Re: [Evolution] Fatal TLS Alert



On Sat, 2018-11-03 at 21:13 -0400, Iain McVey via evolution-list wrote:
I just upgraded to Ubuntu 18.10 (Pop_OS! 18.10) so I now have Evolution
version 3.30.1-1 build1

I am getting the following error when I try connecting to my IMAP work
email account:

The reported error was “Failed to get capabilities: Peer sent fatal
TLS alert: Illegal parameter”.


I tried changing between TLS and STARTTLS, and connecting via port 143
(this is the one suggested in the IMAP server setup page) and also 993

these settings worked before the upgrade to 18.10.   And still work on
the gmail client on my phone.

I tried setting up the same account on geary, and claws.  Geary didn't
get the email, but didn't provide any useful feedback.  Claws showed the
same error.

Evolution (and presumably the others you mention) uses OpenSSL (I
think) for the encrypted links. I suspect that it's to do with the
upgrade of that rather than Evolution itself.  


When I set up this account on Thunderbird, I got a message about the
site's certificate being from an unrecognized source, and did I want to
grant an exception.   When I granted the exception, Thunderbird
connected to the server and got my mail.

Thunderbird (like the other Mozilla products) is self-contained so
doesn't rely on external libraries.


So, I am going on the assumption that the TLS problems with Evolution
might be caused by the dodgy certificate my employer's email provider is
using??

I looked around a bit, but couldn't find any means to tell Evolution to
trust a particular certificate.  Is this possible?  Can you point me to
some instructions?

Evolution will ask, but I suspect that's not the underlying problem.

There have been a lot of changes to what are considered to be secure
cyphers recently. The old insecure cyphers have been deprecated for a
while in OpenSSL. What I suspect is happening is that the group of
cyphers OpenSSL will use does not overlap with the cyphers offered by
your server. Specifically SSLv2 and TLSv1.0 are now considered to be
vulnerable.  You need to talk to your sysadmin to find out what cyphers
are offered by the server - if it doesn't offer SSLv3 or TLSv1.2 or
better then you are going to have problems. (I suspect that some would
say SSLv3 also shouldn't be used.)

P.

ps for the non British: s/cypher/cipher/



