evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround


Dario Lesca
I have tried to use evo 3.36.x on Fedora 32 beta and I got this error connecting to an old POP3 server:

"Error performing TLS handshake: A packet with illegal or unsupported version was received."

This is caused by the recent disabling of the TLS 1.0 and TLS 1.1 protocols.

My question is:

Is there only this workaround:

$ G_TLS_GNUTLS_PRIORITY="NORMAL:%COMPAT:+VERS-TLS1.0" evolution

Or is there some option in the properties panel to re-enable the old protocol for some old server?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 31 Workstation)

_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Patrick O'Callaghan
On Tue, 2020-04-07 at 17:07 +0200, Dario Lesca wrote:

> I have tried to use evo 3.36.x on Fedora 32 beta and I got this
> error connecting to an old POP3 server:
>
> "Error performing TLS handshake: A packet with illegal or unsupported
> version was received."
>
> This is caused by the recent disabling of the TLS 1.0 and TLS 1.1 protocols.
>
> My question is:
>
> Is there only this workaround:
>
> $ G_TLS_GNUTLS_PRIORITY="NORMAL:%COMPAT:+VERS-TLS1.0" evolution
>
> found in this thread:
> https://www.mail-archive.com/debian-bugs-dist@.../msg1735889.html
>
> Or is there some option in the properties panel to re-enable the old protocol
> for some old server?

Note that Fedora 32 is unreleased software. You might want to ask on
the Fedora Test list.

poc


Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Gnome Evolution - General mailing list
In reply to this post by Dario Lesca
On Tue, 2020-04-07 at 17:07 +0200, Dario Lesca wrote:
> Or is there some option in the properties panel to re-enable the old
> protocol for some old server?

        Hi,
the protocols are disabled system-wide. Read (and edit) the
/etc/crypto-policies/config
file to change the settings. I do not know whether it has any user-level
setting, apart from the environment variable you found.
        Bye,
        Milan


Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Dario Lesca
In reply to this post by Patrick O'Callaghan
On Tue, 07/04/2020 at 16.29 +0100, Patrick O'Callaghan wrote:

> Note that Fedora 32 is unreleased software. You might want to ask on
> the Fedora Test list.

Yes, I have already done this.

However, evolution 3.36.x is out, and the words "Fedora 32" have nothing to do with the question I have in the subject.

Thanks for your very useful OT suggestion.

-- 
Dario Lesca
(sent from my Linux Fedora 31 Workstation)


Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Dario Lesca
In reply to this post by Gnome Evolution - General mailing list
On Tue, 07/04/2020 at 17.37 +0200, Milan Crha via evolution-list wrote:

> Read (and edit) the /etc/crypto-policies/config file to change the settings.

Thanks Milan, I'll take a look at it.

-- 
Dario Lesca
(sent from my Linux Fedora 31 Workstation)


Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Dario Lesca
In reply to this post by Gnome Evolution - General mailing list
On Tue, 07/04/2020 at 17.37 +0200, Milan Crha via evolution-list wrote:

> Read (and edit) the /etc/crypto-policies/config

In this file there is only one word (DEFAULT) not commented out, and some comments:

#...
# * DEFAULT: A reasonable default for today's standards (80-bit security).
#
# * NEXT: Policy which will become DEFAULT in some upcoming release of the
#   operating system (112-bit security plus restriction of TLS to version 1.2
#   and newer).
#...

Now the value is set to DEFAULT, like in other Fedora versions.

Does someone have a suggestion on how to change this file?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 31 Workstation)


Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Gnome Evolution - General mailing list
On Tue, 2020-04-07 at 18:43 +0200, Dario Lesca wrote:
> Does someone have a suggestion on how to change this file?

        Hi,
I thought the file content is more or less self-explanatory. The
comments there tell you what the format of the file is, what values are
known and what to do (from top to bottom).

Short version:
a) change the not-commented DEFAULT (at the end of the file) to LEGACY
b) run as root: update-crypto-policies

And that's all. From the file, as I see here:

# * LEGACY: Ensures maximum compatibility with legacy systems (64-bit
#   security).

The 'legacy' means 'old' servers here (from my point of view).

I was not aware of the environment variable you found. Thinking of it,
an alternative might be to add:

   export G_TLS_GNUTLS_PRIORITY="NORMAL:%COMPAT:+VERS-TLS1.0"

into ~/.bashrc (or /etc/environment, without the 'export') or some such
file, but that will work only for glib applications and only if
glib-networking uses the GnuTLS backend, not the OpenSSL backend.

The editing of /etc/crypto-policies/config is supposed to configure all
at once.
        Bye,
        Milan
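
The two approaches described above (the system-wide policy file and the per-application environment variable), as an added example that is not part of the original thread: the first function reads the active word from a crypto-policies style config file, the second confines the GnuTLS priority override to a single command so nothing else on the system is affected. The function names are hypothetical; the priority string and file path are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# The GnuTLS priority string quoted in the thread.
TLS10_PRIORITY='NORMAL:%COMPAT:+VERS-TLS1.0'

# active_policy FILE
# Print the single active (non-comment) word of a crypto-policies style
# config file. Return 1 if the file has no active word or more than one,
# since the file is expected to hold exactly one policy name.
active_policy() {
    _words=$(sed -e 's/#.*//' "$1" | tr -s '[:space:]' '\n' | sed -e '/^$/d')
    [ -n "$_words" ] || return 1
    [ "$(printf '%s\n' "$_words" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$_words"
}

# run_with_tls10 COMMAND [ARGS...]
# Run one command with the override in its environment only. The calling
# shell, other applications and the system policy are left untouched.
# As noted in the thread, the variable only affects glib applications
# whose glib-networking uses the GnuTLS backend.
run_with_tls10() {
    env G_TLS_GNUTLS_PRIORITY="$TLS10_PRIORITY" "$@"
}

# report CONFIG_FILE
# Summarise which of the two settings is in effect for this shell.
report() {
    if _p=$(active_policy "$1"); then
        printf 'system policy: %s\n' "$_p"
    else
        printf 'system policy: missing or malformed (%s)\n' "$1"
    fi
    printf 'session override: %s\n' "${G_TLS_GNUTLS_PRIORITY:-none}"
}

# Typical use:
#   report /etc/crypto-policies/config
#   run_with_tls10 evolution
```

Scoping the override to one launcher keeps the old protocol enabled only for the client that talks to the old server, and `report` makes it easy to confirm the system policy was not changed along the way.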


Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Gnome Evolution - General mailing list
In reply to this post by Dario Lesca
On Tue, 2020-04-07 at 18:43 +0200, Dario Lesca wrote:

> On Tue, 07/04/2020 at 17.37 +0200, Milan Crha via evolution-list
> wrote:
>
> > Read (and edit) the /etc/crypto-policies/config
>
> In this file there is only one word (DEFAULT) not commented out, and some
> comments:
>
> #...
> # * DEFAULT: A reasonable default for today's standards (80-bit security).
> #
> # * NEXT: Policy which will become DEFAULT in some upcoming release of the
> #   operating system (112-bit security plus restriction of TLS to version 1.2
> #   and newer).
> #...
>
> Now the value is set to DEFAULT, like in other Fedora versions.
>
> Does someone have a suggestion on how to change this file?
>
> Many thanks
>
> --
> Dario Lesca

Probably Fedora 32 has changed the meaning of DEFAULT to exclude TLS
before 1.2.  Try changing the value to LEGACY.  The comments in the
file explain what to do after changing the value.

It would be better, of course, to ask the people responsible for the
e-mail server to upgrade their security.
    John Sauter ([hidden email])
--
PGP fingerprint E24A D25B E5FE 4914 A603  49EC 7030 3EA1 9A0B 511E



Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Pete Biggs
In reply to this post by Dario Lesca
On Tue, 2020-04-07 at 18:43 +0200, Dario Lesca wrote:

> On Tue, 07/04/2020 at 17.37 +0200, Milan Crha via evolution-list wrote:
>
> > Read (and edit) the /etc/crypto-policies/config
>
> In this file there is only one word (DEFAULT) not commented out, and some comments:
>
> #...
> # * DEFAULT: A reasonable default for today's standards (80-bit security).
> #
> # * NEXT: Policy which will become DEFAULT in some upcoming release of the
> #   operating system (112-bit security plus restriction of TLS to version 1.2
> #   and newer).
> #...
>
> Now the value is set to DEFAULT, like in other Fedora versions.
>
> Does someone have a suggestion on how to change this file?

   vi /etc/crypto-policies/config

but you need to read what it says - it should only contain a single
word.

At the very least you should read 'man crypto-policies'

Like POC said, this is a Fedora issue, not an Evolution one.

P.



Re: evolution 3.36 disabled TLS1.0 and TLS 1.1 and workaround

Dario Lesca
In reply to this post by Gnome Evolution - General mailing list
On Tue, 07/04/2020 at 19.06 +0200, Milan Crha via evolution-list wrote:

> The editing of /etc/crypto-policies/config is supposed to configure all
> at once.

Thanks, I have found this:

And yes, it's a Fedora change

-- 
Dario Lesca
(sent from my Linux Fedora 31 Workstation)
