Bug#787665: gnutls28: gnutls 3.3.15-5 breaks the tls connection between evolution and my cyrus imapd on debian stable

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 4 13:11:16 UTC 2015


On Thu 2015-06-04 08:02:25 -0400, Andreas Metzler wrote:
> On 2015-06-03 Erik Tews <erik at datenzone.de> wrote:
>> Source: gnutls28
>> Version: 3.3.15-5
>> Severity: important
>
>> Dear Maintainer,
>
>> After having updated gnutls to 3.3.15-5, my evolution is unable to
>> connect to my imap server on mail.datenzone.de port 993 using imap-ssl.
>> However I can still connect to that server using gnutls-cli or icedove.
> [...]
>
> Hello,
>
> can you reproduce the issue if you use the same gnutls priority
> string with gnutls-cli as evolution? I guess it's using
> glib-networking's default value,
> NORMAL:%COMPAT:%LATEST_RECORD_VERSION

I'm not able to reproduce this particular problem, varying between
gnutls-cli 3.3.15-2 and 3.3.15-5, using the connection attempt:

  gnutls-cli --priority NORMAL:%COMPAT:%LATEST_RECORD_VERSION --port imaps mail.datenzone.de --tofu

(i'm using --tofu because i don't have the CACert trust anchor handy).

However, i do see a difference when connecting to alioth's HTTPS
service:

0 dkg at alice:/tmp/cdtemp.qzeQ2t$ dpkg -l libgnutls-deb0-28 
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  libgnutls-deb0 3.3.15-5     amd64        GNU TLS library - main runtime li
0 dkg at alice:/tmp/cdtemp.qzeQ2t$ git clone https://anonscm.debian.org/git/qa/jenkins.debian.net
Cloning into 'jenkins.debian.net'...
fatal: unable to access 'https://anonscm.debian.org/git/qa/jenkins.debian.net/': gnutls_handshake() failed: Public key signature verification has failed.
128 dkg at alice:/tmp/cdtemp.qzeQ2t$


Then downgrade just the gnutls packages:

0 dkg at alice:/tmp/cdtemp.qzeQ2t$ dpkg -l libgnutls-deb0-28 
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  libgnutls-deb0 3.3.15-2     amd64        GNU TLS library - main runtime li
0 dkg at alice:/tmp/cdtemp.qzeQ2t$ git clone https://anonscm.debian.org/git/qa/jenkins.debian.net
Cloning into 'jenkins.debian.net'...
remote: Counting objects: 15996, done.
remote: Compressing objects: 100% (10517/10517), done.
remote: Total 15996 (delta 11587), reused 7302 (delta 5260)
Receiving objects: 100% (15996/15996), 2.21 MiB | 672.00 KiB/s, done.
Resolving deltas: 100% (11587/11587), done.
Checking connectivity... done.
0 dkg at alice:/tmp/cdtemp.qzeQ2t$ 

Is this the same thing?  Andreas, does this help you to reproduce the
problem?

   --dkg