[Bug 1207963] New: kdelibs3 3.5.10-241.19 causes kmail3 to stop being able to send
http://bugzilla.opensuse.org/show_bug.cgi?id=1207963

Bug ID: 1207963
Summary: kdelibs3 3.5.10-241.19 causes kmail3 to stop being able to send
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: michael@actrix.gen.nz
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

In TW 20230202 +, KDE3:kmail3 can no longer send via SMTP and SSL/TLS pop no longer works. The TW version doesn't seem to matter. The cause is something in kdelibs3 3.5.10-241.19, possibly in combination with kdepim3 3.5.10-290.18.

There is a workaround... I used /var/cache/zypp with rpm --upgrade --force to revert to kdepim3-3.5.10-290.18.x86_64.rpm, which had no effect, but also reverting to kdelibs3-3.5.10-241.16.x86_64.rpm got everything working again.

The following was logged, seems to point to protocol issues,

Feb 06 13:48:46 ksmserver[13902]: 40CF65DC027F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:
Feb 06 13:48:49 ksmserver[13902]: 40CF65DC027F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:
Feb 06 13:48:58 ksmserver[13923]: kioslave: ####### CRASH ###### protocol = smtps pid = 13923 signal = 11
Feb 06 13:49:00 ksmserver[13927]: kioslave: ####### CRASH ###### protocol = smtps pid = 13927 signal = 11
Feb 06 13:49:27 ksmserver[13902]: 40CF65DC027F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:
Feb 06 13:49:37 ksmserver[13902]: 40CF65DC027F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:
Feb 06 13:49:49 ksmserver[13946]: kioslave: ####### CRASH ###### protocol = smtps pid = 13946 signal = 11

Details of the SMTP server, no ports work, not even 25

Port with SSL: 465 or 587
Port with TLS: 587
Port without SSL/TLS: 25
Authentication method: Password
Requires sign-in Yes

SSL and TLS pop on 995 stopped working, but unencrypted port 110 still works:

Port with SSL/TLS: 995
Port without SSL/TLS: 110
Username: Your username
Password: Your password
Authentication Type: Password

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c1

Yasuhiko Kamata <belphegor@belbel.or.jp> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED
                 CC|                            |belphegor@belbel.or.jp
           Assignee|screening-team-bugs@suse.de |belphegor@belbel.or.jp

--- Comment #1 from Yasuhiko Kamata <belphegor@belbel.or.jp> ---
Thank you, screening team. I have already received an email from him (the reporter), so I'll handle it as KDE3 maintainer (https://build.opensuse.org/users/belphegor_belbel).

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c2

Yasuhiko Kamata <belphegor@belbel.or.jp> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Yasuhiko Kamata <belphegor@belbel.or.jp> ---
This bug was caused by a version upgrade of openssl, which recently became 3.X as Tumbleweed's default.

In version 3, SSL_get_peer_certificate() was removed from the library and SSL_get1_peer_certificate() ("1" was added) was provided instead. Normally, this problem is automatically resolved in the build process (as other libs can do it), but kdelibs3 has a mechanism to load dynamically (specifying the function name directly), so the loading failed.

So I added a patch named "kdelibs-3.5.10-ossl-3.patch" as follows:
https://build.opensuse.org/request/show/1063699

Built binaries will be available after a short time. You can check it with "rpm -q --changelog kdelibs3 | less" after upgrade.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c3

Michael Hamilton <michael@actrix.gen.nz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #3 from Michael Hamilton <michael@actrix.gen.nz> ---
Thanks for the prompt response. Unfortunately, I'm still getting TLS errors.

I've experimented using rpm to change between versions:

# rpm -q --changelog /var/cache/zypp/packages/Tumbleweed_KDE3/x86_64/kdelibs3-3.5.10-242.1.x86_64.rpm | head
* Wed Feb 08 2023 Yasuhiko Kamata <belphegor@belbel.or.jp>
- Added kdelibs-3.5.10-ossl-3.patch for supporting openssl 3.0 (SSL_get_peer_certificate() was renamed to SSL_get1_peer_certificate, boo#1207963).

# rpm --upgrade /var/cache/zypp/packages/Tumbleweed_KDE3/x86_64/kdelibs3-3.5.10-242.1.x86_64.rpm
Verifying packages...
Preparing packages...
kdelibs3-3.5.10-242.1.x86_64
/opt/kde3/bin/kpac_dhcp_helper: no configuration entry in active permission profiles found. Cannot check this path.
kdelibs3-3.5.10-241.16.x86_64

# rpm -q --changelog kdelibs3 | head
* Wed Feb 08 2023 Yasuhiko Kamata <belphegor@belbel.or.jp>
- Added kdelibs-3.5.10-ossl-3.patch for supporting openssl 3.0 (SSL_get_peer_certificate() was renamed to SSL_get1_peer_certificate, boo#1207963).

# zypper ps -s # check that all kmail kde3 kdeinit processes and are gone or reboot

Back to getting TLS errors, so I rebooted to be sure, but that didn't help. I've appended a journal message that was logged to the end of the comment.

I reverted to old package:

# rpm --upgrade --force /var/cache/zypp/packages/Tumbleweed_KDE3/x86_64/kdelibs3-3.5.10-241.16.x86_64.rpm
# zypper ps -s # check that all kmail kde3 processes and are gone or reboot

I restarted kmail, no TLS errors.

Now that the linkage issue is resolved, could there be some other settings changes needed for openssl 3.X - perhaps for backward compatibility?

--------
Journal message follows:

Journal Entry 2023-02-08 17:29:15.137584+13:00
MESSAGE : 409FC5BA497F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:
PRIORITY : 6
SYSLOG_FACILITY : 3
SYSLOG_IDENTIFIER : plasmashell
_AUDIT_LOGINUID : 500
_AUDIT_SESSION : 4
_BOOT_ID : 9109cb9b-0f7e-418d-b434-110bee0dec11
_CAP_EFFECTIVE : 0
_CMDLINE : "kio_pop3 [kdeinit] pop3 /tmp/ksocket-michae"
_COMM : kio_pop3
_EXE : /opt/kde3/bin/kdeinit
_GID : 500
_HOSTNAME : kosmos1.gentoo.co.nz
_MACHINE_ID : f46fb36d-a070-7527-1a4e-af8f58081717
_PID : 5267
_RUNTIME_SCOPE : system
_SELINUX_CONTEXT : unconfined
_STREAM_ID : 44c5230e15a34ee9a7d72dcd339fd9e4
_SYSTEMD_CGROUP : /user.slice/user-500.slice/user@500.service/session.slice/plasma-plasmashell.service
_SYSTEMD_INVOCATION_ID : 5c457c19b2b045758c806dd626e56c8c
_SYSTEMD_OWNER_UID : 500
_SYSTEMD_SLICE : user-500.slice
_SYSTEMD_UNIT : user@500.service
_SYSTEMD_USER_SLICE : session.slice
_SYSTEMD_USER_UNIT : plasma-plasmashell.service
_TRANSPORT : stdout
_UID : 500
__CURSOR : s=aa0a9e554fe34b308777e5fc5d3112c6;i=31b01b;b=9109cb9b0f7e418db434110bee0dec11;m=56aba6ca;t=5f428b4f15630;x=51f3588561bcf708
__MONOTONIC_TIMESTAMP : journal.Monotonic(timestamp=datetime.timedelta(seconds=1454, microseconds=89930), bootid=UUID('9109cb9b-0f7e-418d-b434-110bee0dec11'))
__REALTIME_TIMESTAMP : 2023-02-08 17:29:15.137584+13:00

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c4

--- Comment #4 from Michael Hamilton <michael@actrix.gen.nz> ---
In case it helps, here are the actual ISP's connection details:
https://voyager.powerappsportals.com/knowledgebase/article/KA-01103/en-us

I wonder if they're running with old protocols that openssl-3X might not like. I'm not sure how to check that.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c5

--- Comment #5 from Michael Hamilton <michael@actrix.gen.nz> ---
I've found the cause of my continuing problem with kmail3/kdelibs3, which is no longer really to blame. It has something to do with /etc/crypto-policies/back-ends/opensslcnf.config.

The file opensslcnf.conf does not appear to have changed with the upgrade to openssl3.X. I have a machine that has not been updated for many months with the same file contents. However, it seems that if I change:

    TLS.MinProtocol = TLSv1.2

to

    TLS.MinProtocol = TLSv1.0

then I no longer see any errors.

I'm not actually sure what this means.

1) Was MinProtocol not being enforced prior to openssl3.X?
2) Is my ISP actually still using TLSv1.0? I don't know how to confirm what they are using.

I'm not sure if this is a bug. The bug against KDE3 should probably be closed as resolved. Should a new one be raised against openssl3? Or crypto-policies-20210917.c9d86d1-1.11.noarch which owns the config file:

# rpm -q -f /etc/crypto-policies/back-ends/opensslcnf.config
crypto-policies-20210917.c9d86d1-1.11.noarch

Or is this not a bug, more of a missing release note issue.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c6

--- Comment #6 from Michael Hamilton <michael@actrix.gen.nz> ---
If I use openssl to connect to my ISP I can see errors with MinProtocol TLSv1.2 and I succeed with TLSv1.1.

-----------------------------------------------------
With TLS.MinProtocol = TLSv1.2

# openssl s_client -connect pop.actrix.co.nz:995
CONNECTED(00000003)
40B7E358697F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 327 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

--------------------------------------------------------
With TLS.MinProtocol = TLSv1.1

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = "DigiCert, Inc.", CN = RapidSSL Global TLS RSA4096 SHA256 2022 CA1
verify return:1
depth=0 CN = *.actrix.co.nz
verify return:1
---
Certificate chain
 0 s:CN = *.actrix.co.nz
   i:C = US, O = "DigiCert, Inc.", CN = RapidSSL Global TLS RSA4096 SHA256 2022 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 6 00:00:00 2022 GMT; NotAfter: Dec 23 23:59:59 2023 GMT
 1 s:C = US, O = "DigiCert, Inc.", CN = RapidSSL Global TLS RSA4096 SHA256 2022 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 4 00:00:00 2022 GMT; NotAfter: Nov 9 23:59:59 2031 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Nov 10 00:00:00 2006 GMT; NotAfter: Nov 10 00:00:00 2031 GMT
---
...
---
+OK Hello there.

---------------------------------------------

No idea who is at fault, my ISP, or openssl?

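The error string that appears in the journal lines and in the s_client output above can be decoded mechanically. The following is an added example, not part of the original thread: it unpacks the OpenSSL 3.x error code 0A000102 into its library and reason numbers and separates client-side TLS version rejections from kioslave crashes. The sample lines are constructed in the format quoted in this thread, and the names decode_code, classify and triage are made up for the illustration.

```python
import re
from collections import Counter

ERR_LIB_SSL = 20                   # ERR_LIB_SSL in <openssl/err.h>
SSL_R_UNSUPPORTED_PROTOCOL = 258   # 0x102 in <openssl/sslerr.h>

# <thread id>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"[0-9A-Fa-f]+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")
CRASH_RE = re.compile(
    r"kioslave: #+ CRASH #+ protocol = (?P<proto>\S+) "
    r"pid = (?P<pid>\d+) signal = (?P<sig>\d+)")

# Constructed sample, modelled on the journal lines quoted in this thread.
SAMPLE_JOURNAL = [
    "Feb 06 13:48:46 ksmserver[13902]: 40CF65DC027F0000:error:0A000102:SSL routines:"
    "ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:",
    "Feb 06 13:48:58 ksmserver[13923]: kioslave: ####### CRASH ###### "
    "protocol = smtps pid = 13923 signal = 11",
    "Feb 06 13:49:27 ksmserver[13902]: 40CF65DC027F0000:error:0A000102:SSL routines:"
    "ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1952:",
    "Feb 06 13:49:40 ksmserver[13902]: 40CF65DC027F0000:error:0A000086:SSL routines:"
    "tls_post_process_server_certificate:certificate verify failed:"
    "ssl/statem/statem_clnt.c:1889:",
    "Feb 06 13:50:02 systemd[1]: Started Session 4 of User michael.",
]


def decode_code(code_hex):
    """Split an OpenSSL 3.x packed error code into (library, reason).

    The library number sits in bits 23-30, the reason in bits 0-22.
    """
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF


def classify(line):
    """Label one journal line by failure class."""
    m = ERR_RE.search(line)
    if m:
        lib, reason = decode_code(m["code"])
        if (lib, reason) == (ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL):
            # Raised on the client while processing the server's version
            # choice: the version is outside the client's enabled range,
            # for example below TLS.MinProtocol.
            if m["func"] == "ssl_choose_client_version":
                return "client-rejected-server-version"
            return "unsupported-protocol"
        return "other-openssl-error"
    m = CRASH_RE.search(line)
    if m:
        # A crashed kioslave is a different failure class from a handshake
        # that was refused cleanly; count it per protocol and signal.
        return f"crash:{m['proto']}:signal{m['sig']}"
    return "unrelated"


def triage(lines):
    """Count journal lines per failure class."""
    return Counter(classify(line) for line in lines)


if __name__ == "__main__":
    for label, count in sorted(triage(SAMPLE_JOURNAL).items()):
        print(f"{count:3d}  {label}")
```

Keeping the two classes apart matters when reading such a journal: a fix for one of them leaves the other in place.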
http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c7

--- Comment #7 from Michael Hamilton <michael@actrix.gen.nz> ---
One more note. I find that kmail3 only works with TLS.MinProtocol = TLSv1.0, whereas the openssl command appears to reach "+OK Hello there." with it set to TLSv1.1. So that's a bit weird.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c8

Yasuhiko Kamata <belphegor@belbel.or.jp> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael@actrix.gen.nz
              Flags|                            |needinfo?(michael@actrix.gen.nz)

--- Comment #8 from Yasuhiko Kamata <belphegor@belbel.or.jp> ---
Thanks for testing again, I've found one more problem.

Due to upgrading of openssl-3, "libssl.so.3" and "libcrypto.so.3" should be included in candidate file names. (Because they are dynamically (manually) loaded as mentioned above, these file names should be specified in source code).

So I updated the patch and submitted again. Could you upgrade it and test again? I'll leave this report open.

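The two loader problems described in comments #2 and #8 (a renamed symbol, and a library file name missing from the candidate list) can be reproduced with any runtime loader. The following is an added example, not the kdelibs3 patch and not code from this thread: it uses Python's ctypes, which wraps dlopen()/dlsym(), to try candidate sonames and symbol names in order and to fail with an explicit error when nothing binds. The "libssl.so.1.1" candidate and the names open_first, resolve_first, bind_peer_certificate and BindingError are assumptions made for the illustration.

```python
import ctypes

# Candidate library names, newest first. "libssl.so.3" is the name given in
# comment #8; "libssl.so.1.1" is an assumed older name for illustration.
LIBSSL_CANDIDATES = ("libssl.so.3", "libssl.so.1.1")

# OpenSSL 3 exports SSL_get1_peer_certificate; earlier releases export
# SSL_get_peer_certificate (comment #2). Both hand back a new reference
# that the caller releases with X509_free().
PEER_CERT_SYMBOLS = ("SSL_get1_peer_certificate", "SSL_get_peer_certificate")


class BindingError(RuntimeError):
    """No candidate library or symbol could be bound."""


def open_first(candidates, loader=ctypes.CDLL):
    """Return (name, handle) for the first candidate the loader can open."""
    tried = []
    for name in candidates:
        try:
            return name, loader(name)      # ctypes.CDLL calls dlopen()
        except OSError as exc:
            tried.append(f"{name}: {exc}")
    raise BindingError("no library loaded; tried " + "; ".join(tried))


def resolve_first(lib, symbols):
    """Return (symbol, function) for the first symbol the library exports."""
    for symbol in symbols:
        try:
            return symbol, getattr(lib, symbol)   # dlsym() under the hood
        except AttributeError:
            continue
    raise BindingError("none of these symbols are exported: " + ", ".join(symbols))


def bind_peer_certificate(loader=ctypes.CDLL):
    """Bind the peer-certificate accessor under whichever name exists."""
    soname, lib = open_first(LIBSSL_CANDIDATES, loader)
    symbol, fn = resolve_first(lib, PEER_CERT_SYMBOLS)
    fn.restype = ctypes.c_void_p      # X509 *
    fn.argtypes = [ctypes.c_void_p]   # const SSL *
    return soname, symbol, fn


if __name__ == "__main__":
    try:
        soname, symbol, _ = bind_peer_certificate()
        print(f"bound {symbol} from {soname}")
    except BindingError as exc:
        # Fail closed: report the gap instead of continuing with an unbound
        # function and discovering it at call time.
        print(f"TLS backend unavailable: {exc}")
```

Code that resolves symbols by name gets no help from the linker when an upstream API is renamed, so the lookup result has to be checked at load time.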
http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c9

--- Comment #9 from Michael Hamilton <michael@actrix.gen.nz> ---
(In reply to Yasuhiko Kamata from comment #8)
> Thanks for testing again, I've found one more problem.
>
> Due to upgrading of openssl-3, "libssl.so.3" and "libcrypto.so.3" should be included in candidate file names. (Because they are dynamically (manually) loaded as mentioned above, these file names should be specified in source code).
>
> So I updated the patch and submitted again. Could you upgrade it and test again? I'll leave this report open.

I see that it's building now. I'll check again in the morning.

I've also found that the openssl command can work OK on TLSv1.2, but sometimes it fails with an error (maybe 1 time in 5). So perhaps I'm just seeing a normal kind of handshake or timeout error. So the openssl testing may just be a false trail.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c10

--- Comment #10 from Michael Hamilton <michael@actrix.gen.nz> ---
(In reply to Yasuhiko Kamata from comment #8)
> Thanks for testing again, I've found one more problem.
>
> Due to upgrading of openssl-3, "libssl.so.3" and "libcrypto.so.3" should be included in candidate file names. (Because they are dynamically (manually) loaded as mentioned above, these file names should be specified in source code).
>
> So I updated the patch and submitted again. Could you upgrade it and test again? I'll leave this report open.

Some progress I think with TLS.MinProtocol = TLSv1.2

After the latest patch, TLS for SMTP worked right away. So that's fixed for sure.

I had a lot of trouble with POP because somehow experimenting with the POP settings sometimes resets the POP port to 110. It took quite some time for me to realise that had been reset. I was further confused when I set the port back to 995. I was getting the error dialog: "Could not connect to host Your POP3 server claims to support TLS but negotiation was unsuccessful. You can disable TLS in KDE using the crypto settings module..".

I decided to enable POP SSL instead of TLS and I checked that the port stayed set at 995. At which point pop started to work, including after a reboot (for most of my testing I just made sure kmail3 and any kdeinit processes had exited before restarting kmail).

As with the openssl command, a kmail pop connection occasionally fails, perhaps because I try too frequently.

BTW, the openssl command I use is:

openssl s_client -connect pop.actrix.co.nz:995

I think the failure may be prior to login, so it is possible to test against this server without having a username or password.

I just looked in my backups at old copies of .kde/share/config/kmailrc. It seems prior to all this trouble commencing, I was actually using POP on port 110 with TLS, which was not supposed to be a TLS port. I have no idea how that was working.

Now POP on port 995 TLS doesn't work, but 995 SSL does. That's fine by me, but I don't know whether that is a true pass for this patch.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c11

--- Comment #11 from Yasuhiko Kamata <belphegor@belbel.or.jp> ---
Thanks again for testing.

As a side note, the "TLS" setting in kmail means to use STARTTLS command. This is specified at RFC-2595 (POP3) and RFC-3207 (SMTP).

https://www.rfc-editor.org/rfc/rfc2595.html
https://www.rfc-editor.org/rfc/rfc3207.html

You can use STARTTLS them with:

openssl s_client -starttls pop3 -connect pop.actrix.co.nz:110
openssl s_client -starttls smtp -connect smtp.actrix.co.nz:587

In a (normal) SSL connection, encryption is performed from the beginning of the connection. But in a STARTTLS ("TLS") connection, encryption is performed only AFTER the "STARTTLS" command.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c12

--- Comment #12 from Michael Hamilton <michael@actrix.gen.nz> ---
(In reply to Yasuhiko Kamata from comment #11)
> Thanks again for testing.
>
> As a side note, the "TLS" setting in kmail means to use STARTTLS command. This is specified at RFC-2595 (POP3) and RFC-3207 (SMTP).
>
> https://www.rfc-editor.org/rfc/rfc2595.html
> https://www.rfc-editor.org/rfc/rfc3207.html
>
> You can use STARTTLS them with:
> openssl s_client -starttls pop3 -connect pop.actrix.co.nz:110
> openssl s_client -starttls smtp -connect smtp.actrix.co.nz:587
>
> In a (normal) SSL connection, encryption is performed from the beginning of the connection. But in a STARTTLS ("TLS") connection, encryption is performed only AFTER the "STARTTLS" command.

Thanks for the clarification. The two options make a lot more sense now. So kmail3 should work with port 110 and TLS (STARTTLS) - that explains why it used to work.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c13

--- Comment #13 from Yasuhiko Kamata <belphegor@belbel.or.jp> ---
This is just a reminder, is KDE3 working fine?

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c14

--- Comment #14 from Michael Hamilton <michael@actrix.gen.nz> ---
(In reply to Yasuhiko Kamata from comment #13)
> This is just a reminder, is KDE3 working fine?

Sorry, some confusion, I wasn't aware you were waiting on me. I did previously add:

> Now POP on port 995 TLS doesn't work, but 995 SSL does. That's fine by me, but I don't know whether that is a true pass for this patch.

I didn't know how to interpret the failure of port 995 with TLS. From what you wrote earlier, that sounds like it might be OK. As long as that's OK, I'm happily using port 995 with SSL. Everything is working.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207963#c15

Yasuhiko Kamata <belphegor@belbel.or.jp> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
             Status|REOPENED                         |RESOLVED
         Resolution|---                              |FIXED
              Flags|needinfo?(michael@actrix.gen.nz) |

--- Comment #15 from Yasuhiko Kamata <belphegor@belbel.or.jp> ---
Thanks for reply. Marked as resolved.