SUMMARY
I cannot send emails using Trojita 0.7 on my Linux distribution (KaOSx). I'm using a Gmail IMAP account.
STEPS TO REPRODUCE
1. Set up a Gmail IMAP account
2. Try to send an email
3. Error appears
OBSERVED RESULT
Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
EXPECTED RESULT
Email sent correctly with no error.
SOFTWARE/OS VERSIONS
LSB Version: 1.4
Distributor ID: KaOS
Description: KaOS
Release: rolling
Codename: n/a
KDE Frameworks 5.55.0
Qt 5.12.1 (built against 5.12.1)
The xcb windowing system
Hi Filipe, thanks for your bug report. We are, however, relying on the Qt library and its crypto layer for all SSL/TLS handling. We do not set any fancy flags for specific TLS support options. If the issue persists and if it affects other applications which use the Qt library, please report this to your distribution. I do not see how this could be Trojita-specific.
Hm, the problem is ... only Trojita is having SSL issues. No other Qt apps or KDE apps have SSL issues. I can, for example, use KMail with the same Gmail account, browse sftp / ssh remote machines without issues, etc. Using Dolphin for sftp/ssh remote connections works fine as well.
I did test again, and the error still occurs. I can still read / load content hosted on secure servers (e.g. loading https images). Here is the output log:
17:15:44.765 Submission STATE_INIT
17:15:44.772 Submission STATE_BUILDING_MESSAGE
17:15:44.772 Submission STATE_SAVING
17:15:45.688 Submission STATE_SUBMITTING
17:15:45.864 Submission gotError: Error during SSL handshake: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
17:15:45.864 Submission STATE_FAILED
I did a full uninstall/reinstall/restart of the package. The full output log clearly states that it initiates SSL upon connection opening and correctly handles initial synchronization; only message sending fails. Could it be a misconfigured Gmail account or a Gmail IMAP issue in Trojita?
Looks like TLS/1.3 but Qt 5.12 should not even support that… Do you use smtp on port 465 or port 587?
I do use those imap/smtp configurations:
* imap: TLS on imap.gmail.com:993
* smtp: TLS on smtp.gmail.com:587
Ah, just tested TLS port 465 for smtp and it worked fine! Which is weird, the Google support page says 465 is for SSL. See https://support.google.com/mail/answer/7126229?hl=en So I guess my configuration was not wrong using TLS/587.
465 *is* SSL, you'll not use STARTTLS on it (no idea about the trojitá config GUI suggesting something different?). So this is a TLS version conflict (and 1.3 mess), can one see your distro's downstream patches to Qt? (Afaik TLS v1.3 support should only appear w/ Qt 5.13)
The Trojita GUI does not specify SSL at all, it has:
- Use encryption (STARTTLS)
- Force encryption (TLS)
Hence I selected the expected port 587 from the support page for gmail. My distribution is using Qt 5.12.1 and has no downstream patches for Qt.
The config is probably misleading, but I'm pretty sure gmail won't do STARTTLS on 465 (you can wireshark what's going on). I assume the issue at hand to be Qt w/o 1.3 support running into a 1.3-supporting openssl unprepared and would suggest to stick to 465 until 5.13 hits ground, ensure that it's supposed to support TLS 1.3 and try again.
Fine, will test that with 5.13 at that time. Thanks for the support!
(In reply to Filipe Azevedo from comment #9)
> The Trojita GUI does not specify SSL at all, it has:
>
> - Use encryption (STARTTLS)
> - Force encryption (TLS)
I can see that these names can be confusing, but I do not know how to better explain what's going on. The choice is, essentially, whether to use encryption from the very beginning, or whether to establish a plaintext connection first and then upgrade it to encryption via the STARTTLS command. These two options use different server port numbers, and it is important to get both port number *and* encryption type correct. Trojita warns the user right in the settings dialog when the port number is unusual. The standard says that the default submission settings are STARTTLS and port 587. If you ask Trojita to use "TLS" on port 587, then Trojita attempts to initiate a TLS connection against a cleartext endpoint which won't work.
In the past, a lot of software called the "hey, let's encrypt from the beginning" option "SSL", and the other option, "start in cleartext and introduce encryption as soon as possible", was called "STARTTLS". Then the encryption standard known as "SSL v2" got disabled due to its unfixable security vulnerabilities, SSL v3 got deprecated in 2015, and everybody has been using something which is technically TLS for the past four years.
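An added example (not part of the thread and not Trojita's code) of what happens when a client starts TLS immediately against an endpoint that speaks cleartext first: the first five bytes of the SMTP greeting are read as a TLS record header, and the handshake is rejected. The greeting text and host name are constructed; the handshake runs entirely in memory through Python's `ssl.MemoryBIO`, so nothing is sent over the network.

```python
import ssl
import struct

# Constructed sample: a cleartext SMTP greeting as sent on a STARTTLS port.
SMTP_BANNER = b"220 smtp.example.test ESMTP ready\r\n"


def parse_record_header(data):
    """Read the first 5 bytes the way a TLS record layer does."""
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "type": content_type,
        "version": (major, minor),
        "length": length,
        # Real records: content type 20..24, major version byte 3.
        "looks_like_tls": 20 <= content_type <= 24 and major == 3,
    }


def implicit_tls_against(peer_first_bytes):
    """Start a TLS handshake in memory, then feed it the peer's first bytes.

    Returns (client_hello_header, error_text); error_text is None when the
    handshake did not fail on those bytes.
    """
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="smtp.example.test")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is queued in `outgoing`; client awaits a reply
    hello = parse_record_header(outgoing.read())
    incoming.write(peer_first_bytes)  # what a cleartext endpoint says first
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return hello, None
    except ssl.SSLError as exc:
        # Usually WRONG_VERSION_NUMBER; wording depends on the OpenSSL build.
        return hello, str(exc)
    return hello, None


if __name__ == "__main__":
    print(parse_record_header(SMTP_BANNER))
    print(implicit_tls_against(SMTP_BANNER))
```

The bytes `220 ` decode as content type 0x32 and version 0x32.0x30, which no TLS version uses, so the error points at a cleartext peer rather than at a real protocol-version mismatch.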
FYI, a patch series which attempts to clear some of these warnings: https://gerrit.vesnicky.cesnet.cz/r/#/q/topic:bug-404211
Git commit 0993c644234391625bda12ad3fac85e8e97aa875 by Jan Kundrát.
Committed on 10/03/2019 at 13:08.
Pushed by gerrit into branch 'master'.
Improve port number warnings
The SSL/TLS/STARTTLS distinction appears to be a non-negligible source of confusion. This patch tries to improve this by emphasizing the correct, standard port number a bit more and identifying the encryption method at the same time.
Change-Id: Iefff721796d7308e45be69e7e19a0c540e63312d
M +6 -2 src/Gui/SettingsDialog.cpp
M +14 -1 src/MSA/Account.cpp
https://commits.kde.org/trojita/0993c644234391625bda12ad3fac85e8e97aa875