[ksmtp] [Bug 394770] STARTTLS is restricted to TLS 1.0

2018-05-28 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=394770

Teemu Torma changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |te...@torma.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

[kimap] [Bug 394769] STARTTLS is restricted to TLS 1.0

2018-05-28 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=394769

Teemu Torma changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |te...@torma.org

[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2016-06-16 Thread Teemu Torma via KDE Bugzilla
https://bugs.kde.org/show_bug.cgi?id=342567

Teemu Torma changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #90267|0                           |1
        is obsolete|                            |

--- Comment #17 from Teemu Torma  ---
Created attachment 99540
  --> https://bugs.kde.org/attachment.cgi?id=99540&action=edit
Patch to allow imap/smtp/managesieve to use TLSv1.2 in KF5

For KF5, as packaged in kubuntu ppa backports, this allows TLSv1.2 (and later)
for mail handling.  The patch contains patches for four packages and may need
to be split accordingly.

The following changes in packages were needed for KF5:

kdepim: to fix managesieve
kimap: to fix imap
kio: to fix smtp
kmailtransport: to fix smtp

___
Kdepim-bugs mailing list
Kdepim-bugs@kde.org
https://mail.kde.org/mailman/listinfo/kdepim-bugs


[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2015-09-05 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

--- Comment #13 from Teemu Torma  ---
I am currently using Ubuntu Vivid with kubuntu-backports as it is and that
works for me, and has since Vivid was released in April.

It has been a while, but from what I remember, I saw Laurent implement some
things in my patch at some point, but not all.  However, everything works for
me right now without any patching of my own.

As for this bug, I do consider it done.  As for my patch itself, I do
consider that it applies to the version I reported, since I had to use it to
get things working.



[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2015-01-09 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

--- Comment #10 from Teemu Torma  ---
I might add that disabling SSLv3 from auto negotiation really has nothing to
do with it being the only protocol available.  The problem is that a
man-in-the-middle can cause the auto negotiation to fail.  Even if both server
and client support TLSv1.2, a man-in-the-middle can signal to the client that
the protocol is not supported, so the client tries lower protocol versions
until the connection with SSLv3 succeeds and is vulnerable to the POODLE
attack.



[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2015-01-09 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

--- Comment #9 from Teemu Torma  ---
I did have a more thorough look into various versions of Qt and how things are
implemented there.

By the time of Qt 4.7 (2010), QSsl had three protocol options, SslV2, SslV3 and
TlsV1, and the auto negotiate option AnyProtocol.  At the time openssl did not
support TLSv1.1 or TLSv1.2, so the situation was relatively clear.  The auto
negotiation is done by openssl.

By the time of Qt 4.8 (2011), openssl had added support for newer TLS
protocols, so QSsl was expanded with two new auto negotiate options, TlsV1SslV3
and SecureProtocols.  They both behaved the same: negotiate the highest
protocol excluding SslV2.  Thus, TLSv1.1 and TLSv1.2 started working with these
options, as well as with AnyProtocol.

Qt5 then added explicit versions TlsV1_0, TlsV1_1 and TlsV1_2 and made TlsV1
an alias for TlsV1_0.  Then came the POODLE attack and Qt 5.4 dropped SslV3
from SecureProtocols.

Now, looking at KDE, it seems that it uses the Qt 4.7 way of doing things and
thus uses TlsV1 in many places.  A more appropriate thing would be to use
SecureProtocols and leave disabling SSLv3 to the Qt side, like in Qt 5.4.  That
way, when for example TLSv1.3 lands, just upgrading openssl would make it
work.

KTcpSocket has at some point added new enumerations TlsV1SslV3 and
SecureProtocols, but it is a bit unclear to me what it is trying to do, since
in QSsl these are enumerated values and KTcpSocket redefines them somehow as
bitmasks.  But these auto negotiate values and explicit protocol values are not
really the same thing on the Qt level.


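Added example (not part of the thread, and not Qt or KDE code): a small C++ model of the negotiation behaviour described in comments #9 and #10 above. The version flags, the sets named after the QSsl options, and the functions negotiate and connectWithFallback are all constructed for illustration.

```cpp
// Model of TLS version negotiation; all names here are constructed for illustration.
#include <cstdint>
#include <cstdio>

// Protocol versions as bit flags, oldest (lowest bit) to newest.
enum Version : uint8_t { None = 0, SslV3 = 1, TlsV1_0 = 2, TlsV1_1 = 4, TlsV1_2 = 8 };

// Client settings modelled on the QSsl options discussed in the thread.
constexpr uint8_t kTlsV1      = TlsV1_0;                              // pinned to one version
constexpr uint8_t kSecureQt48 = SslV3 | TlsV1_0 | TlsV1_1 | TlsV1_2;  // everything except SSLv2
constexpr uint8_t kSecureQt54 = TlsV1_0 | TlsV1_1 | TlsV1_2;          // SSLv3 dropped

// One handshake: the highest version enabled on both sides, or None.
Version negotiate(uint8_t client, uint8_t server) {
    for (uint8_t v = TlsV1_2; v >= SslV3; v = static_cast<uint8_t>(v >> 1))
        if (client & server & v) return static_cast<Version>(v);
    return None;
}

// Client that retries with a lower ceiling after a failed handshake (comment #10).
// `blocked` marks versions whose handshakes an on-path party causes to fail.
Version connectWithFallback(uint8_t client, uint8_t server, uint8_t blocked) {
    for (uint8_t top = TlsV1_2; top >= SslV3; top = static_cast<uint8_t>(top >> 1)) {
        uint8_t offer = static_cast<uint8_t>(client & (top | (top - 1)));  // top and below
        Version v = negotiate(offer, server);
        if (v != None && !(v & blocked)) return v;
    }
    return None;
}

int main() {
    const uint8_t modernServer = TlsV1_1 | TlsV1_2;  // server from the bug report: no TLSv1.0
    const uint8_t legacyServer = kSecureQt48;        // server that still accepts SSLv3
    const uint8_t allTls = TlsV1_0 | TlsV1_1 | TlsV1_2;
    std::printf("TlsV1 pin, modern server:        %d\n", negotiate(kTlsV1, modernServer));
    std::printf("SecureProtocols, modern server:  %d\n", negotiate(kSecureQt54, modernServer));
    std::printf("Qt 4.8 set, TLS handshakes fail: %d\n",
                connectWithFallback(kSecureQt48, legacyServer, allTls));
    std::printf("Qt 5.4 set, TLS handshakes fail: %d\n",
                connectWithFallback(kSecureQt54, legacyServer, allTls));
    return 0;
}
```

With SSLv3 left out of the client's set, the same interference ends in a failed connection instead of an SSLv3 session.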

[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2015-01-07 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

--- Comment #8 from Teemu Torma  ---
I verified with server log files, for every combination, that TLSv1.2 is used
with QSsl::SecureProtocols.

It is a bit unfortunate that Qt4 QSsl::TlsV1 implies that it is the latest
protocol, and from the code it seems that the idea is to use the latest
protocols.  That was true ten years ago, but nowadays it has the opposite
effect of pinning the protocol to the least acceptable one, which has already
shown weaknesses.

I agree that SSLv3 is not ideal, but does disabling that really belong to KDE?
I would think that it should be done on lower levels or server side.

Since imap/ssl already talks TLSv1.2 because it speaks any protocol, we could
change just smtp/ssl to get TLSv1.2 functionality, and leave the starttls
variants as they are.



[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2015-01-07 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

--- Comment #6 from Teemu Torma  ---
I don't know any of this code either.  I just made a minimal patch to make it
work; I don't know if it should be done like that.



[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2015-01-07 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

--- Comment #3 from Teemu Torma  ---
"kio/kio/tcpslavebase.cpp" change was needed to get smtp/starttls working.

I had to hunt that down once I noticed that patches to kdepimlibs were not
enough.



[kmail2] [Bug 342567] TLSv1.2 is not used on imap/smtp/managesieve

2015-01-06 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

--- Comment #1 from Teemu Torma  ---
Created attachment 90267
  --> https://bugs.kde.org/attachment.cgi?id=90267&action=edit
Patch to allow imap/smtp/managesieve to use TLSv1.2

With the following patch I managed to get TLSv1.2 working with imap/ssl,
imap/starttls, smtp/ssl, smtp/starttls and managesieve connections.

The patch basically replaces the forced TLSv1.0 with QSsl::SecureProtocols. 
Since TLSv1.0 is also part of QSsl::SecureProtocols (at least for now), it
should not cause any regression.



[kmail2] [Bug 342567] New: TLSv1.2 is not used on imap/smtp/managesieve

2015-01-06 Thread Teemu Torma
https://bugs.kde.org/show_bug.cgi?id=342567

            Bug ID: 342567
           Summary: TLSv1.2 is not used on imap/smtp/managesieve
           Product: kmail2
           Version: 4.14.1
          Platform: Ubuntu Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: crypto
          Assignee: kdepim-bugs@kde.org
          Reporter: te...@torma.org

While trying to enforce TLSv1.2 everywhere, I noticed that kmail does not
support it.  By digging into the code, I noticed that TLSv1.0 is forced
everywhere except imap/ssl (which allows any protocol version).

Reproducible: Always

Steps to Reproduce:
1. Try to use imap/starttls, smtp/starttls or smtp/ssl on a server that does
not support TLSv1.0, only later protocols.


Actual Results:  
It doesn't work.

Expected Results:  
It should work.
