[Pkg-openssl-devel] Bug#871477: upgrade of libssl1.1 to breaks dovecot imap via tls: kmail from debian stable/unstable cannot connect to dovecot any more

Wolfgang Walter wolfgang.walter at stwm.de
Tue Aug 8 13:36:03 UTC 2017 

Am Dienstag, 8. August 2017, 13:31:30 schrieb Sebastian Andrzej Siewior:
> On 2017-08-08 12:44:09 [+0200], Wolfgang Walter wrote:
> > Package: libssl1.1
> > Version: 1.1.0f-4
> > Severity: important
> > 
> > After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could not connect to dovecot on debian/unstable any more (kmail on debian/unstable can't connect, either).
> > 
> > Dovecot logs "... tls_process_client_hello:version too low ..."
> 
> Is this broken with kmail only or are other clients affected, too?

Don't know. Not tried yet.

> 
> > Probably this is due to "Disable TLS 1.0 and 1.1".
> 
> Yes but why? studlmu.lrz.de:993 handshakes here with TLS1.2. openssl in
> previous releases supports TLS1.2. So something limited it to TLS1.0
> and/or 1.1 only.
> 
> > Please reactivate it. We would like to continue our policy to continously test debian/unstable and debian/testing on servers in our environment. 
> 
> Did you limit on kmail side the connection somewhere to TLS1.0 only?
> 

We run kmail es provided by debian/stable or debian/unstable.

I didn't check other clients, so I don't know if kmail does not speak TLS1.2

> If not, does this help (patch against kio):
> 

Don't know if I have time to rebuild a kde paket (kio). I'll try another client first.

Even if this is a limitation of kmail I still think it is a rather bad idea to limit openssl for unstable to TLS1.2. 

I don't think that an upgrade to buster should also enforce simultanous updates for a lot of other machines be it clients or servers, so TLS1.0 and TLS1.1 probably must be reenabled for buster anyway. The main effect will be that it is just harder to test unstable/testing.

> diff --git a/src/core/ktcpsocket.h b/src/core/ktcpsocket.h
> index 75e1f8c4489a..4ff674d8abc1 100644
> --- a/src/core/ktcpsocket.h
> +++ b/src/core/ktcpsocket.h
> @@ -163,7 +163,7 @@ class KIOCORE_EXPORT KTcpSocket: public QIODevice
>          TlsV1_0 = TlsV1,
>          TlsV1_1 = 0x40,
>          TlsV1_2 = 0x80,
> -        AnySslVersion = SslV2 | SslV3 | TlsV1
> +        AnySslVersion = SslV2 | SslV3 | TlsV1 | TlsV1_1 | TlsV1_2
>      };
>      Q_DECLARE_FLAGS(SslVersions, SslVersion)
>  
> 
> I Cc qt/kdepim/kio folks in case they have a clue who is limmiting this.
> 

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts

More information about the Pkg-openssl-devel mailing list