evolution-data-server-3.4.4/debian/patches/series 2014-11-02 16:43:47.000000000 +0000
@@ -3,3 +3,4 @@
 03_EBookBackendSqliteDB_Escape_SQL_strings.patch
 04_mbox_index.patch
 20_gettext_intltool.patch
+evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch
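Review bot: The min/max swap added in camel-tcp-stream-ssl.c re-enables SSLv3 whenever a caller clears CAMEL_TCP_STREAM_SSL_ENABLE_SSL3 but also leaves ENABLE_TLS unset (min TLS 1.0 / max SSL 3.0 is swapped into min SSL 3.0 / max TLS 1.0), so an explicit request to keep SSLv3 off is silently overridden; `versionStream.max = versionStream.min;` would honour it instead. SSL_VersionRangeSet and SSL_VersionRangeSetDefault return a SECStatus that the new code ignores, so on an NSS build whose supported floor is above SSL 3.0 the requested range is rejected and the socket keeps NSS's default range with no diagnostic; clamping min to versionStreamSup.min and logging a failure (g_warning and PR_GetError should both be in scope, since the file already uses g_assert and PRFileDesc) makes that visible, as sketched below. Separately, camel-network-service.c always passes ENABLE_SSL3, so after this patch the client's floor is still SSL 3.0 and it will negotiate POODLE-affected SSLv3 with any server that offers nothing newer; if that is the intended trade-off for a stable update, a one-line comment at that call site saying so would save the next reader from re-deriving it. Both enclosing functions, in camel-tcp-stream-ssl.c and camel.c, start and end outside the hunk.
```c
	/* … unchanged: SSL_VersionRangeGetSupported and the min/max selection from the flags … */
	if (versionStream.min < versionStreamSup.min)
		versionStream.min = versionStreamSup.min;	/* below this build's floor SSL_VersionRangeSet would fail */
	if (versionStream.max < versionStream.min)
		versionStream.max = versionStream.min;		/* contradictory flags: keep SSLv3 off rather than swapping it back on */
	if (SSL_VersionRangeSet (ssl_fd, &versionStream) != SECSuccess)
		g_warning ("Cannot set SSL/TLS version range, NSS error %d", (gint) PR_GetError ());
```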