Bug 340396

Summary: Connection to TLS-only server does not work.
Product: [Applications] konversation
Reporter: Yatsek <yatsek>
Component: encryption
Assignee: Travis McHenry <wordsizzle>
Status: RESOLVED FIXED
Severity: critical
CC: hein, joao.eiras, konversation-devel, rdieter
Priority: NOR
Version: 1.5
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Yatsek 2014-10-27 13:05:14 UTC
I am trying to connect to a company-internal IRC server.

Because of the POODLE SSL vulnerability, SSL encryption was disabled on the server
and it uses only TLS encryption now.

From this point on I am unable to connect to the server with Konversation.
Reason: "Unknown error"

While adding a new server, the only option for server encryption is "SSL".
Best regards
Yatsek
Comment 1 Yatsek 2014-10-27 13:14:37 UTC
Just to add more info.

I am able to connect with Quassel with exactly the same server/password combination.

On Quassel I am getting:

*** You are connected to your.server.com with TLSv1.2-AES256-GCM-SHA384-256bits

On Konversation there is only an error.
Comment 2 Yatsek 2014-10-29 10:07:27 UTC
I'm trying to prepare some repeatable testcase (maybe with an IRC server on a VM) but I have very limited time availability. If somebody could point out some directions, that would be great.

And just to add info about the severity of this issue - it can be expected that TLS will be the status quo of encryption (because of POODLE), and the lack of TLS support actually completely voids Konversation as an IRC tool for many of us - in the case of my company, a dev house with ~500 people.
Comment 3 Eike Hein 2014-11-03 11:49:11 UTC
I believe this is because of the following:

1. Konversation uses KTcpSocket, which is a wrapper around QSslSocket.
2. QSslSocket lets you set which SSL or TLS versions you want to use while connecting.
3. For technical reasons KTcpSocket duplicates that API, and can get out of sync with QSslSocket.
4. KTcpSocket didn't use to have an equivalent to the "Use secure protocols" mode of QSslSocket, which enables reasonable defaults.
5. I actually added this to KTcpSocket, but because kdelibs wasn't released at the time the only secure variant left at the time was to set Konvi to use TLSv1.
6. This probably breaks on servers supporting only TLSv1.2.

We can rely on newer kdelibs now and we're about to do a 1.5.1 release, so we can switch to #4 now.
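
Added example, not part of the bug report or of Konversation's or KTcpSocket's code: a small offline model of the version negotiation behind points 5 and 6 of the comment above, showing why a client pinned to TLSv1 still connects to a server that merely disabled SSLv3 but is refused by one that accepts only TLSv1.2. The ClientHello bytes are constructed, the function names are hypothetical, and the pre-TLS-1.3 rule (the server picks the lower of the two maximum versions) is assumed.

```python
import struct

# Wire values of the protocol versions discussed in this bug.
SSL3, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS1_0: "TLSv1.0", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}

def build_client_hello(max_version):
    """Constructed minimal ClientHello (no extensions) offering max_version."""
    body = struct.pack("!H", max_version) + bytes(32)  # client_version, random
    body += b"\x00"                                    # empty session_id
    body += b"\x00\x02\x00\x2f"                        # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version is commonly 0x0301 regardless of the offered maximum.
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake

def offered_version(record):
    """Return the highest version a ClientHello offers (client_version field)."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    if len(record) < 5 + rec_len or record[5] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    return struct.unpack("!H", record[9:11])[0]

def server_negotiate(record, server_min, server_max):
    """Pre-TLS-1.3 rule: pick min(client max, server max); reject if below server_min."""
    chosen = min(offered_version(record), server_max)
    return chosen if chosen >= server_min else None  # None = fatal protocol_version alert

def describe(result):
    return NAMES[result] if result is not None else "handshake refused (protocol_version)"

if __name__ == "__main__":
    pinned = build_client_hello(TLS1_0)    # client hard-coded to TLSv1, as in point 5
    flexible = build_client_hello(TLS1_2)  # client offering its best version
    for label, low in (("server with only SSLv3 disabled", TLS1_0),
                       ("server accepting only TLSv1.2", TLS1_2)):
        print(label)
        print("  pinned TLSv1 client ->", describe(server_negotiate(pinned, low, TLS1_2)))
        print("  flexible client     ->", describe(server_negotiate(flexible, low, TLS1_2)))
```

The same `offered_version` check can be applied to the first record of a captured connection attempt to confirm which maximum version a client actually offers.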
Comment 4 Eike Hein 2014-11-03 12:03:07 UTC
Git commit 718a37c810718ddc297174046961544bd889700f by Eike Hein.
Committed on 03/11/2014 at 11:57.
Pushed by hein into branch '1.5'.

Switch to KTcpSocket::SecureProtocols.

This bumps the kdelibs version requirement to v4.9.0.

M  +1    -1    CMakeLists.txt
M  +1    -1    src/irc/server.cpp

http://commits.kde.org/konversation/718a37c810718ddc297174046961544bd889700f
Comment 5 Rex Dieter 2014-11-11 17:28:49 UTC
*** Bug 340857 has been marked as a duplicate of this bug. ***