[Pkg-openssl-devel] Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Tue Aug 8 11:31:30 UTC 2017


On 2017-08-08 12:44:09 [+0200], Wolfgang Walter wrote:
> Package: libssl1.1
> Version: 1.1.0f-4
> Severity: important
> 
> After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could not connect to dovecot on debian/unstable any more (kmail on debian/unstable can't connect, either).
> 
> Dovecot logs "... tls_process_client_hello:version too low ..."

Is this broken with kmail only or are other clients affected, too?

> Probably this is due to "Disable TLS 1.0 and 1.1".

Yes but why? studlmu.lrz.de:993 handshakes here with TLS1.2. openssl in
previous releases supports TLS1.2. So something limited it to TLS1.0
and/or 1.1 only.

> Please reactivate it. We would like to continue our policy to continuously test debian/unstable and debian/testing on servers in our environment.

Did you limit on kmail side the connection somewhere to TLS1.0 only? If
not, does this help (patch against kio):

diff --git a/src/core/ktcpsocket.h b/src/core/ktcpsocket.h
index 75e1f8c4489a..4ff674d8abc1 100644
--- a/src/core/ktcpsocket.h
+++ b/src/core/ktcpsocket.h
@@ -163,7 +163,7 @@ class KIOCORE_EXPORT KTcpSocket: public QIODevice
         TlsV1_0 = TlsV1,
         TlsV1_1 = 0x40,
         TlsV1_2 = 0x80,
-        AnySslVersion = SslV2 | SslV3 | TlsV1
+        AnySslVersion = SslV2 | SslV3 | TlsV1 | TlsV1_1 | TlsV1_2
     };
     Q_DECLARE_FLAGS(SslVersions, SslVersion)
 
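Review bot: AnySslVersion on the changed line still ORs in SslV2 and SslV3, and because it is an enumerator in the header of a KIOCORE_EXPORT class its value is compiled into every caller, so applications built against the old header keep the mask without TlsV1_1 and TlsV1_2 until they are rebuilt. Suggest adding a comment on the enumerator saying it has to cover every version flag defined above it, and checking that the code which maps these flags onto the TLS backend accepts the combined TlsV1_1 | TlsV1_2 bits; that mapping is not visible in this hunk.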

I Cc qt/kdepim/kio folks in case they have a clue who is limiting this.

> Regards,

Sebastian


