GNOME Bugzilla – Bug 339939
Evolution sent my IMAP password out in the clear even though I enabled TLS
Last modified: 2006-04-27 18:28:38 UTC
Please describe the problem:
Evolution fails to establish a TLS-secured session with my IMAP server. It then *silently* falls back to clear text and transmits my password over the unsecured connection! The IMAP server is Courier IMAP; it logs the following error:

  Apr 27 17:34:22 blah imaplogin: couriertls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Since the server continually replies with 'NO STARTTLS required', it is impossible to escape from the password dialog without having to kill Evolution: as soon as I press cancel, it comes back, and this repeats forever.

Steps to reproduce:
1. Configure IMAP account to use TLS
2. Enter password at password prompt
3. Evolution issues the STARTTLS command, but then drops back to clear text when the TLS negotiation fails

Actual results:
Evolution sends my password out in clear text even though the server advertised the LOGINDISABLED capability. According to RFC 2595 section 3.2:

  The current IMAP protocol specification (RFC 2060) requires the implementation of the LOGIN command which uses clear-text passwords. Many sites may choose to disable this command unless encryption is active for security reasons. An IMAP server MAY advertise that the LOGIN command is disabled by including the LOGINDISABLED capability in the capability response. Such a server will respond with a tagged "NO" response to any attempt to use the LOGIN command.
  ...
  An IMAP client which complies with this specification MUST NOT issue the LOGIN command if this capability is present.

Expected results:
Evolution should display an error message to the user and not fall back to a clear connection. I think there should also be some kind of indicator in the password dialog box showing whether the connection is secured. An obvious indicator is a padlock that appears locked/unlocked depending on whether the connection is secured or not.

Does this happen every time?
Yes

Other information:
Here is a transcript of the IMAP session:

####
T 1.2.3.4:143 -> 100.101.102.103:42060 [AP]
  * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
##
T 100.101.102.103:42060 -> 1.2.3.4:143 [AP]
  A00000 CAPABILITY
##
T 1.2.3.4:143 -> 100.101.102.103:42060 [AP]
  * CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED
  A00000 OK CAPABILITY completed
##
T 100.101.102.103:42060 -> 1.2.3.4:143 [AP]
  A00001 STARTTLS
#
T 1.2.3.4:143 -> 100.101.102.103:42060 [AP]
  A00001 OK Begin SSL/TLS negotiation now.
##
T 100.101.102.103:42060 -> 1.2.3.4:143 [AP]
  .4..........................d..b......' Z[...V.....}..
#####
T 1.2.3.4:143 -> 100.101.102.103:42061 [AP]
  * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
##
T 100.101.102.103:42061 -> 1.2.3.4:143 [AP]
  A00000 CAPABILITY
##
T 1.2.3.4:143 -> 100.101.102.103:42061 [AP]
  * CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED
  A00000 OK CAPABILITY completed
##
T 100.101.102.103:42061 -> 1.2.3.4:143 [AP]
  A00001 LOGIN user password
#
T 1.2.3.4:143 -> 100.101.102.103:42061 [AP]
  A00001 NO STARTTLS required
####
T 100.101.102.103:42061 -> 1.2.3.4:143 [AP]
  A00002 LOGOUT

<repeats until I kill evolution>
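The exchange in the transcript, replayed against an in-memory fake server, as an added example that is not part of the original report and not Evolution's (Camel's) own code. It contrasts the reported behaviour (reconnect in the clear after the TLS handshake dies and send LOGIN anyway) with the RFC 2595 rule that a client MUST NOT issue LOGIN while LOGINDISABLED is advertised. The capability list is copied from the greeting above; the post-TLS capability list, the `FakeCourier` class and all function names are assumptions made for the example.

```python
"""Client-side guard against the clear-text fallback described in the report.

Constructed, stand-alone example (not Evolution's code). A fake server replays
the pre-login exchange from the transcript; `wire` records every command that
crosses the socket before TLS is up, i.e. what a sniffer on the path sees.
"""
import re

# Capability list copied from the transcript's server greeting.
CAPS_PLAIN = ("IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
              "THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED")
# Assumed post-TLS list: STARTTLS and LOGINDISABLED are dropped once encrypted.
CAPS_TLS = CAPS_PLAIN.replace(" STARTTLS LOGINDISABLED", "")


def parse_capabilities(line):
    """Capability tokens from '* OK [CAPABILITY ...]' or '* CAPABILITY ...'."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m:
        body = m.group(1)
    elif line.startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        return set()
    return {tok.upper() for tok in body.split()}


class ClearTextRefused(Exception):
    """Raised instead of sending credentials over an unencrypted session."""


class FakeCourier:
    """Constructed stand-in for the server in the transcript. `tls_ok` decides
    whether the handshake after STARTTLS succeeds; on failure the socket dies,
    as it did with 'SSL3_GET_RECORD:wrong version number'."""

    def __init__(self, tls_ok, wire):
        self.tls_ok = tls_ok
        self.tls_active = False
        self.wire = wire

    def greeting(self):
        return "* OK [CAPABILITY %s] Courier-IMAP ready." % CAPS_PLAIN

    def command(self, tag, cmd):
        if not self.tls_active:
            self.wire.append(cmd)          # visible in clear text on the network
        verb = cmd.split()[0].upper()
        if verb == "CAPABILITY":
            caps = CAPS_TLS if self.tls_active else CAPS_PLAIN
            return ["* CAPABILITY " + caps, "%s OK CAPABILITY completed" % tag]
        if verb == "STARTTLS":
            if not self.tls_ok:
                raise ConnectionError("TLS handshake failed")
            self.tls_active = True
            return ["%s OK Begin SSL/TLS negotiation now." % tag]
        if verb == "LOGIN":
            if self.tls_active:
                return ["%s OK LOGIN Ok." % tag]
            return ["%s NO STARTTLS required" % tag]
        return ["%s BAD Unrecognized command" % tag]


def make_connect(tls_ok):
    """Factory for fresh connections that share one clear-text wire log."""
    wire = []
    return (lambda: FakeCourier(tls_ok, wire)), wire


def login_as_reported(connect, user, password):
    """Behaviour in the report: when the handshake fails, reconnect in the
    clear and send LOGIN anyway, ignoring LOGINDISABLED."""
    server = connect()
    parse_capabilities(server.greeting())   # parsed but never acted upon
    try:
        server.command("A00001", "STARTTLS")
    except ConnectionError:
        server = connect()                  # silent fallback to plain text
    return server.command("A00001", "LOGIN %s %s" % (user, password))[-1]


def login_compliant(connect, user, password):
    """RFC 2595 behaviour: a failed STARTTLS is fatal, capabilities are re-read
    after TLS, and LOGIN is never issued while LOGINDISABLED is advertised or
    the session is unencrypted."""
    server = connect()
    caps = parse_capabilities(server.greeting())
    if "STARTTLS" in caps:
        try:
            server.command("A00001", "STARTTLS")
        except ConnectionError as exc:
            raise ClearTextRefused("TLS negotiation failed; not retrying in the clear") from exc
        # The pre-TLS capability list is untrusted; fetch it again (RFC 2595, 3.1).
        caps = parse_capabilities(server.command("A00002", "CAPABILITY")[0])
    if "LOGINDISABLED" in caps or not server.tls_active:
        raise ClearTextRefused("server forbids clear-text LOGIN on this connection")
    return server.command("A00003", "LOGIN %s %s" % (user, password))[-1]
```

With `tls_ok=False` the reported flow puts `LOGIN user password` on the clear-text wire and gets back `A00001 NO STARTTLS required`, exactly the transcript; the compliant flow raises `ClearTextRefused` after the handshake failure and the password never leaves the client. Re-reading CAPABILITY after STARTTLS matters because the pre-TLS list could have been altered by an on-path attacker.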
hi sam, thanks for reporting this. this is already fixed in cvs, see bug 321797. *** This bug has been marked as a duplicate of 321797 ***