Bug 328625 - Allow forcing encryption protocol version
Summary: Allow forcing encryption protocol version
Status: RESOLVED FIXED
Alias: None
Product: Akonadi
Classification: Frameworks and Libraries
Component: IMAP resource
Version: GIT (master)
Platform: unspecified Linux
: NOR wishlist
Target Milestone: ---
Assignee: Christian Mollekopf
Reported: 2013-12-10 13:50 UTC by Christian Mollekopf
Modified: 2014-05-20 23:11 UTC
Description Christian Mollekopf 2013-12-10 13:50:32 UTC
Certain servers don't support SSLv2 hellos, so they are incompatible with OpenSSL's compatibility mode for SSL. While I don't think this justifies a new GUI option, we could allow a configfile-only option to force a specific version to be used to work around the problem.

Reproducible: Always
Comment 1 Christian Mollekopf 2013-12-10 13:50:49 UTC
See also https://bugs.kde.org/show_bug.cgi?id=322383
Comment 2 Christian Mollekopf 2014-04-23 09:39:18 UTC
A user just ran into this, so we really should have this config file option.
Comment 3 m.eik michalke 2014-04-28 17:29:08 UTC
it seems a bit anachronistic to me, for akonadi to only work properly if the mailserver still supports SSLv2.

as far as i remember that protocol version was even removed from the openssl packages for debian/ubuntu years ago. so regarding the config file solution i'd vote for this: make akonadi use SSLv3/TLS by default, and if you're really still stuck with SSLv2-only, then *that* would be the thing you'd have to turn on in a config file.
Comment 4 Christian Mollekopf 2014-04-29 11:56:47 UTC
(In reply to comment #3)
> it seems a bit anachronistic to me, for akonadi to only work properly if the
> mailserver still supports SSLv2.
> 
> as far as i remember that protocol version was even removed from the openssl
> packages for debian/ubuntu years ago. so regarding the config file solution
> i'd vote for this: make akonadi use SSLv3/TLS by default, and if you're
> really still stuck with SSLv2-only, then *that* would be the thing you'd
> have to turn on in a config file.

That's not what we're doing. We're using the auto-negotiation that apparently is broken on some servers (there's a report somewhere, if only I could find it). This causes the server to report an SSL version it doesn't actually support and thus the connection fails. For this case it's useful to be able to force the used version and thus skip the broken negotiation.
Comment 5 m.eik michalke 2014-04-29 18:38:39 UTC
> That's not what we're doing. We're using the auto-negotiation that
> apparently is broken on some servers

ah, i see -- thanks for the clarification!

so there's hope if i get the mailserver admins to fix the server response. 
i'll try that in the meantime ;-)
Comment 6 Christian Mollekopf 2014-05-07 14:53:36 UTC
Git commit 32aaf98fd2d7387f1313cf0d135c82dffa643d9a by Christian Mollekopf.
Committed on 07/05/2014 at 14:20.
Pushed by cmollekopf into branch 'KDE/4.13'.

IMAP-Resource: Allow to override the encryption mode.

Some ssl servers advertise an ssl version they don't actually support.
This config-only option allows to override the used encryption mode, and
supports all available options, so the auto-negotiation can be skipped.

M  +3    -0    resources/imap/imapresource.kcfg
M  +24   -0    resources/imap/settings.cpp

http://commits.kde.org/kdepim-runtime/32aaf98fd2d7387f1313cf0d135c82dffa643d9a
Comment 7 Christian Mollekopf 2014-05-07 14:58:45 UTC
The above patch allows specifying the used version in
.kde/share/config/akonadi_imap_resource_*rc

[network]
OverrideEncryption=TLSV1

Valid values are: SSLV2, SSLV3, TLSV1, SSL, STARTTLS, UNENCRYPTED

TLSV1 is the same as sslv3.1 and SSL is the autonegotiation.

The patch will be part of the 4.13.1 release.

Please let me know whether this fixes your problem, and let me know if it doesn't.
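
An added example, not part of the original bug thread or of the kdepim-runtime code: a small audit script that reads akonadi_imap_resource_*rc files and reports what OverrideEncryption is set to in the [network] group, since the override can leave a resource pinned to SSLV2, SSLV3 or UNENCRYPTED after the server has been fixed. The verdict labels, the home-relative ~/.kde path, the ExampleKey entry and the sample content are assumptions of this example.

```python
import glob
import os

# Values as listed in comment 7; the verdicts are this example's own
# classification, not something the patch enforces.
VERDICTS = {
    "SSLV2": "weak",        # obsolete protocol version
    "SSLV3": "weak",        # obsolete protocol version
    "UNENCRYPTED": "weak",  # no transport encryption at all
    "TLSV1": "pinned",      # one fixed version, negotiation skipped
    "STARTTLS": "ok",
    "SSL": "ok",            # auto-negotiation
}

# Constructed sample rc content (ExampleKey is hypothetical).
SAMPLE = ("[cache]\nOverrideEncryption=SSL\n\n"
          "[network]\nExampleKey=1\nOverrideEncryption=SSLV3\n")

def override_encryption(text):
    """Return the OverrideEncryption value from the [network] group, or None."""
    group, value = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "network" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "OverrideEncryption":
                value = val.strip()  # keep the last occurrence seen
    return value

def audit(text):
    """Classify one rc file: 'unset', 'unknown', or a verdict from VERDICTS."""
    value = override_encryption(text)
    return "unset" if value is None else VERDICTS.get(value, "unknown")

def audit_dir(config_dir):
    """Map each akonadi_imap_resource_*rc file in config_dir to its verdict."""
    results = {}
    pattern = os.path.join(config_dir, "akonadi_imap_resource_*rc")
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[os.path.basename(path)] = audit(fh.read())
    return results

if __name__ == "__main__":
    for name, verdict in audit_dir(os.path.expanduser("~/.kde/share/config")).items():
        print(f"{name}: {verdict}")
```

A "weak" or "pinned" verdict is a prompt to check whether the server still needs the workaround; removing the key returns the resource to its normal configuration.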
Comment 8 m.eik michalke 2014-05-07 20:48:52 UTC
> Please let me know whether this fixes your problem, and let me know if it
> doesn't.

yes, it works! thanks a lot!!!

here's what i did:
* i added your patch to the ubuntu package sources for kdepim-runtime 4.13.0
* rebuilt the package and replaced the installed one
* stopped kmail and akonadi
* added the new config option
* started kmail -- and everything was back to normal again :-)

> The patch will be part of the 4.13.1 release.

it should probably be backported to the stock packages, too.

you made my day!
Comment 9 Christian Mollekopf 2014-05-20 23:11:26 UTC
Git commit 423632618ed307817a088ae99607d19f3cce98ed by Christian Mollekopf.
Committed on 07/05/2014 at 14:20.
Pushed by cmollekopf into branch 'kolab/integration/4.13.0'.

IMAP-Resource: Allow to override the encryption mode.

Some ssl servers advertise an ssl version they don't actually support.
This config-only option allows to override the used encryption mode, and
supports all available options, so the auto-negotiation can be skipped.

M  +3    -0    resources/imap/imapresource.kcfg
M  +24   -0    resources/imap/settings.cpp

http://commits.kde.org/kdepim-runtime/423632618ed307817a088ae99607d19f3cce98ed