Bug 108388

Summary: TLS handshake is not accepted
Product: [Unmaintained] kio Reporter: Roland Wenzel <rwenzel>
Component: kssl Assignee: George Staikos <staikos>
Status: RESOLVED DUPLICATE    
Severity: normal CC: mueller, thilo.bangert
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Patch for kssl.cc which enables work with TLSv1.

Description Roland Wenzel 2005-07-01 10:09:39 UTC
Version:            (using KDE KDE 3.3.2)
Installed from:    Debian stable Packages
OS:                Linux

KDE - Settings - Encryption: SSLv2 is disabled, SSLv3 is enabled, TLS is enabled.

The target server (see https://kis.hosteurope.de) does not accept SSLv3 connections, but SSLv2 or TLS connections only. This has been verified using Internet Explorer and Ethereal.

However, Konqueror fails to open a TLS connection, but insists on an SSLv3 handshake. This fails on the above server. Enabling/Disabling the TLS setting (SSLv3 enabled) does not change anything (at least I could not detect a change in the handshake).

Firefox does a funny thing: Even if set to SSLv3 only, it will start an SSLv2 handshake and then accepts the TLS connection.

Microsoft's Internet Explorer is the only browser that sticks to its settings.

Suggestion: Change the setting "Activate TLS, if server supports it" to "Activate TLS" to be consistent with the SSLv2 and SSLv3 settings. As it is now, disabling SSLv3 and SSLv2, but enabling TLS will result in an SSLv2 connection.

Best regards,

roland
Comment 1 George Staikos 2005-11-13 02:50:06 UTC
*** Bug 116108 has been marked as a duplicate of this bug. ***
Comment 2 George Staikos 2006-03-09 16:15:08 UTC
Seems to work fine in all configurations with the latest code in 3.5 branch and trunk
Comment 3 Vladimir I. Kobylyanskiy 2006-07-31 12:07:12 UTC
Created attachment 17181 [details]
Patch for kssl.cc which enables work with TLSv1.

KDE 3.5.3
Konqueror doesn't want to work with TLSv1, with or without "Activate TLS, if
server supports it".

In the code we found that all the methods for TLS work exist, but are not used.
Someone forgot to init the TLS methods.
We made a little patch for kssl.cc, and now everything works fine. The patch is
in the attachment.
Comment 4 George Staikos 2006-07-31 20:27:26 UTC
Index: kssl.cc
I just put this in 3.5 branch.  Does it work for you?

===================================================================
--- kssl.cc     (revision 516947)
+++ kssl.cc     (working copy)
@@ -129,7 +129,7 @@
                return false;

        if (m_bAutoReconfig)
-       m_cfg->load();
+               m_cfg->load();

        if (!m_cfg->tlsv1())
                return false;
@@ -160,6 +160,9 @@
 bool KSSL::initialize() {
 #ifdef KSSL_HAVE_SSL
        kdDebug(7029) << "KSSL initialize" << endl;
+       if (m_cfg->tlsv1())
+               return TLSInit();
+
        if (m_bInit)
                return false;

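Review bot: The new early return in KSSL::initialize() sits above the `if (m_bInit) return false;` guard, so with TLS enabled every call goes to TLSInit() regardless of m_bInit and the rest of initialize() is never reached. That leaves no path to the non-TLS setup while the setting is on, and comment 8 reports regressions from this patch. The check also reads m_cfg->tlsv1() without the `if (m_bAutoReconfig) m_cfg->load();` step that the first hunk's context performs before its own tlsv1() test, so it can act on stale configuration. Consider moving the check below the m_bInit guard, reloading the configuration first, and falling through to the normal initialisation when TLSInit() returns false.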
@@ -499,6 +502,7 @@
                if (err != SSL_ERROR_NONE &&
                    err != SSL_ERROR_ZERO_RETURN && err != SSL_ERROR_SYSCALL) {
                        rc = -1;      // OpenSSL returns 0 on error too
+                       d->kossl->ERR_print_errors_fp(stderr);
                }

 //             else if (err == SSL_ERROR_ZERO_RETURN)
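Review bot: The added `d->kossl->ERR_print_errors_fp(stderr);` in the error branch writes straight to stderr from library code, while the diagnostics visible in the previous hunk go through kdDebug(7029). ERR_print_errors_fp also empties the OpenSSL error queue, so a caller that wants to inspect the error after rc = -1 will find nothing left. If this is meant as a debugging aid, route it through the debug area or guard it for debug builds only, and say so in a comment.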
Comment 5 Vladimir I. Kobylyanskiy 2006-08-02 09:54:43 UTC
We have tested your changes for our patch here at our office (LISSI Ltd., http://www.lissi.ru, mailto: info@lissi.ru). Everything works fine. Thanks.
Comment 6 Vladimir I. Kobylyanskiy 2006-08-02 09:56:54 UTC
When will this patch be released?
Comment 7 George Staikos 2006-08-02 10:05:48 UTC
KDE 4, if not a future 3.5 release.
Comment 8 Dirk Mueller 2006-08-11 12:08:16 UTC
unfortunately this patch causes regressions, for example 132098
Comment 9 Dirk Mueller 2006-08-11 13:49:07 UTC
I'll track it under 132098

*** This bug has been marked as a duplicate of 132098 ***
Comment 10 Dirk Mueller 2006-08-11 15:23:10 UTC
SVN commit 571989 by mueller:

always allow TLS
CCBUG: 108388


 M  +2 -6      kssl.cc  


--- trunk/KDE/kdelibs/kio/kssl/kssl.cc #571988:571989
@@ -139,6 +139,8 @@
 	d->m_meth = d->kossl->TLSv1_client_method();
 	d->lastInitTLS = true;
 
+	m_pi.reset();
+
 	d->m_ctx = d->kossl->SSL_CTX_new(d->m_meth);
 	if (d->m_ctx == 0L) {
 		return false;
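Review bot: `m_pi.reset();` is not covered by the commit message ("always allow TLS") and has no comment explaining why peer information must be cleared at this point. It also runs before the result of SSL_CTX_new() is checked, so when `d->m_ctx == 0L` the function returns false with the peer info already reset and d->lastInitTLS already set to true. Add a one-line comment on the intent, and consider moving the reset after the null check if a failed init should leave existing state untouched.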
@@ -282,9 +284,6 @@
 		}
 	}
 
-	if (!d->lastInitTLS)
-		d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1);
-
 	d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL);
 
 	rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
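Review bot: With the `if (!d->lastInitTLS)` block gone, nothing in the visible lines applies SSL_OP_NO_TLSv1 any more, so a session that was not set up through the TLS init path may still negotiate TLSv1 even when the user has switched TLS off. The commit message says that is intended, but the original report asks for the TLS checkbox to behave like the SSLv2 and SSLv3 ones. If the setting is to keep a meaning, gate the option on m_cfg->tlsv1() instead of dropping it; if not, the setting's label and documentation should change with it. d->lastInitTLS is still assigned in the first hunk, so check whether it has any remaining reader.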
@@ -368,9 +367,6 @@
 		}
 	}
 
-	if (!d->lastInitTLS)
-		d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1);
-
 	d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL);
 
 	rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
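Review bot: This is the same three-line removal as in the previous hunk, applied to a second code path whose visible context (SSL_set_options with SSL_OP_ALL, then SSL_set_fd) is identical. The duplicated option setup is why the change had to be made in two places; factoring it into one helper called from both paths would keep the protocol options from drifting apart in later changes.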