Am Dienstag, 8. August 2017, 13:31:30 schrieb Sebastian Andrzej Siewior:
> On 2017-08-08 12:44:09 [+0200], Wolfgang Walter wrote:
> > Package: libssl1.1
> > Version: 1.1.0f-4
> > Severity: important
> > After upgrading a server to libssl1.1 1.1.0f-4 kmail on debian/stable could
> > not connect to dovecot on debian/unstable any more (kmail on
> > debian/unstable can't connect, either).
> > Dovecot logs "... tls_process_client_hello:version too low ..."
> Is this broken with kmail only or are other clients affected, too?
Don't know. Not tried yet.
> > Probably this is due to "Disable TLS 1.0 and 1.1".
> Yes but why? studlmu.lrz.de:993 handshakes here with TLS1.2. openssl in
> previous releases supports TLS1.2. So something limited it to TLS1.0
> and/or 1.1 only.
> > Please reactivate it. We would like to continue our policy to continously
> > test debian/unstable and debian/testing on servers in our environment.
> Did you limit on kmail side the connection somewhere to TLS1.0 only?
We run kmail es provided by debian/stable or debian/unstable.
I didn't check other clients, so I don't know if kmail does not speak TLS1.2
> If not, does this help (patch against kio):
Don't know if I have time to rebuild a kde paket (kio). I'll try another client
Even if this is a limitation of kmail I still think it is a rather bad idea to
limit openssl for unstable to TLS1.2.
I don't think that an upgrade to buster should also enforce simultanous updates
for a lot of other machines be it clients or servers, so TLS1.0 and TLS1.1
probably must be reenabled for buster anyway. The main effect will be that it
is just harder to test unstable/testing.
> diff --git a/src/core/ktcpsocket.h b/src/core/ktcpsocket.h
> index 75e1f8c4489a..4ff674d8abc1 100644
> --- a/src/core/ktcpsocket.h
> +++ b/src/core/ktcpsocket.h
> @@ -163,7 +163,7 @@ class KIOCORE_EXPORT KTcpSocket: public QIODevice
> TlsV1_0 = TlsV1,
> TlsV1_1 = 0x40,
> TlsV1_2 = 0x80,
> - AnySslVersion = SslV2 | SslV3 | TlsV1
> + AnySslVersion = SslV2 | SslV3 | TlsV1 | TlsV1_1 | TlsV1_2
> Q_DECLARE_FLAGS(SslVersions, SslVersion)
> I Cc qt/kdepim/kio folks in case they have a clue who is limmiting this.
Anstalt des öffentlichen Rechts