423424 2020-06-24 08:18:18 +0000 Kmail "forces" the user to accept invalid TLS certificates. 2021-11-16 17:06:40 +0000 1 1 2 Applications kmail2 general 5.13.3 Other Linux REOPENED NOR major --- 1 93s4m32gd2ab8ax6 pim-bugs-null sknauss https://invent.kde.org/pim/ksmtp/commit/fca378d55e223944ce512c9a8f8b789d1d3abcde 20 oldest_to_newest 1939462 0 93s4m32gd2ab8ax6 2020-06-24 08:18:18 +0000 When the IMAP TLS certificate is bad, i.e. self-signed, kmail shows a warning with three buttons: "Details", "Continue" and "Cancel". When the user clicks on "Cancel", kmail repeats the login process and shows the warning again immediately. This process continues in a loop, which can not be canceled by the user when clicking on "Cancel" (the only secure option). The only way to "escape" from this loop is to click on "Continue.", which might reveal the username and password. 1939465 1 93s4m32gd2ab8ax6 2020-06-24 08:29:43 +0000 This also applies in a limited form (dialogs show up slower) for SMTP. 2060253 2 sknauss 2021-09-10 19:27:12 +0000 The vulnerable is now published under https://nostarttls.secvuln.info/ 2064695 3 bug-janitor 2021-09-28 15:59:56 +0000 A possibly relevant merge request was started @ https://invent.kde.org/pim/kimap/-/merge_requests/9 2064700 4 bug-janitor 2021-09-28 16:06:15 +0000 A possibly relevant merge request was started @ https://invent.kde.org/pim/kdepim-runtime/-/merge_requests/48 2064760 5 vkrause 2021-09-28 19:27:34 +0000 Git commit 7ee241898bc225237b3475f6c109ffc55a4a74c0 by Volker Krause. Committed on 28/09/2021 at 15:58. Pushed by knauss into branch 'release/21.08'. Disconnect rather than reconnect when not ignoring SSL errors Reconnecting makes no sense, we'll just end up with the SSL error dialog again and again in that case. Not enough to fix 423424 by itself, but a necessary prerequisite. M +1 -4 src/sessionthread.cpp https://invent.kde.org/pim/kimap/commit/7ee241898bc225237b3475f6c109ffc55a4a74c0 2064770 6 vkrause 2021-09-28 19:58:18 +0000 Git commit edb7f6fdea2c9f44085a042531f56223f3fd8a2f by Volker Krause. Committed on 28/09/2021 at 16:05. Pushed by knauss into branch 'release/21.08'. Consider the online state when attempting to reconnect There's actually a comprehensive error condition handling in the method above which properly distinguishing between transient and persistent problems, but we just ignore that decision here and continuously reconnect. Together with https://invent.kde.org/pim/kimap/-/merge_requests/9 this fixes the infinite SSL error dialog loop when rejecting to ignore an SSL error to a large extend. You still get the dialog twice now, and then after a few minutes again as this is considered to be a transient error (e.g. caused by capture portals). This at least gives you the opportunity now to actually fix the configuration or remove the resource. (Bug 423424 remains open for SMTP) M +1 -1 resources/imap/imapresourcebase.cpp https://invent.kde.org/pim/kdepim-runtime/commit/edb7f6fdea2c9f44085a042531f56223f3fd8a2f 2064966 7 bug-janitor 2021-09-29 15:42:47 +0000 A possibly relevant merge request was started @ https://invent.kde.org/pim/ksmtp/-/merge_requests/10 2064985 8 vkrause 2021-09-29 17:25:41 +0000 Git commit fca378d55e223944ce512c9a8f8b789d1d3abcde by Volker Krause. Committed on 29/09/2021 at 15:41. Pushed by knauss into branch 'release/21.08'. Emit an error rather than reconnect when SSL errors are not ignored Not ignoring SSL certificate errors now results in a delivery error rather than a loop on the SSL error dialog. M +5 -4 src/sessionthread.cpp https://invent.kde.org/pim/ksmtp/commit/fca378d55e223944ce512c9a8f8b789d1d3abcde 2077048 9 sknauss 2021-11-12 12:21:13 +0000 This was rechecked from the NO STARTTLS team with the current version 5.18.40 and this bug is not completly fixed: "The certificate loop for IMAP in the account wizard is also still present, kmail keeps reconnecting for me. I cannot even accept the invalid certificate, because kmail continues reconnecting and showing dialogs. I can provide a screen recording if needed. For SMTP it seems to be fixed (the dialog only appears once)." 2077768 10 bug-janitor 2021-11-15 17:20:35 +0000 A possibly relevant merge request was started @ https://invent.kde.org/pim/kimap/-/merge_requests/10 2078080 11 vkrause 2021-11-16 17:06:40 +0000 Git commit cbd3a03bc1d2cec48bb97570633940bbf94c34fa by Volker Krause. Committed on 15/11/2021 at 17:18. Pushed by knauss into branch 'release/21.12'. Treat SSL handshake errors as fatal also when using STARTTLS This fixes the infinite SSL error dialog loop also when using STARTTLS, the previous fix was only effective for direct TLS connections. M +9 -13 src/loginjob.cpp https://invent.kde.org/pim/kimap/commit/cbd3a03bc1d2cec48bb97570633940bbf94c34fa