1821934 – Fedora 32: It looks like the protocol TLS 1.0/1.1 are disabled by default

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1821934 - Fedora 32: It looks like the protocol TLS 1.0/1.1 are disabled by default

Summary: Fedora 32: It looks like the protocol TLS 1.0/1.1 are disabled by default

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	glib-networking
Sub Component:
Version:	32
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Matthias Clasen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-04-07 21:00 UTC by Dario Lesca
Modified:	2020-04-25 02:22 UTC (History)
CC List:	10 users (show)
Fixed In Version:	glib-networking-2.64.2-1.fc32
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-25 02:22:33 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dario Lesca 2020-04-07 21:00:40 UTC

Description of problem:

Run Evolution and configure POP3 point it to old server with TLS protocoll < 1.2 cause this error: "Error performing TLS handshake: A packet with illegal or unsupported version was received."

Version-Release number of selected component (if applicable):
Fedora 32 beta with crypto-policies-20191128-5.gitcd267a5.fc32.noarch

How reproducible:

Steps to Reproduce:
1.Install and run evolution 
2.Configure it on a pop3/imap/smtp with TLS < 1.2
3.Try download mails

Actual results:
You get TLS handshake error

Expected results:
work as expect also with old TLS protocol.

The change of default TLS protocol and drop TLS 1.[01] will done into Fedora 33

Additional info:
See also this thread
https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org/thread/BUNGWYSPMVR2ZKMDUKBGFVEJSTNUC5F7/

Comment 1 Tomas Mraz 2020-04-08 09:47:19 UTC

Daiki, apparently GnuTLS does not enable TLS 1.0 and 1.1 with NORMAL priority by default. Is that true?

If so, we will need the gnutls back-end generator updated to enable TLS 1.0 and TLS 1.1 if in policy.

Comment 2 Michael Catanzaro 2020-04-14 14:48:52 UTC

(In reply to Tomas Mraz from comment #1)
> Daiki, apparently GnuTLS does not enable TLS 1.0 and 1.1 with NORMAL
> priority by default. Is that true?

Beginning with GnuTLS 3.7, yes. But in Fedora 32 we have GnuTLS 3.6 still.

Problem is, glib-networking tries to match web browsers in addition to system policy, so it uses -VERS-TLS1.1:-VERS-TLS1.0 because web browsers planned TLS 1.0/1.1 disablement for March 2020 and glib-networking 2.64 release was scheduled for March. That made sense at the time, but browsers have delayed TLS 1.0/1.1 disablement indefinitely because some government COVID-19 website only supported TLS 1.0. So we need to push an update to reenable these protocols for F32.

(glib-networking can't directly use system policy because, although Fedora system policy might not be too far behind what web browsers are doing, upstream policies move much too slow. E.g. GnuTLS 3.6 branch will never disable TLS 1.0/1.1, but it might be a long time before GnuTLS 3.7 is stable.)

Comment 3 Fedora Update System 2020-04-14 21:02:14 UTC

FEDORA-2020-60b926a6f5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-60b926a6f5

Comment 4 Fedora Update System 2020-04-16 19:27:58 UTC

FEDORA-2020-60b926a6f5 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-60b926a6f5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-60b926a6f5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Dario Lesca 2020-04-19 20:55:54 UTC

(In reply to Fedora Update System from comment #4)
> FEDORA-2020-60b926a6f5 has been pushed to the Fedora 32 testing repository.
> In short time you'll be able to install the update with the following
> command:
> `sudo dnf upgrade --enablerepo=updates-testing
> --advisory=FEDORA-2020-60b926a6f5`
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2020-60b926a6f5
> 
> See also https://fedoraproject.org/wiki/QA:Updates_Testing for more
> information on how to test updates.

I have install this update testing and the access to old email server (TLS<1.2) via evolution work again.

Thank to all
Dario

Comment 6 Fedora Update System 2020-04-25 02:22:33 UTC

FEDORA-2020-60b926a6f5 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.