When the IMAP TLS certificate is bad, i.e. self-signed, kmail shows a warning with three buttons: "Details", "Continue" and "Cancel". When the user clicks on "Cancel", kmail repeats the login process and shows the warning again immediately. This process continues in a loop, which cannot be cancelled by the user by clicking on "Cancel" (the only secure option). The only way to "escape" from this loop is to click on "Continue", which might reveal the username and password.
This also applies in a limited form (dialogs show up more slowly) for SMTP.
The vulnerability is now published at https://nostarttls.secvuln.info/
A possibly relevant merge request was started @ https://invent.kde.org/pim/kimap/-/merge_requests/9
A possibly relevant merge request was started @ https://invent.kde.org/pim/kdepim-runtime/-/merge_requests/48
Git commit 7ee241898bc225237b3475f6c109ffc55a4a74c0 by Volker Krause. Committed on 28/09/2021 at 15:58. Pushed by knauss into branch 'release/21.08'. Disconnect rather than reconnect when not ignoring SSL errors Reconnecting makes no sense, we'll just end up with the SSL error dialog again and again in that case. Not enough to fix 423424 by itself, but a necessary prerequisite. M +1 -4 src/sessionthread.cpp https://invent.kde.org/pim/kimap/commit/7ee241898bc225237b3475f6c109ffc55a4a74c0
Git commit edb7f6fdea2c9f44085a042531f56223f3fd8a2f by Volker Krause. Committed on 28/09/2021 at 16:05. Pushed by knauss into branch 'release/21.08'. Consider the online state when attempting to reconnect There's actually a comprehensive error condition handling in the method above which properly distinguishes between transient and persistent problems, but we just ignore that decision here and continuously reconnect. Together with https://invent.kde.org/pim/kimap/-/merge_requests/9 this fixes the infinite SSL error dialog loop when rejecting to ignore an SSL error to a large extent. You still get the dialog twice now, and then after a few minutes again as this is considered to be a transient error (e.g. caused by captive portals). This at least gives you the opportunity now to actually fix the configuration or remove the resource. (Bug 423424 remains open for SMTP) M +1 -1 resources/imap/imapresourcebase.cpp https://invent.kde.org/pim/kdepim-runtime/commit/edb7f6fdea2c9f44085a042531f56223f3fd8a2f
A possibly relevant merge request was started @ https://invent.kde.org/pim/ksmtp/-/merge_requests/10
Git commit fca378d55e223944ce512c9a8f8b789d1d3abcde by Volker Krause. Committed on 29/09/2021 at 15:41. Pushed by knauss into branch 'release/21.08'. Emit an error rather than reconnect when SSL errors are not ignored Not ignoring SSL certificate errors now results in a delivery error rather than a loop on the SSL error dialog. M +5 -4 src/sessionthread.cpp https://invent.kde.org/pim/ksmtp/commit/fca378d55e223944ce512c9a8f8b789d1d3abcde
This was rechecked by the NO STARTTLS team with the current version 5.18.40 and this bug is not completely fixed: "The certificate loop for IMAP in the account wizard is also still present, kmail keeps reconnecting for me. I cannot even accept the invalid certificate, because kmail continues reconnecting and showing dialogs. I can provide a screen recording if needed. For SMTP it seems to be fixed (the dialog only appears once)."
A possibly relevant merge request was started @ https://invent.kde.org/pim/kimap/-/merge_requests/10
Git commit cbd3a03bc1d2cec48bb97570633940bbf94c34fa by Volker Krause. Committed on 15/11/2021 at 17:18. Pushed by knauss into branch 'release/21.12'. Treat SSL handshake errors as fatal also when using STARTTLS This fixes the infinite SSL error dialog loop also when using STARTTLS, the previous fix was only effective for direct TLS connections. M +9 -13 src/loginjob.cpp https://invent.kde.org/pim/kimap/commit/cbd3a03bc1d2cec48bb97570633940bbf94c34fa
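The three commits above change one decision: what a session does after the user refuses a certificate. The following is an added example written for this page, not code from kimap, ksmtp or kdepim-runtime, that models the decision as a small policy function with a constructed always-self-signed server. All names (Attempt, Run, decideBuggy, decidePartial, decideFixed, drive, the attempt cap) are made up for illustration; the point it shows is that the "partial" policy, which treats a rejected certificate as fatal only for direct TLS, still loops for STARTTLS, which is the case the last commit closes, and that network failures are retried only while the resource reports itself online.

```cpp
// Added example, not project code: models the reconnect decision that the
// kimap/ksmtp/kdepim-runtime fixes change. Names and the fake server are
// assumptions made for this illustration.
#include <string>

enum class Outcome { Authenticated, CertRejected, NetworkDown };
enum class Action  { Done, Reconnect, Abort };

struct Attempt {
    bool startTls;   // true: plaintext greeting then STARTTLS; false: direct TLS
    bool selfSigned; // server presents a certificate the user will refuse
    bool online;     // what the resource's network-status check reports
};

struct Run {
    int dialogs = 0;     // how often the "bad certificate" dialog was shown
    int attempts = 0;    // connection attempts made
    std::string result;  // "authenticated", "ssl-error", "offline" or "gave-up-at-cap"
};

// One connection attempt against the constructed server (assumption: the
// user always presses "Cancel" on the certificate dialog).
static Outcome connectOnce(const Attempt& a, Run& run) {
    ++run.attempts;
    if (!a.online) return Outcome::NetworkDown;
    if (a.selfSigned) { ++run.dialogs; return Outcome::CertRejected; }
    return Outcome::Authenticated;
}

// Before the fixes: any failure leads to a reconnect, so the dialog returns
// immediately and the only exit is "Continue".
static Action decideBuggy(Outcome o, const Attempt&) {
    return o == Outcome::Authenticated ? Action::Done : Action::Reconnect;
}

// After the first two commits: a rejected certificate is fatal for a direct
// TLS connection, but the STARTTLS handshake error is still not fatal.
static Action decidePartial(Outcome o, const Attempt& a) {
    if (o == Outcome::Authenticated) return Action::Done;
    if (o == Outcome::CertRejected)  return a.startTls ? Action::Reconnect : Action::Abort;
    return a.online ? Action::Reconnect : Action::Abort;
}

// After the last commit: a rejected certificate is fatal for both direct TLS
// and STARTTLS; a network failure is retried only while online.
static Action decideFixed(Outcome o, const Attempt& a) {
    if (o == Outcome::Authenticated) return Action::Done;
    if (o == Outcome::CertRejected)  return Action::Abort;
    return a.online ? Action::Reconnect : Action::Abort;
}

// Drives the reconnect loop; the cap only exists so the buggy policy
// terminates in this demo (the real loop had no such bound).
template <typename Decide>
static Run drive(const Attempt& a, Decide decide, int maxAttempts) {
    Run run;
    for (;;) {
        Outcome o = connectOnce(a, run);
        Action act = decide(o, a);
        if (act == Action::Done)  { run.result = "authenticated"; break; }
        if (act == Action::Abort) {
            run.result = (o == Outcome::CertRejected) ? "ssl-error" : "offline";
            break;
        }
        if (run.attempts >= maxAttempts) { run.result = "gave-up-at-cap"; break; }
    }
    return run;
}

// Scenarios a practitioner would want to compare.
Run buggyStartTls(int cap)    { return drive(Attempt{true,  true,  true},  decideBuggy,   cap); }
Run partialStartTls(int cap)  { return drive(Attempt{true,  true,  true},  decidePartial, cap); }
Run partialDirectTls(int cap) { return drive(Attempt{false, true,  true},  decidePartial, cap); }
Run fixedStartTls(int cap)    { return drive(Attempt{true,  true,  true},  decideFixed,   cap); }
Run fixedOffline(int cap)     { return drive(Attempt{false, false, false}, decideFixed,   cap); }
Run fixedGood(int cap)        { return drive(Attempt{false, false, true},  decideFixed,   cap); }
```

With a cap of 5, the buggy and partial STARTTLS runs show the dialog five times and only stop because of the cap, while the partial direct-TLS run and every fixed run show it once (or not at all) and end in a delivery error the user can act on. The check worth keeping from this is that certificate verification after a STARTTLS upgrade must be classified exactly like a failed direct TLS handshake, since the retry layer cannot otherwise tell the two apart.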