Bug 394769

Summary: STARTTLS is restricted to TLS 1.0
Product: [Frameworks and Libraries] kimap Reporter: Jörg Thalheim <joerg.kde>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: arthur, rdieter, teemu
Priority: NOR    
Version: git   
Target Milestone: ---   
Platform: Other   
OS: All   
URL: https://github.com/KDE/kimap/blob/35464c7fd3858d70c8ac0558ecece216e3a95398/src/loginjob.cpp#L254
Latest Commit: https://commits.kde.org/kimap/b6c4ee82160da39ad7cff4c54360912f393aabd2 Version Fixed In: 5.8.2

Description Jörg Thalheim 2018-05-27 21:17:44 UTC 
KImap makes the assumption that TLSv1 is equal to STARTTLS

https://github.com/KDE/kimap/blob/35464c7fd3858d70c8ac0558ecece216e3a95398/src/loginjob.cpp#L254

This is incorrect as STARTTLS is independent from the protocol version used for cryptography.
In turn it is not possible to use newer TLS version such as v1.1 or v1.2.
Also it is not possible to use TLS 1.0 on ports without STARTTLS.

A workaround at the moment is to enable imaps (imap without STARTTLS) on a different port to allow modern TLS version.
Comment 1 Jörg Thalheim 2018-05-27 21:21:45 UTC 
Ksmtp suffers from the same bug. However there is no bugtracker category for Ksmtp yet.

I wrote a longer explanation for Ksmtp here: https://github.com/KDE/ksmtp/commit/e83911f9d1963b5e7181932960f999f331b4a5f9#r29145231
Comment 2 Jörg Thalheim 2018-05-27 21:44:28 UTC 
ksmtp has now its own ticket: https://bugs.kde.org/show_bug.cgi?id=394770
Comment 3 Daniel Vrátil 2018-06-03 17:49:18 UTC 
Git commit b6c4ee82160da39ad7cff4c54360912f393aabd2 by Daniel Vrátil.
Committed on 03/06/2018 at 17:43.
Pushed by dvratil into branch 'Applications/18.04'.

Fix TLS vs STARTTLS handling

Allow only choosing between no encryption, SSL/TLS or STARTTLS and let
KTcpSocket negotiate the best encryption protocol with the server.

FIXED-IN: 5.8.2

M  +22   -48   src/loginjob.cpp
M  +10   -5    src/loginjob.h
M  +1    -4    src/session.cpp

https://commits.kde.org/kimap/b6c4ee82160da39ad7cff4c54360912f393aabd2
Comment 4 Jörg Thalheim 2018-06-03 18:22:59 UTC 
Thanks a lot!
Comment 5 zless 2018-06-04 10:18:54 UTC 
Hello.

I just applied the patch at 
https://commits.kde.org/kimap/b6c4ee82160da39ad7cff4c54360912f393aabd2
to kimap-17.12.3.

The account can't connect any more. When I restart akonadi it says in the console:

org.kde.pim.kimap: STARTTLS not supported by server!