FS#76585 - Cannot connect to mail server after update to OpenSSL 3.0.7

Attached to Project: Arch Linux
Opened by Timo Wilken (twilk) - Tuesday, 15 November 2022, 15:39 GMT
Last edited by Evangelos Foutras (foutrelis) - Wednesday, 16 November 2022, 21:05 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

After updating the openssl package from 1.1.1 to 3.0.7, I cannot connect to the IMAP server imap.cern.ch any more. That IMAP server requires TLSv1.0, which may be part of the problem. It is a Microsoft Exchange server.

I get the following output from curl when trying to connect. KMail refuses to connect, saying only "connection refused".

$ curl -v 'imaps://imap.cern.ch:993/'
* Trying [2001:1458:201:66::100:14]:993...
* Connected to imap.cern.ch (2001:1458:201:66::100:14) port 993 (#0)
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.0 (OUT), TLS alert, internal error (592):
* error:0A0C0103:SSL routines::internal error
* Closing connection 0
curl: (35) error:0A0C0103:SSL routines::internal error

I still have an openssl 1.1.1m build lying around (built on CentOS 7), with which I can connect to the same server without any problems.

Additional info:
* package version(s): openssl 3.0.7-2, curl 7.86.0-3, kmail 22.08.3-1
* config and/or log files etc.: see above
* link to upstream bug report, if any: N/A

Steps to reproduce:
1. run `curl -v 'imaps://imap.cern.ch:993/'`
2. observe the error

Closed by Evangelos Foutras (foutrelis)
Wednesday, 16 November 2022, 21:05 GMT
Reason for closing: Not a bug
Comment by Morten Linderud (Foxboron) - Tuesday, 15 November 2022, 15:44 GMT
I don't think this is actionable.

Nobody should be using TLS1.0 so this should be fixed by your email administrators.
Comment by Evangelos Foutras (foutrelis) - Tuesday, 15 November 2022, 20:49 GMT
To expand a bit, the explanation for this failure can be found at [1]:

"SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0, except when RSA key exchange without SHA1 is used."

While it can be worked around on the client side, it's not advisable to do so. It's about time service providers support more secure protocols. :)

[1] https://www.openssl.org/news/openssl-3.0-notes.html
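The quoted note is the whole story: under OpenSSL 3 a client at the default security level will never complete a TLS 1.0 handshake, so the useful check is what the server itself can negotiate. The following probe is an added example, not part of this report or of any Arch package; it uses only the Python standard library, takes the host as an argument (the page's imap.cern.ch is merely the assumed default), and its verdict applies the rule from the release note: TLS 1.0/1.1 work only at security level 0.

```python
import socket
import ssl
import sys

# Version names as ssl.SSLSocket.version() reports them.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")  # refused by OpenSSL 3 above security level 0

def probe(host, port=993, timeout=5.0):
    """One handshake attempt per TLS version: version -> negotiated name or error."""
    results = {}
    for name, ver in VERSIONS.items():
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # protocol support is the question here,
        ctx.verify_mode = ssl.CERT_NONE  # not certificate validity
        try:
            if name in LEGACY:
                # Only security level 0 lets OpenSSL 3 speak TLS 1.0/1.1 at all.
                ctx.set_ciphers("DEFAULT@SECLEVEL=0")
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version()
        except (ssl.SSLError, ValueError, OSError) as exc:
            results[name] = f"failed: {exc}"
    return results

def supported(results):
    # Versions the server actually negotiated (value equals the requested name).
    return [v for v in VERSIONS if results.get(v) == v]

def verdict(results):
    """Classify a probe result against OpenSSL 3's default security level."""
    ok = supported(results)
    modern = [v for v in ok if v not in LEGACY]
    if modern:
        return "ok: negotiates " + ", ".join(modern) + " (works at default security level)"
    if ok:
        return ("legacy-only: offers " + ", ".join(ok)
                + "; OpenSSL 3 clients need SECLEVEL=0, server should enable TLS 1.2+")
    return "unreachable: no TLS version negotiated"

if __name__ == "__main__":  # assumed default host taken from the report above
    print(verdict(probe(sys.argv[1] if len(sys.argv) > 1 else "imap.cern.ch")))
```

A "legacy-only" verdict means the fix belongs on the server; enabling SECLEVEL=0 client-side merely re-opens protocols OpenSSL 3 deliberately closed.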
