TLS with Kmail

Hi all,

A few days ago my ISP sent this notice:

“**Please note:** From **7 November 2022** onwards we will no longer be supporting TLS versions 1.0 and 1.1 for email. TLS 1.0 and 1.1 have been around for a long time and have become outdated. The security of TLS 1.2 and TLS 1.3 is significantly higher compared to the older versions making sending and receiving emails more secure.”

Since then I cannot access my emails via Kmail. I have tried numerous settings in Kmail, but no luck.

I’m using Tumbleweed & Kmail 5.21.3.

Does anyone know how to fix this?

Thanking you
Pedro

AFAICS, KMail uses both TLSv1.2 and TLSv1.3 – checked the behaviour of my ISP’s e-mail accounts with a Wireshark trace …

Have you set up the port correctly?
Have you set up the authentication correctly?

  • Please check your ISP’s documentation for the relevant information – you can usually use the settings recommended for the Mozilla Thunderbird e-Mail client with KMail.

Thank you for your reply dcurtisfra.

I believe it had been working with TLS, but don’t know what version. I can only assume since it is not working now, that it was a version other than V1.2 or V1.3.

I believe I have the authentication set up correctly.

I don’t know what checks I need to do for the Port setup. Do you have a check-list?

Thanking you
Pedro

PS:
I have used the ISP’s settings, they have not worked. I have also tried other variations without success.
Is there a way to check/ set what version of TLS kmail is using?
Are there any Firewall settings for the ports that I can check?

This problem also affected my Win7 machine. To fix it, I had to change some Registry values to enable TLSv1.3.

Thanking you
Pedro

Trace the network traffic with Wireshark.

  • Filter on the fully qualified IP host and domain name of the ISP’s IMAP/POP3 servers and SMTP servers.

Looking into this issue a bit deeper, it seems that Tumbleweed/Openssl only supports TLS V1.0, V1.1 & V3.0.

Would that be correct?

Kind regards
Pedro

No, it would not (besides, TLS V3.0 does not even exist).

Thank you for your reply arvidjaar. Could you please enlighten me on which TLS versions are supported by Tumbleweed/openssl?

Kind regards
Pedro

Up to and including TLSv1.3.

Thank you arvidjaar for that info. However, I can’t find any evidence that TLSv1.2 or v1.3 are available or operational.

Kind regards
Pedro

Read comment 5 on how to investigate what happens. You can also use s_client to test the connection to the server using selected ciphers and/or TLS versions.

Just for info, openssl TLSv1.2/1.3 support can be checked with these commands:

> openssl ciphers -v | grep TLSv1.3
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

> openssl ciphers -v | grep TLSv1.2
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
....

A TLSv1.3 connection can be tested with:


> openssl s_client -tls1_3 -connect tls13.cloudflare.com:443 < /dev/null
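As an added example (not from rawar's post or anywhere else in this thread), the same s_client check pointed at a mail server instead of Cloudflare: a small POSIX shell script that tries each TLS version in turn, adds -starttls on the plaintext-then-upgrade ports (143/110/587), and parses the "New, …" and "Verify return code" lines of s_client's output. The hostnames in the usage comments are placeholders; the sample outputs the parser is described against are constructed from the format s_client prints.

```shell
#!/bin/sh
# Added example (not from the thread): probe a mail server with openssl s_client
# at each TLS version and report what it negotiates. Hostnames in the usage
# comments are placeholders; substitute your ISP's IMAP/POP3/SMTP servers.

# Read s_client output on stdin and print "<protocol> <cipher> <verify-code>",
# or "FAIL" if no session was established (s_client then prints "(NONE)" or
# never reaches the "New, ..." line at all).
parse_s_client() {
  awk '
    /^New, /               { proto = $2; sub(/,$/, "", proto); cipher = $NF }
    /^Verify return code:/ { verify = $4 }
    END {
      if (proto == "" || proto == "(NONE)") { print "FAIL"; exit }
      if (verify == "") verify = "?"
      print proto, cipher, verify
    }'
}

# probe HOST PORT VERSION_FLAG [STARTTLS_PROTO]
#   VERSION_FLAG is one of tls1 tls1_1 tls1_2 tls1_3 (openssl's -tls1_x options).
#   STARTTLS_PROTO (imap, pop3, smtp) is required on the plaintext-then-upgrade
#   ports 143/110/587; the implicit-TLS ports 993/995/465 take none.
probe() {
  host=$1; port=$2; ver=$3; st=$4
  if [ -n "$st" ]; then
    out=$(openssl s_client "-$ver" -starttls "$st" -connect "$host:$port" < /dev/null 2>&1) || true
  else
    out=$(openssl s_client "-$ver" -connect "$host:$port" < /dev/null 2>&1) || true
  fi
  printf '%s\n' "$out" | parse_s_client
}

# scan HOST PORT [STARTTLS_PROTO]: one line per TLS version.
#   A server that has dropped 1.0/1.1 shows FAIL on the first two rows and a
#   cipher on the last two. FAIL on every row points at the port/STARTTLS choice
#   or a firewall rather than at TLS. FAIL on only the tls1/tls1_1 rows can also
#   come from the local openssl.cnf (MinProtocol) refusing to offer them.
scan() {
  for ver in tls1 tls1_1 tls1_2 tls1_3; do
    printf '%-8s %s\n' "$ver" "$(probe "$1" "$2" "$ver" "$3")"
  done
}

# Usage: sh tls_probe.sh imap.example.net 993
#        sh tls_probe.sh smtp.example.net 587 smtp
if [ $# -ge 2 ]; then
  scan "$1" "$2" "$3"
fi
```

The "Verify return code" column matters as much as the protocol: a row showing TLSv1.2 with a non-zero code means the handshake worked but the certificate chain did not validate, which a mail client also reports as a login or connection failure.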

Thank you for your reply rawar.

The openssl ciphers -v commands seem to work as expected.

I received the following from the command:

openssl s_client -tls1_3 -connect tls13.cloudflare.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
   i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
 1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate removed for clarity>
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com

issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2676 bytes and written 324 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

Is this response what I should expect?

Thanking you
Pedro

Yes this connection does use TLS 1.3 as expected.

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit

As already mentioned a trace with Wireshark would be helpful.

Thank you very much for that rawar.

At least I have a different direction to look in…

I have installed Wireshark, but I am NOT finding it intuitive to use. I have used Windows Network Monitor in the past, with success. If only I had the time to drop everything else to look into this…

I can still get my emails with my Win7 or Win10 machine.

My Win7 machine also stopped working with this ISP, with very similar symptoms to TW – “can’t log onto server”. I quickly found a hack where I manually changed some Registry settings to enable TLSv1.2, then it started working again.

KDE/ Kmail can still access emails from my other ISPs, but they don’t block earlier versions of TLS.

Maybe there is a problem in the protocol negotiation…

Kind regards
Pedro

Hi All,

Does anyone know how I can disable TLSv1.0 and TLSv1.1 temporarily while I do some testing?

Thanks
Pedro

Theoretically OpenSSL 1.1.1 has a MinProtocol configuration file option; there is no indication of which openSUSE release you are using (lost in the forum transition), but at least Leap 15.4 has OpenSSL 1.1.1.

config - OpenSSL CONF library configuration files
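As an added example (not from arvidjaar's reply, the thread, or the OpenSSL project), a throw-away configuration in the format the linked config(5) page describes, applied to a single openssl run via the OPENSSL_CONF environment variable so that nothing under /etc is touched. The section names openssl_init, ssl_sect and system_default_sect are arbitrary labels chosen here; only the keys openssl_conf, ssl_conf, system_default and MinProtocol are OpenSSL's. Whether KMail's own TLS stack reads the same file is not something this thread establishes, so the Wireshark trace suggested earlier remains the check for KMail itself.

```shell
#!/bin/sh
# Added example (not from the thread): generate a minimal OpenSSL 1.1.1 config
# that forbids TLS 1.0/1.1 via MinProtocol, then point one test run at it with
# OPENSSL_CONF. Nothing on the system is modified.

# Print an openssl.cnf whose system-default SSL section sets MinProtocol.
# Only TLSv1.2 and TLSv1.3 are accepted as arguments: anything lower would
# defeat the purpose of the test. Returns 2 on a bad argument.
make_min_tls_conf() {  # make_min_tls_conf TLSv1.2|TLSv1.3
  case "$1" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "make_min_tls_conf: want TLSv1.2 or TLSv1.3, got '$1'" >&2; return 2 ;;
  esac
  cat <<EOF
# temporary policy: refuse anything below $1
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = $1
EOF
}

# Run one openssl s_client under the generated policy, e.g.
#   with_min_tls TLSv1.2 -connect imap.example.net:993
#   with_min_tls TLSv1.2 -starttls smtp -connect smtp.example.net:587
# A server that still offers only TLS 1.0/1.1 now fails the handshake instead
# of silently negotiating the old version; a server that moved to 1.2/1.3
# prints "New, TLSv1.2, ..." or "New, TLSv1.3, ..." exactly as before.
with_min_tls() {
  minp=$1; shift
  cnf=$(mktemp) || return 1
  make_min_tls_conf "$minp" > "$cnf" || { rm -f "$cnf"; return 2; }
  if OPENSSL_CONF=$cnf openssl s_client "$@" < /dev/null; then rc=0; else rc=$?; fi
  rm -f "$cnf"
  return $rc
}

# Usage: sh min_tls.sh TLSv1.2 -connect imap.example.net:993
if [ $# -ge 2 ]; then
  with_min_tls "$@"
fi
```

Applying the same section to the real /etc/ssl/openssl.cnf makes the floor permanent for every program that loads the system configuration, which is the right end state once the ISP has moved; keeping it in a temporary file first avoids locking yourself out of other servers while testing.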

Thank you for your reply arvidjaar.

My version of OpenSSL is - 1.1.1s 1 Nov 2022.
My OS is Tumbleweed - VERSION=“20221218”.

I hope that is helpful.

Kind regards
Pedro

Hi,

I have just noticed that this issue has fixed itself. I don’t know if the fix was from my ISP, or in an OS update… Anyway I’m happy that it’s now working. :)

Thanks
Pedro