GNOME Bugzilla – Bug 350617
[PATCH] Evolution sends IMAP LOGIN even though plaintext authentication is disabled on the server
Last modified: 2013-09-10 13:42:14 UTC
Please describe the problem:
If I select TLS encryption for an IMAP connection but I reject the certificate, so that it can't use TLS, it will fall back to unencrypted and send a plaintext LOGIN, even if the server has indicated in the CAPABILITY response that plaintext authentication is disabled.

Steps to reproduce:
1. Configure an IMAP server to support TLS with a self-signed certificate
2. Configure Evolution to use TLS as the encryption mechanism
3. Give the password but reject the certificate

Actual results:
Evolution attempts a plaintext LOGIN and an alert is given with a message from the server saying "Plaintext authentication is disabled, but your client sent password in plaintext anyway. If anyone was listening, the password was exposed."

Expected results:
Evolution should see from the CAPABILITY response that LOGIN is not allowed and give up.

Does this happen every time?
Yes

Other information:
Here is the IMAP transaction captured by ethereal:

* OK Dovecot ready.
A00000 CAPABILITY
* CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS LOGINDISABLED
A00000 OK Capability completed.
A00001 LOGIN user password
* BAD [ALERT] Plaintext authentication is disabled, but your client sent password in plaintext anyway. If anyone was listening, the password was exposed.
A00001 NO Plaintext authentication disabled.
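The decision the report is about, as an added example that is not Evolution's or Dovecot's own code: a small Python model of the captured exchange. The CAPABILITY and alert lines are copied from the capture above; `FakeServer`, `authenticate`, `finish_tls` and `sent_plaintext_login` are constructed names for illustration. RFC 3501 says a client MUST NOT issue LOGIN while the server advertises LOGINDISABLED, so a TLS failure must end in an error, not a plaintext fallback; the model runs the client both ways and records whether a LOGIN ever went over the wire without TLS.

```python
"""Constructed model (not Evolution's or Dovecot's code) of the
pre-authentication decision in this bug: after TLS could not be set up,
may the client fall back to a plaintext LOGIN?  Per RFC 3501 it may not
while the server advertises LOGINDISABLED."""

# Lines taken from the capture in the report.
CAPABILITY_LINE = (
    "* CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT "
    "LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS LOGINDISABLED"
)
ALERT = ("* BAD [ALERT] Plaintext authentication is disabled, but your client "
         "sent password in plaintext anyway. If anyone was listening, the "
         "password was exposed.")


def parse_capabilities(line):
    """Return the set of capability atoms in an untagged CAPABILITY line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {p.upper() for p in parts[2:]}


class FakeServer:
    """Fake IMAP server (constructed) behaving like the Dovecot in the capture."""

    def __init__(self):
        self.tls = False
        self.received = []          # (command line, was TLS up?) for inspection

    def command(self, tag, line):
        self.received.append((line, self.tls))
        verb = line.split()[0].upper()
        if verb == "CAPABILITY":
            caps = CAPABILITY_LINE.split()[2:]
            if self.tls:            # plaintext LOGIN is acceptable inside TLS
                caps = [c for c in caps if c not in ("STARTTLS", "LOGINDISABLED")]
            return ["* CAPABILITY " + " ".join(caps),
                    tag + " OK Capability completed."]
        if verb == "STARTTLS":
            return [tag + " OK Begin TLS negotiation now."]
        if verb == "LOGIN":
            if not self.tls:        # exactly the exchange the report shows
                return [ALERT, tag + " NO Plaintext authentication disabled."]
            return [tag + " OK Logged in."]
        return [tag + " BAD Unsupported in this model"]

    def finish_tls(self, client_accepts_certificate):
        """Model the handshake: it only completes if the user accepts the cert."""
        self.tls = bool(client_accepts_certificate)
        return self.tls


def authenticate(server, accept_certificate, honour_logindisabled):
    """One client session.  honour_logindisabled=False reproduces the bug;
    True is the behaviour the reporter expects."""
    caps = parse_capabilities(server.command("A00000", "CAPABILITY")[0])
    tls_up = False
    if "STARTTLS" in caps:
        server.command("A00001", "STARTTLS")
        tls_up = server.finish_tls(accept_certificate)
        if tls_up:  # re-read capabilities: the post-TLS set is authoritative
            caps = parse_capabilities(server.command("A00002", "CAPABILITY")[0])
    if not tls_up and honour_logindisabled and "LOGINDISABLED" in caps:
        return "ABORT: TLS failed and the server disallows plaintext LOGIN"
    reply = server.command("A00003", "LOGIN user password")
    return reply[-1].split(" ", 1)[1]          # e.g. "OK Logged in."


def sent_plaintext_login(server):
    """True if a LOGIN went over the wire while TLS was not up."""
    return any(line.upper().startswith("LOGIN") and not tls
               for line, tls in server.received)


if __name__ == "__main__":
    for honour in (False, True):
        srv = FakeServer()
        result = authenticate(srv, accept_certificate=False,
                              honour_logindisabled=honour)
        print("honour LOGINDISABLED=%s -> %s | plaintext LOGIN sent: %s"
              % (honour, result, sent_plaintext_login(srv)))
```

The check belongs on the capability set read before STARTTLS, because that is the only set the client has once the handshake has failed; a client that re-reads capabilities only after a successful handshake, as this model does, gets the post-TLS set without LOGINDISABLED and may then LOGIN.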
oO raising prio
This is a must-fix for the release.
Created attachment 71751 [details] [review] Fix Should probably fix the issue. Needs to be tested and reviewed.
Created attachment 71753 [details] [review] Fix The previous patch doesn't have the changes in the .h file. Attaching the correct/complete patch.
Sankar: Is this blocked for want of review? Varadhan: Can you please look into this?
The patch adds a new string, so it can only go into 2.8 after a request.
This fix works fine. It's OK to commit. Sankar, can't this go into the head now?
I feel the fix is a must-have for 2.8 too. Sankar: Can you request a string freeze break and get this in for 2.8 as well?
Created attachment 73075 [details] [review] Fix The error message in the previous patch was too technical. The new patch has a better error message. Requesting a string break.
Please use complete sentences: Failed to connect to IMAP server %s in secure mode, and plain-text password authentication is disabled in the server.
Can I commit the patch, changing the string as suggested?
Fix committed by modifying the patch without a string change (using an existing string). Sankar: Please follow this up again after the release in case you want a more precise error message.