Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more
I can say that this version breaks my freeradius. No Windows client (Win8.1 and Win7) can connect to my wifi. The same with 3-yrs old Android tablets.

KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Machines that have broken down will work perfectly when the repairman arrives.
Bug#871477: [Pkg-openssl-devel] Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more
On Tuesday, 8 August 2017, 15:13:23, you wrote:
> reassign kmail 4:16.04.3-3
> thanks
>
> On Tue, Aug 08, 2017 at 12:44:09PM +0200, Wolfgang Walter wrote:
> > Package: libssl1.1
> > Version: 1.1.0f-4
> > Severity: important
> >
> > After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could
> > not connect to dovecot on debian/unstable any more (kmail on
> > debian/unstable can't connect, either).
> >
> > Dovecot logs "... tls_process_client_hello:version too low ..."
> >
> > Probably this is due to "Disable TLS 1.0 and 1.1".
> >
> > Please reactivate it. We would like to continue our policy to continuously
> > test debian/unstable and debian/testing on servers in our environment.
>
> I'm going to start with reassigning this to kmail. I believe all
> such issues should get fixed, and that they should get fixed in
> stable and maybe oldstable too.
>

But this also exists in ubuntu and other systems. I agree that it would be good to fix that in debian/stable and debian/oldstable anyway (if it is indeed a kmail problem).

But disabling TLS 1.0 and 1.1 in openssl directly to find other (mostly remote, often other people's) systems is bad. It makes testing unstable much harder because you have to rebuild openssl yourself with TLS 1.0 and 1.1 reactivated.

Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more
On Tuesday, 8 August 2017, 13:31:30, Sebastian Andrzej Siewior wrote:
> On 2017-08-08 12:44:09 [+0200], Wolfgang Walter wrote:
> > Package: libssl1.1
> > Version: 1.1.0f-4
> > Severity: important
> >
> > After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could
> > not connect to dovecot on debian/unstable any more (kmail on
> > debian/unstable can't connect, either).
> >
> > Dovecot logs "... tls_process_client_hello:version too low ..."
>
> Is this broken with kmail only or are other clients affected, too?

Don't know. Not tried yet.

> > Probably this is due to "Disable TLS 1.0 and 1.1".
>
> Yes but why? studlmu.lrz.de:993 handshakes here with TLS1.2. openssl in
> previous releases supports TLS1.2. So something limited it to TLS1.0
> and/or 1.1 only.
>
> > Please reactivate it. We would like to continue our policy to continuously
> > test debian/unstable and debian/testing on servers in our environment.
>
> Did you limit on kmail side the connection somewhere to TLS1.0 only?
>

We run kmail as provided by debian/stable or debian/unstable. I didn't check other clients, so I don't know if kmail does not speak TLS1.2.

> If not, does this help (patch against kio):
>

Don't know if I have time to rebuild a kde package (kio). I'll try another client first.

Even if this is a limitation of kmail I still think it is a rather bad idea to limit openssl for unstable to TLS1.2. I don't think that an upgrade to buster should also enforce simultaneous updates for a lot of other machines be it clients or servers, so TLS1.0 and TLS1.1 probably must be reenabled for buster anyway. The main effect will be that it is just harder to test unstable/testing.

> diff --git a/src/core/ktcpsocket.h b/src/core/ktcpsocket.h > index 75e1f8c4489a..4ff674d8abc1 100644 > --- a/src/core/ktcpsocket.h > +++ b/src/core/ktcpsocket.h
> @@ -163,7 +163,7 @@ class KIOCORE_EXPORT KTcpSocket: public QIODevice > TlsV1_0 = TlsV1, > TlsV1_1 = 0x40, > TlsV1_2 = 0x80, > -AnySslVersion = SslV2 | SslV3 | TlsV1 > +AnySslVersion = SslV2 | SslV3 | TlsV1 | TlsV1_1 | TlsV1_2 > }; > Q_DECLARE_FLAGS(SslVersions, SslVersion)
>
> I Cc qt/kdepim/kio folks in case they have a clue who is limiting this.
>

Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
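Review bot: the new AnySslVersion line still ORs in SslV2 | SslV3, so the mask that callers read as "any" keeps the two oldest protocol bits next to the added TlsV1_1 | TlsV1_2. A comment above the enumerator should say which bits are kept only for source compatibility, and that the mask has to be extended whenever an enumerator is added after TlsV1_2 = 0x80, otherwise the same cap at the last listed version comes back.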
Bug#871477: [Pkg-openssl-devel] Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more
reassign kmail 4:16.04.3-3
thanks

On Tue, Aug 08, 2017 at 12:44:09PM +0200, Wolfgang Walter wrote:
> Package: libssl1.1
> Version: 1.1.0f-4
> Severity: important
>
> After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could
> not connect to dovecot on debian/unstable any more (kmail on debian/unstable
> can't connect, either).
>
> Dovecot logs "... tls_process_client_hello:version too low ..."
>
> Probably this is due to "Disable TLS 1.0 and 1.1".
>
> Please reactivate it. We would like to continue our policy to continuously
> test debian/unstable and debian/testing on servers in our environment.

I'm going to start with reassigning this to kmail. I believe all such issues should get fixed, and that they should get fixed in stable and maybe oldstable too.

I'm planning on making a change to openssl too, but it would still likely end up broken.

Kurt
Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more
On 2017-08-08 12:44:09 [+0200], Wolfgang Walter wrote:
> Package: libssl1.1
> Version: 1.1.0f-4
> Severity: important
>
> After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could
> not connect to dovecot on debian/unstable any more (kmail on debian/unstable
> can't connect, either).
>
> Dovecot logs "... tls_process_client_hello:version too low ..."

Is this broken with kmail only or are other clients affected, too?

> Probably this is due to "Disable TLS 1.0 and 1.1".

Yes but why? studlmu.lrz.de:993 handshakes here with TLS1.2. openssl in previous releases supports TLS1.2. So something limited it to TLS1.0 and/or 1.1 only.

> Please reactivate it. We would like to continue our policy to continuously
> test debian/unstable and debian/testing on servers in our environment.

Did you limit on kmail side the connection somewhere to TLS1.0 only?
If not, does this help (patch against kio):

diff --git a/src/core/ktcpsocket.h b/src/core/ktcpsocket.h index 75e1f8c4489a..4ff674d8abc1 100644 --- a/src/core/ktcpsocket.h +++ b/src/core/ktcpsocket.h @@ -163,7 +163,7 @@ class KIOCORE_EXPORT KTcpSocket: public QIODevice TlsV1_0 = TlsV1, TlsV1_1 = 0x40, TlsV1_2 = 0x80, -AnySslVersion = SslV2 | SslV3 | TlsV1 +AnySslVersion = SslV2 | SslV3 | TlsV1 | TlsV1_1 | TlsV1_2 }; Q_DECLARE_FLAGS(SslVersions, SslVersion)

I Cc qt/kdepim/kio folks in case they have a clue who is limiting this.

> Regards,

Sebastian
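Review bot: AnySslVersion is an enumerator in the exported header src/core/ktcpsocket.h (class KIOCORE_EXPORT KTcpSocket), so its value is compiled into every caller, and widening it from SslV2 | SslV3 | TlsV1 to include TlsV1_1 | TlsV1_2 only reaches code rebuilt against the new header. The patch description should name the consumers that need a rebuild, or the widening should be done inside the library where the mask is interpreted so that already-built applications pick it up too.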
Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more
Package: libssl1.1
Version: 1.1.0f-4
Severity: important

After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could not connect to dovecot on debian/unstable any more (kmail on debian/unstable can't connect, either).

Dovecot logs "... tls_process_client_hello:version too low ..."

Probably this is due to "Disable TLS 1.0 and 1.1".

Please reactivate it. We would like to continue our policy to continuously test debian/unstable and debian/testing on servers in our environment.

Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts