Blame SOURCES/evolution-ews-3.28.5-cve-2019-3890.patch

1b1c34
diff -up evolution-ews-3.28.5/src/addressbook/e-book-backend-ews.c.cve-2019-3890 evolution-ews-3.28.5/src/addressbook/e-book-backend-ews.c
1b1c34
--- evolution-ews-3.28.5/src/addressbook/e-book-backend-ews.c.cve-2019-3890	2019-04-15 09:43:49.672771516 +0200
1b1c34
+++ evolution-ews-3.28.5/src/addressbook/e-book-backend-ews.c	2019-04-15 09:43:49.683771516 +0200
1b1c34
@@ -2901,7 +2901,8 @@ ebb_ews_connect_sync (EBookMetaBackend *
1b1c34
 		bbews->priv->cnc, "proxy-resolver",
1b1c34
 		G_BINDING_SYNC_CREATE);
1b1c34
 
1b1c34
-	*out_auth_result = e_ews_connection_try_credentials_sync (bbews->priv->cnc, credentials, cancellable, error);
1b1c34
+	*out_auth_result = e_ews_connection_try_credentials_sync (bbews->priv->cnc, credentials, NULL,
1b1c34
+		out_certificate_pem, out_certificate_errors, cancellable, error);
1b1c34
 
1b1c34
 	if (*out_auth_result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
1b1c34
 		ESource *source = e_backend_get_source (E_BACKEND (bbews));
1b1c34
diff -up evolution-ews-3.28.5/src/calendar/e-cal-backend-ews.c.cve-2019-3890 evolution-ews-3.28.5/src/calendar/e-cal-backend-ews.c
1b1c34
--- evolution-ews-3.28.5/src/calendar/e-cal-backend-ews.c.cve-2019-3890	2019-04-15 09:43:49.676771516 +0200
1b1c34
+++ evolution-ews-3.28.5/src/calendar/e-cal-backend-ews.c	2019-04-15 09:43:49.684771516 +0200
1b1c34
@@ -1394,7 +1394,8 @@ ecb_ews_connect_sync (ECalMetaBackend *m
1b1c34
 		cbews->priv->cnc, "proxy-resolver",
1b1c34
 		G_BINDING_SYNC_CREATE);
1b1c34
 
1b1c34
-	*out_auth_result = e_ews_connection_try_credentials_sync (cbews->priv->cnc, credentials, cancellable, error);
1b1c34
+	*out_auth_result = e_ews_connection_try_credentials_sync (cbews->priv->cnc, credentials, NULL,
1b1c34
+		out_certificate_pem, out_certificate_errors, cancellable, error);
1b1c34
 
1b1c34
 	if (*out_auth_result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
1b1c34
 		ESource *source = e_backend_get_source (E_BACKEND (cbews));
1b1c34
diff -up evolution-ews-3.28.5/src/camel/camel-ews-store.c.cve-2019-3890 evolution-ews-3.28.5/src/camel/camel-ews-store.c
1b1c34
--- evolution-ews-3.28.5/src/camel/camel-ews-store.c.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/camel/camel-ews-store.c	2019-04-15 09:43:49.684771516 +0200
1b1c34
@@ -1831,6 +1831,8 @@ ews_authenticate_sync (CamelService *ser
1b1c34
 	const gchar *password;
1b1c34
 	gchar *hosturl;
1b1c34
 	gchar *old_sync_state = NULL, *new_sync_state = NULL;
1b1c34
+	gchar *certificate_pem = NULL;
1b1c34
+	GTlsCertificateFlags certificate_errors = 0;
1b1c34
 	GError *local_error = NULL;
1b1c34
 
1b1c34
 	ews_store = CAMEL_EWS_STORE (service);
1b1c34
@@ -1959,6 +1961,18 @@ ews_authenticate_sync (CamelService *ser
1b1c34
 
1b1c34
 	g_slist_free_full (created_folder_ids, g_free);
1b1c34
 
1b1c34
+	if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
1b1c34
+	    e_ews_connection_get_ssl_error_details (connection, &certificate_pem, &certificate_errors)) {
1b1c34
+		source = e_ews_connection_get_source (connection);
1b1c34
+
1b1c34
+		if (source) {
1b1c34
+			e_source_emit_credentials_required (source, E_SOURCE_CREDENTIALS_REASON_SSL_FAILED,
1b1c34
+				certificate_pem, certificate_errors, local_error);
1b1c34
+		}
1b1c34
+
1b1c34
+		g_free (certificate_pem);
1b1c34
+	}
1b1c34
+
1b1c34
 	if (local_error == NULL) {
1b1c34
 		result = CAMEL_AUTHENTICATION_ACCEPTED;
1b1c34
 	} else if (g_error_matches (local_error, EWS_CONNECTION_ERROR, EWS_CONNECTION_ERROR_AUTHENTICATION_FAILED)) {
1b1c34
diff -up evolution-ews-3.28.5/src/collection/e-ews-backend.c.cve-2019-3890 evolution-ews-3.28.5/src/collection/e-ews-backend.c
1b1c34
--- evolution-ews-3.28.5/src/collection/e-ews-backend.c.cve-2019-3890	2019-04-15 09:43:49.679771516 +0200
1b1c34
+++ evolution-ews-3.28.5/src/collection/e-ews-backend.c	2019-04-15 09:43:49.685771516 +0200
1b1c34
@@ -727,6 +727,15 @@ ews_backend_constructed (GObject *object
1b1c34
 	/* Reset the connectable, it steals data from Authentication extension,
1b1c34
 	   where is written incorrect address */
1b1c34
 	e_backend_set_connectable (backend, NULL);
1b1c34
+
1b1c34
+	/* Eventually unset temporary SSL trust, but only once, when the process started.
1b1c34
+	   It might bee too often anywhere lease (like in the authenticate callback) */
1b1c34
+	if (e_source_has_extension (source, E_SOURCE_EXTENSION_WEBDAV_BACKEND)) {
1b1c34
+		ESourceWebdav *webdav_extension;
1b1c34
+
1b1c34
+		webdav_extension = e_source_get_extension (source, E_SOURCE_EXTENSION_WEBDAV_BACKEND);
1b1c34
+		e_source_webdav_unset_temporary_ssl_trust (webdav_extension);
1b1c34
+	}
1b1c34
 }
1b1c34
 
1b1c34
 static void
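Review bot: The comment added in ews_backend_constructed() is hard to read ("bee", "anywhere lease") and does not say what "temporary" means in practice. Because the unset happens only here, a certificate accepted temporarily appears to stay trusted until the backend object is constructed again. Suggested wording: `/* Drop any temporary SSL trust once, when the backend is constructed; doing it elsewhere (e.g. in the authenticate callback) would clear it too often. */`. The function starts outside the hunk, so where `source` comes from is not visible here.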
1b1c34
@@ -930,7 +939,7 @@ ews_backend_create_resource_sync (EColle
1b1c34
 	}
1b1c34
 
1b1c34
 	if (!success) {
1b1c34
-		connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, cancellable, error);
1b1c34
+		connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, NULL, NULL, cancellable, error);
1b1c34
 		if (connection == NULL)
1b1c34
 			return FALSE;
1b1c34
 
1b1c34
@@ -1037,7 +1046,7 @@ ews_backend_delete_resource_sync (EColle
1b1c34
 	const gchar *extension_name;
1b1c34
 	gboolean success = FALSE;
1b1c34
 
1b1c34
-	connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, cancellable, error);
1b1c34
+	connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, NULL, NULL, cancellable, error);
1b1c34
 	if (connection == NULL)
1b1c34
 		return FALSE;
1b1c34
 
1b1c34
@@ -1142,7 +1151,7 @@ ews_backend_authenticate_sync (EBackend
1b1c34
 	ews_backend->priv->credentials = e_named_parameters_new_clone (credentials);
1b1c34
 	g_mutex_unlock (&ews_backend->priv->connection_lock);
1b1c34
 
1b1c34
-	connection = e_ews_backend_ref_connection_sync (ews_backend, &result, cancellable, error);
1b1c34
+	connection = e_ews_backend_ref_connection_sync (ews_backend, &result, out_certificate_pem, out_certificate_errors, cancellable, error);
1b1c34
 	g_clear_object (&connection);
1b1c34
 
1b1c34
 	if (result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
1b1c34
@@ -1223,7 +1232,7 @@ ews_backend_ref_connection_thread (GSimp
1b1c34
 	EEwsConnection *connection;
1b1c34
 	GError *error = NULL;
1b1c34
 
1b1c34
-	connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (object), NULL, cancellable, &error);
1b1c34
+	connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (object), NULL, NULL, NULL, cancellable, &error);
1b1c34
 
1b1c34
 	/* Sanity check. */
1b1c34
 	g_return_if_fail (
1b1c34
@@ -1241,6 +1250,8 @@ ews_backend_ref_connection_thread (GSimp
1b1c34
 EEwsConnection *
1b1c34
 e_ews_backend_ref_connection_sync (EEwsBackend *backend,
1b1c34
 				   ESourceAuthenticationResult *result,
1b1c34
+				   gchar **out_certificate_pem,
1b1c34
+				   GTlsCertificateFlags *out_certificate_errors,
1b1c34
                                    GCancellable *cancellable,
1b1c34
                                    GError **error)
1b1c34
 {
1b1c34
@@ -1272,7 +1283,8 @@ e_ews_backend_ref_connection_sync (EEwsB
1b1c34
 		connection, "proxy-resolver",
1b1c34
 		G_BINDING_SYNC_CREATE);
1b1c34
 
1b1c34
-	local_result = e_ews_connection_try_credentials_sync (connection, backend->priv->credentials, cancellable, error);
1b1c34
+	local_result = e_ews_connection_try_credentials_sync (connection, backend->priv->credentials, NULL,
1b1c34
+		out_certificate_pem, out_certificate_errors, cancellable, error);
1b1c34
 	if (result)
1b1c34
 		*result = local_result;
1b1c34
 
1b1c34
@@ -1413,7 +1425,7 @@ e_ews_backend_sync_folders_sync (EEwsBac
1b1c34
 		return TRUE;
1b1c34
 	}
1b1c34
 
1b1c34
-	connection = e_ews_backend_ref_connection_sync (backend, NULL, cancellable, error);
1b1c34
+	connection = e_ews_backend_ref_connection_sync (backend, NULL, NULL, NULL, cancellable, error);
1b1c34
 
1b1c34
 	if (connection == NULL) {
1b1c34
 		backend->priv->need_update_folders = TRUE;
1b1c34
diff -up evolution-ews-3.28.5/src/collection/e-ews-backend.h.cve-2019-3890 evolution-ews-3.28.5/src/collection/e-ews-backend.h
1b1c34
--- evolution-ews-3.28.5/src/collection/e-ews-backend.h.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/collection/e-ews-backend.h	2019-04-15 09:43:49.685771516 +0200
1b1c34
@@ -63,6 +63,8 @@ EEwsConnection *
1b1c34
 		e_ews_backend_ref_connection_sync
1b1c34
 						(EEwsBackend *backend,
1b1c34
 						 ESourceAuthenticationResult *result,
1b1c34
+						 gchar **out_certificate_pem,
1b1c34
+						 GTlsCertificateFlags *out_certificate_errors,
1b1c34
 						 GCancellable *cancellable,
1b1c34
 						 GError **error);
1b1c34
 void		e_ews_backend_ref_connection	(EEwsBackend *backend,
1b1c34
diff -up evolution-ews-3.28.5/src/configuration/e-ews-config-lookup.c.cve-2019-3890 evolution-ews-3.28.5/src/configuration/e-ews-config-lookup.c
1b1c34
--- evolution-ews-3.28.5/src/configuration/e-ews-config-lookup.c.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/configuration/e-ews-config-lookup.c	2019-04-15 09:43:49.685771516 +0200
1b1c34
@@ -344,9 +344,54 @@ ews_config_lookup_worker_run (EConfigLoo
1b1c34
 
1b1c34
 	if (password) {
1b1c34
 		const gchar *servers;
1b1c34
+		gchar *certificate_host = NULL;
1b1c34
+		gchar *certificate_pem = NULL;
1b1c34
+		GTlsCertificateFlags certificate_errors = 0;
1b1c34
+		GError *local_error = NULL;
1b1c34
+
1b1c34
+		if (e_named_parameters_exists (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_PEM) &&
1b1c34
+		    e_named_parameters_exists (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_TRUST) &&
1b1c34
+		    e_named_parameters_exists (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_HOST)) {
1b1c34
+			GTlsCertificate *certificate;
1b1c34
+			const gchar *param_certificate_pem;
1b1c34
+
1b1c34
+			param_certificate_pem = e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_PEM);
1b1c34
+			certificate = g_tls_certificate_new_from_pem (param_certificate_pem, -1, NULL);
1b1c34
+
1b1c34
+			if (certificate) {
1b1c34
+				ETrustPromptResponse trust_response;
1b1c34
+
1b1c34
+				trust_response = e_config_lookup_decode_certificate_trust (
1b1c34
+					e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_TRUST));
1b1c34
+
1b1c34
+				if (trust_response != E_TRUST_PROMPT_RESPONSE_UNKNOWN) {
1b1c34
+					ESourceWebdav *webdav_extension;
1b1c34
+
1b1c34
+					webdav_extension = e_source_get_extension (source, E_SOURCE_EXTENSION_WEBDAV_BACKEND);
1b1c34
+					e_source_webdav_update_ssl_trust (webdav_extension,
1b1c34
+						e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_HOST),
1b1c34
+						certificate, trust_response);
1b1c34
+				}
1b1c34
+
1b1c34
+				g_object_unref (certificate);
1b1c34
+			}
1b1c34
+		}
1b1c34
 
1b1c34
-		if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, cancellable, NULL)) {
1b1c34
+		if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, &certificate_pem, &certificate_errors, cancellable, &local_error)) {
1b1c34
 			ews_config_lookup_worker_result_from_settings (lookup_worker, config_lookup, email_address, ews_settings, params);
1b1c34
+		} else if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED)) {
1b1c34
+			const gchar *hosturl;
1b1c34
+			SoupURI *suri;
1b1c34
+
1b1c34
+			hosturl = camel_ews_settings_get_hosturl (ews_settings);
1b1c34
+			suri = soup_uri_new (hosturl);
1b1c34
+			if (suri) {
1b1c34
+				certificate_host = g_strdup (soup_uri_get_host (suri));
1b1c34
+
1b1c34
+				soup_uri_free (suri);
1b1c34
+			}
1b1c34
+		} else {
1b1c34
+			g_clear_error (&local_error);
1b1c34
 		}
1b1c34
 
1b1c34
 		servers = e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_SERVERS);
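Review bot: The host paired with the rejected certificate comes from `camel_ews_settings_get_hosturl()`, not from the request that actually failed. ews_connection_check_ssl_error() stores only the PEM and the error flags, and e_ews_autodiscover_ws_url() sends up to five messages (url1…url5, built outside the visible hunks), so the certificate may have come from a different host than the one written to `E_CONFIG_LOOKUP_PARAM_CERTIFICATE_HOST`. The trust decision the user makes would then be recorded against a host name that did not present the certificate. Recording the host next to the PEM in ews_connection_check_ssl_error(), e.g. `soup_uri_get_host (soup_message_get_uri (message))`, and returning it from e_ews_connection_get_ssl_error_details() would tie the two together. The same applies to the server-loop hunk below and to `host` in mail_config_ews_autodiscover_run_cb(), which takes it from camel_network_settings_get_host().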
1b1c34
@@ -357,7 +402,7 @@ ews_config_lookup_worker_run (EConfigLoo
1b1c34
 
1b1c34
 			servers_strv = g_strsplit (servers, ";", 0);
1b1c34
 
1b1c34
-			for (ii = 0; servers_strv && servers_strv[ii] && !g_cancellable_is_cancelled (cancellable); ii++) {
1b1c34
+			for (ii = 0; servers_strv && servers_strv[ii] && !g_cancellable_is_cancelled (cancellable) && !local_error; ii++) {
1b1c34
 				const gchar *server = servers_strv[ii];
1b1c34
 				gchar *tmp = NULL;
1b1c34
 
1b1c34
@@ -368,8 +413,21 @@ ews_config_lookup_worker_run (EConfigLoo
1b1c34
 
1b1c34
 				camel_ews_settings_set_hosturl (ews_settings, server);
1b1c34
 
1b1c34
-				if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, cancellable, NULL)) {
1b1c34
+				if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, &certificate_pem, &certificate_errors, cancellable, &local_error)) {
1b1c34
 					ews_config_lookup_worker_result_from_settings (lookup_worker, config_lookup, email_address, ews_settings, params);
1b1c34
+				} else if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED)) {
1b1c34
+					const gchar *hosturl;
1b1c34
+					SoupURI *suri;
1b1c34
+
1b1c34
+					hosturl = camel_ews_settings_get_hosturl (ews_settings);
1b1c34
+					suri = soup_uri_new (hosturl);
1b1c34
+					if (suri) {
1b1c34
+						certificate_host = g_strdup (soup_uri_get_host (suri));
1b1c34
+
1b1c34
+						soup_uri_free (suri);
1b1c34
+					}
1b1c34
+				} else {
1b1c34
+					g_clear_error (&local_error);
1b1c34
 				}
1b1c34
 
1b1c34
 				g_free (tmp);
1b1c34
@@ -378,7 +436,31 @@ ews_config_lookup_worker_run (EConfigLoo
1b1c34
 			g_strfreev (servers_strv);
1b1c34
 		}
1b1c34
 
1b1c34
-		if (out_restart_params)
1b1c34
+		if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
1b1c34
+		    certificate_pem && *certificate_pem && certificate_errors) {
1b1c34
+			gchar *description = e_trust_prompt_describe_certificate_errors (certificate_errors);
1b1c34
+
1b1c34
+			if (description) {
1b1c34
+				g_set_error_literal (error, E_CONFIG_LOOKUP_WORKER_ERROR,
1b1c34
+					E_CONFIG_LOOKUP_WORKER_ERROR_CERTIFICATE, description);
1b1c34
+
1b1c34
+				g_free (description);
1b1c34
+
1b1c34
+				if (out_restart_params) {
1b1c34
+					if (!*out_restart_params)
1b1c34
+						*out_restart_params = e_named_parameters_new_clone (params);
1b1c34
+
1b1c34
+					e_named_parameters_set (*out_restart_params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_PEM, certificate_pem);
1b1c34
+					e_named_parameters_set (*out_restart_params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_HOST, certificate_host);
1b1c34
+				}
1b1c34
+			}
1b1c34
+		}
1b1c34
+
1b1c34
+		g_clear_error (&local_error);
1b1c34
+		g_free (certificate_host);
1b1c34
+		g_free (certificate_pem);
1b1c34
+
1b1c34
+		if (out_restart_params && !*out_restart_params)
1b1c34
 			*out_restart_params = e_named_parameters_new_clone (params);
1b1c34
 	}
1b1c34
 
1b1c34
diff -up evolution-ews-3.28.5/src/configuration/e-ews-config-utils.c.cve-2019-3890 evolution-ews-3.28.5/src/configuration/e-ews-config-utils.c
1b1c34
--- evolution-ews-3.28.5/src/configuration/e-ews-config-utils.c.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/configuration/e-ews-config-utils.c	2019-04-15 09:43:49.686771516 +0200
1b1c34
@@ -317,7 +317,7 @@ ews_config_utils_try_credentials_sync (E
1b1c34
 	if (data->try_credentials_func)
1b1c34
 		auth_result = data->try_credentials_func (data->conn, credentials, data->user_data, cancellable, error);
1b1c34
 	else
1b1c34
-		auth_result = e_ews_connection_try_credentials_sync (data->conn, credentials, cancellable, error);
1b1c34
+		auth_result = e_ews_connection_try_credentials_sync (data->conn, credentials, NULL, NULL, NULL, cancellable, error);
1b1c34
 
1b1c34
 	if (auth_result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
1b1c34
 		*out_authenticated = TRUE;
1b1c34
@@ -377,7 +377,7 @@ e_ews_config_utils_open_connection_for (
1b1c34
 			if (try_credentials_func)
1b1c34
 				result = try_credentials_func (conn, NULL, user_data, cancellable, &local_error);
1b1c34
 			else
1b1c34
-				result = e_ews_connection_try_credentials_sync (conn, NULL, cancellable, &local_error);
1b1c34
+				result = e_ews_connection_try_credentials_sync (conn, NULL, NULL, NULL, NULL, cancellable, &local_error);
1b1c34
 
1b1c34
 			if (result != E_SOURCE_AUTHENTICATION_ACCEPTED) {
1b1c34
 				g_clear_object (&conn;;
1b1c34
diff -up evolution-ews-3.28.5/src/configuration/e-mail-config-ews-autodiscover.c.cve-2019-3890 evolution-ews-3.28.5/src/configuration/e-mail-config-ews-autodiscover.c
1b1c34
--- evolution-ews-3.28.5/src/configuration/e-mail-config-ews-autodiscover.c.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/configuration/e-mail-config-ews-autodiscover.c	2019-04-15 09:43:49.686771516 +0200
1b1c34
@@ -45,6 +45,8 @@ struct _AsyncContext {
1b1c34
 	ESource *source;
1b1c34
 	CamelEwsSettings *ews_settings;
1b1c34
 	gchar *email_address;
1b1c34
+	gchar *certificate_pem;
1b1c34
+	GTlsCertificateFlags certificate_errors;
1b1c34
 };
1b1c34
 
1b1c34
 enum {
1b1c34
@@ -67,6 +69,7 @@ async_context_free (gpointer ptr)
1b1c34
 	g_clear_object (&async_context->source);
1b1c34
 	g_clear_object (&async_context->ews_settings);
1b1c34
 	g_free (async_context->email_address);
1b1c34
+	g_free (async_context->certificate_pem);
1b1c34
 
1b1c34
 	g_slice_free (AsyncContext, async_context);
1b1c34
 }
1b1c34
@@ -87,6 +90,9 @@ mail_config_ews_autodiscover_finish (EMa
1b1c34
 }
1b1c34
 
1b1c34
 static void
1b1c34
+mail_config_ews_autodiscover_run (EMailConfigEwsAutodiscover *autodiscover);
1b1c34
+
1b1c34
+static void
1b1c34
 mail_config_ews_autodiscover_run_cb (GObject *source_object,
1b1c34
                                      GAsyncResult *result,
1b1c34
                                      gpointer user_data)
1b1c34
@@ -111,17 +117,62 @@ mail_config_ews_autodiscover_run_cb (GOb
1b1c34
 	g_object_thaw_notify (G_OBJECT (settings));
1b1c34
 
1b1c34
 	if (e_activity_handle_cancellation (async_context->activity, error)) {
1b1c34
-		g_error_free (error);
1b1c34
+		/* Do nothing, just free the error below */
1b1c34
+	} else if (g_error_matches (error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
1b1c34
+		   async_context->certificate_pem && *async_context->certificate_pem && async_context->certificate_errors) {
1b1c34
+		ETrustPromptResponse response;
1b1c34
+		GtkWidget *parent;
1b1c34
+		const gchar *host;
1b1c34
+
1b1c34
+		parent = gtk_widget_get_toplevel (GTK_WIDGET (autodiscover));
1b1c34
+		if (!GTK_IS_WINDOW (parent))
1b1c34
+			parent = NULL;
1b1c34
+
1b1c34
+		host = camel_network_settings_get_host (CAMEL_NETWORK_SETTINGS (settings));
1b1c34
+
1b1c34
+		response = e_trust_prompt_run_modal (parent ? GTK_WINDOW (parent) : NULL,
1b1c34
+			E_SOURCE_EXTENSION_COLLECTION, _("Exchange Web Services"),
1b1c34
+			host, async_context->certificate_pem, async_context->certificate_errors,
1b1c34
+			error->message);
1b1c34
+
1b1c34
+		g_clear_error (&error);
1b1c34
+
1b1c34
+		if (response != E_TRUST_PROMPT_RESPONSE_UNKNOWN) {
1b1c34
+			GTlsCertificate *certificate;
1b1c34
+
1b1c34
+			certificate = g_tls_certificate_new_from_pem (async_context->certificate_pem, -1, &error);
1b1c34
+			if (certificate) {
1b1c34
+				ESourceWebdav *extension_webdav;
1b1c34
+
1b1c34
+				extension_webdav = e_source_get_extension (async_context->source, E_SOURCE_EXTENSION_WEBDAV_BACKEND);
1b1c34
+
1b1c34
+				e_source_webdav_update_ssl_trust (extension_webdav, host, certificate, response);
1b1c34
+
1b1c34
+				g_object_unref (certificate);
1b1c34
+			}
1b1c34
+
1b1c34
+			if (error) {
1b1c34
+				e_alert_submit (
1b1c34
+					alert_sink,
1b1c34
+					"ews:autodiscovery-error",
1b1c34
+					error->message, NULL);
1b1c34
+			}
1b1c34
+		}
1b1c34
 
1b1c34
+		if (response == E_TRUST_PROMPT_RESPONSE_ACCEPT ||
1b1c34
+		    response == E_TRUST_PROMPT_RESPONSE_ACCEPT_TEMPORARILY) {
1b1c34
+			mail_config_ews_autodiscover_run (autodiscover);
1b1c34
+		}
1b1c34
 	} else if (error != NULL) {
1b1c34
 		e_alert_submit (
1b1c34
 			alert_sink,
1b1c34
 			"ews:autodiscovery-error",
1b1c34
 			error->message, NULL);
1b1c34
-		g_error_free (error);
1b1c34
 	}
1b1c34
 
1b1c34
 	gtk_widget_set_sensitive (GTK_WIDGET (autodiscover), TRUE);
1b1c34
+
1b1c34
+	g_clear_error (&error);
1b1c34
 }
1b1c34
 
1b1c34
 static gboolean
1b1c34
@@ -141,6 +192,7 @@ mail_config_ews_autodiscover_sync (ECred
1b1c34
 		async_context->ews_settings, async_context->email_address,
1b1c34
 		credentials && e_named_parameters_get (credentials, E_SOURCE_CREDENTIAL_PASSWORD) ?
1b1c34
 		e_named_parameters_get (credentials, E_SOURCE_CREDENTIAL_PASSWORD) : "",
1b1c34
+		&async_context->certificate_pem, &async_context->certificate_errors,
1b1c34
 		cancellable, &local_error);
1b1c34
 
1b1c34
 	if (local_error == NULL) {
1b1c34
@@ -173,6 +225,7 @@ mail_config_ews_autodiscover_run_thread
1b1c34
 		if (without_password) {
1b1c34
 			success = e_ews_autodiscover_ws_url_sync (async_context->source,
1b1c34
 				async_context->ews_settings, async_context->email_address, "",
1b1c34
+				&async_context->certificate_pem, &async_context->certificate_errors,
1b1c34
 				cancellable, &local_error);
1b1c34
 		}
1b1c34
 
1b1c34
@@ -236,6 +289,8 @@ mail_config_ews_autodiscover_run (EMailC
1b1c34
 	async_context->source = g_object_ref (source);
1b1c34
 	async_context->ews_settings = g_object_ref (settings);
1b1c34
 	async_context->email_address = g_strdup (e_mail_config_service_page_get_email_address (page));
1b1c34
+	async_context->certificate_pem = NULL;
1b1c34
+	async_context->certificate_errors = 0;
1b1c34
 
1b1c34
 	/*
1b1c34
 	 * The GTask will be run in a new thread, which will invoke
1b1c34
diff -up evolution-ews-3.28.5/src/server/e-ews-connection.c.cve-2019-3890 evolution-ews-3.28.5/src/server/e-ews-connection.c
1b1c34
--- evolution-ews-3.28.5/src/server/e-ews-connection.c.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/server/e-ews-connection.c	2019-04-15 09:43:49.689771516 +0200
1b1c34
@@ -111,6 +111,10 @@ struct _EEwsConnectionPrivate {
1b1c34
 
1b1c34
 	/* Set to TRUE when this connection had been disconnected and cannot be used anymore */
1b1c34
 	gboolean disconnected_flag;
1b1c34
+
1b1c34
+	gboolean ssl_info_set;
1b1c34
+	gchar *ssl_certificate_pem;
1b1c34
+	GTlsCertificateFlags ssl_certificate_errors;
1b1c34
 };
1b1c34
 
1b1c34
 enum {
1b1c34
@@ -836,6 +840,37 @@ ews_connection_credentials_failed (EEwsC
1b1c34
 	return expired;
1b1c34
 }
1b1c34
 
1b1c34
+static void
1b1c34
+ews_connection_check_ssl_error (EEwsConnection *connection,
1b1c34
+				SoupMessage *message)
1b1c34
+{
1b1c34
+	g_return_if_fail (E_IS_EWS_CONNECTION (connection));
1b1c34
+	g_return_if_fail (SOUP_IS_MESSAGE (message));
1b1c34
+
1b1c34
+	if (message->status_code == SOUP_STATUS_SSL_FAILED) {
1b1c34
+		GTlsCertificate *certificate = NULL;
1b1c34
+
1b1c34
+		g_mutex_lock (&connection->priv->property_lock);
1b1c34
+
1b1c34
+		g_clear_pointer (&connection->priv->ssl_certificate_pem, g_free);
1b1c34
+		connection->priv->ssl_info_set = FALSE;
1b1c34
+
1b1c34
+		g_object_get (G_OBJECT (message),
1b1c34
+			"tls-certificate", &certificate,
1b1c34
+			"tls-errors", &connection->priv->ssl_certificate_errors,
1b1c34
+			NULL);
1b1c34
+
1b1c34
+		if (certificate) {
1b1c34
+			g_object_get (certificate, "certificate-pem", &connection->priv->ssl_certificate_pem, NULL);
1b1c34
+			connection->priv->ssl_info_set = TRUE;
1b1c34
+
1b1c34
+			g_object_unref (certificate);
1b1c34
+		}
1b1c34
+
1b1c34
+		g_mutex_unlock (&connection->priv->property_lock);
1b1c34
+	}
1b1c34
+}
1b1c34
+
1b1c34
 /* Response callbacks */
1b1c34
 
1b1c34
 static void
1b1c34
@@ -852,8 +887,15 @@ ews_response_cb (SoupSession *session,
1b1c34
 	if (g_cancellable_is_cancelled (enode->cancellable))
1b1c34
 		goto exit;
1b1c34
 
1b1c34
+	ews_connection_check_ssl_error (enode->cnc, msg);
1b1c34
+
1b1c34
 	if (ews_connection_credentials_failed (enode->cnc, msg, enode->simple)) {
1b1c34
 		goto exit;
1b1c34
+	} else if (msg->status_code == SOUP_STATUS_SSL_FAILED) {
1b1c34
+		g_simple_async_result_set_error (
1b1c34
+			enode->simple, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED,
1b1c34
+			"%s", msg->reason_phrase);
1b1c34
+		goto exit;
1b1c34
 	} else if (msg->status_code == SOUP_STATUS_UNAUTHORIZED) {
1b1c34
 		if (msg->response_headers) {
1b1c34
 			const gchar *diagnostics;
1b1c34
@@ -1855,6 +1897,9 @@ ews_connection_constructed (GObject *obj
1b1c34
 	cnc->priv->soup_thread = g_thread_new (NULL, e_ews_soup_thread, cnc);
1b1c34
 
1b1c34
 	cnc->priv->soup_session = soup_session_async_new_with_options (
1b1c34
+		SOUP_SESSION_TIMEOUT, 90,
1b1c34
+		SOUP_SESSION_SSL_STRICT, TRUE,
1b1c34
+		SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
1b1c34
 		SOUP_SESSION_ASYNC_CONTEXT, cnc->priv->soup_context,
1b1c34
 		NULL);
1b1c34
 
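Review bot: Nothing at the soup_session_async_new_with_options() call says that `SOUP_SESSION_SSL_STRICT` and `SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE` are the certificate-validation fix. The unrelated `SOUP_SESSION_TIMEOUT, 90` is bundled in with them, with no unit or rationale. A short comment would keep a later cleanup from dropping them, e.g. `/* Verify the server certificate against the system CA store; per-source exceptions are applied with e_soup_ssl_trust_connect(). The timeout is in seconds. */`. ews_connection_constructed() continues on both sides of the hunk.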
1b1c34
@@ -1971,6 +2016,7 @@ ews_connection_finalize (GObject *object
1b1c34
 	g_free (priv->email);
1b1c34
 	g_free (priv->hash_key);
1b1c34
 	g_free (priv->impersonate_user);
1b1c34
+	g_free (priv->ssl_certificate_pem);
1b1c34
 
1b1c34
 	g_clear_object (&priv->bearer_auth);
1b1c34
 
1b1c34
@@ -2557,10 +2603,15 @@ e_ews_connection_update_credentials (EEw
1b1c34
 ESourceAuthenticationResult
1b1c34
 e_ews_connection_try_credentials_sync (EEwsConnection *cnc,
1b1c34
 				       const ENamedParameters *credentials,
1b1c34
+				       ESource *use_source,
1b1c34
+				       gchar **out_certificate_pem,
1b1c34
+				       GTlsCertificateFlags *out_certificate_errors,
1b1c34
 				       GCancellable *cancellable,
1b1c34
 				       GError **error)
1b1c34
 {
1b1c34
 	ESourceAuthenticationResult result;
1b1c34
+	ESource *source;
1b1c34
+	gboolean de_set_source;
1b1c34
 	EwsFolderId *fid = NULL;
1b1c34
 	GSList *ids = NULL;
1b1c34
 	GError *local_error = NULL;
1b1c34
@@ -2574,14 +2625,31 @@ e_ews_connection_try_credentials_sync (E
1b1c34
 	fid->is_distinguished_id = TRUE;
1b1c34
 	ids = g_slist_append (ids, fid);
1b1c34
 
1b1c34
+	source = e_ews_connection_get_source (cnc);
1b1c34
+	if (use_source && use_source != source) {
1b1c34
+		cnc->priv->source = g_object_ref (use_source);
1b1c34
+		de_set_source = TRUE;
1b1c34
+	} else {
1b1c34
+		source = NULL;
1b1c34
+		de_set_source = FALSE;
1b1c34
+	}
1b1c34
+
1b1c34
 	e_ews_connection_get_folder_sync (
1b1c34
 		cnc, EWS_PRIORITY_MEDIUM, "Default",
1b1c34
 		NULL, ids, NULL, cancellable, &local_error);
1b1c34
 
1b1c34
+	if (de_set_source) {
1b1c34
+		g_clear_object (&cnc->priv->source);
1b1c34
+		cnc->priv->source = source;
1b1c34
+	}
1b1c34
+
1b1c34
 	g_slist_free_full (ids, (GDestroyNotify) e_ews_folder_id_free);
1b1c34
 
1b1c34
 	if (local_error == NULL) {
1b1c34
 		result = E_SOURCE_AUTHENTICATION_ACCEPTED;
1b1c34
+	} else if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
1b1c34
+		   e_ews_connection_get_ssl_error_details (cnc, out_certificate_pem, out_certificate_errors)) {
1b1c34
+		result = E_SOURCE_AUTHENTICATION_ERROR_SSL_FAILED;
1b1c34
 	} else {
1b1c34
 		gboolean auth_failed;
1b1c34
 
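Review bot: When `use_source` differs from the connection's own source, `cnc->priv->source` is replaced for the whole blocking e_ews_connection_get_folder_sync() call, with no lock taken in the visible lines. e_ews_get_msg_for_url() reads the same field to choose the source for e_soup_ssl_trust_connect(), so a request issued from another thread in that window would presumably have its certificate trust evaluated against `use_source`. Every caller in this patch passes NULL, so the path is not exercised here. If it is kept, either take `property_lock` around the swap and the restore, or add a comment stating that the connection must not be shared while this runs. The function body continues past the hunk.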
1b1c34
@@ -2618,6 +2686,29 @@ e_ews_connection_get_source (EEwsConnect
1b1c34
 	return cnc->priv->source;
1b1c34
 }
1b1c34
 
1b1c34
+gboolean
1b1c34
+e_ews_connection_get_ssl_error_details (EEwsConnection *cnc,
1b1c34
+					gchar **out_certificate_pem,
1b1c34
+					GTlsCertificateFlags *out_certificate_errors)
1b1c34
+{
1b1c34
+	g_return_val_if_fail (E_IS_EWS_CONNECTION (cnc), FALSE);
1b1c34
+	g_return_val_if_fail (out_certificate_pem != NULL, FALSE);
1b1c34
+	g_return_val_if_fail (out_certificate_errors != NULL, FALSE);
1b1c34
+
1b1c34
+	g_mutex_lock (&cnc->priv->property_lock);
1b1c34
+	if (!cnc->priv->ssl_info_set) {
1b1c34
+		g_mutex_unlock (&cnc->priv->property_lock);
1b1c34
+		return FALSE;
1b1c34
+	}
1b1c34
+
1b1c34
+	*out_certificate_pem = g_strdup (cnc->priv->ssl_certificate_pem);
1b1c34
+	*out_certificate_errors = cnc->priv->ssl_certificate_errors;
1b1c34
+
1b1c34
+	g_mutex_unlock (&cnc->priv->property_lock);
1b1c34
+
1b1c34
+	return TRUE;
1b1c34
+}
1b1c34
+
1b1c34
 const gchar *
1b1c34
 e_ews_connection_get_uri (EEwsConnection *cnc)
1b1c34
 {
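Review bot: e_ews_connection_get_ssl_error_details() rejects NULL out-parameters with g_return_val_if_fail(), yet e_ews_connection_try_credentials_sync() forwards its own `out_certificate_pem`/`out_certificate_errors` to it unchanged. Several callers in this patch pass NULL for both: the two e-ews-config-utils.c hunks and the e_ews_backend_ref_connection_sync() callers in e-ews-backend.c. On a certificate failure those paths log a critical and get FALSE back, so the result falls into the generic else branch instead of E_SOURCE_AUTHENTICATION_ERROR_SSL_FAILED. e_ews_autodiscover_ws_url_finish() has the same mismatch, since it NULL-checks the pointers only after the getter has already refused them. Treating the out-parameters as optional would cover all of these: drop the two NULL guards and write `if (out_certificate_pem) *out_certificate_pem = g_strdup (cnc->priv->ssl_certificate_pem);` and `if (out_certificate_errors) *out_certificate_errors = cnc->priv->ssl_certificate_errors;`.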
1b1c34
@@ -2906,6 +2997,9 @@ autodiscover_response_cb (SoupSession *s
1b1c34
 			g_set_error (
1b1c34
 				&error, SOUP_HTTP_ERROR, status,
1b1c34
 				"%d %s", status, msg->reason_phrase);
1b1c34
+
1b1c34
+			if (status == SOUP_STATUS_SSL_FAILED)
1b1c34
+				ews_connection_check_ssl_error (ad->cnc, msg);
1b1c34
 		}
1b1c34
 
1b1c34
 		g_free (service_url);
1b1c34
@@ -3056,7 +3150,8 @@ static void post_restarted (SoupMessage
1b1c34
 }
1b1c34
 
1b1c34
 static SoupMessage *
1b1c34
-e_ews_get_msg_for_url (CamelEwsSettings *settings,
1b1c34
+e_ews_get_msg_for_url (EEwsConnection *cnc,
1b1c34
+		       CamelEwsSettings *settings,
1b1c34
 		       const gchar *url,
1b1c34
                        xmlOutputBuffer *buf,
1b1c34
                        GError **error)
1b1c34
@@ -3078,6 +3173,9 @@ e_ews_get_msg_for_url (CamelEwsSettings
1b1c34
 		return NULL;
1b1c34
 	}
1b1c34
 
1b1c34
+	if (cnc->priv->source)
1b1c34
+		e_soup_ssl_trust_connect (msg, cnc->priv->source);
1b1c34
+
1b1c34
 	e_ews_message_attach_chunk_allocator (msg);
1b1c34
 
1b1c34
 	e_ews_message_set_user_agent_header (msg, settings);
1b1c34
@@ -3107,6 +3205,8 @@ e_ews_autodiscover_ws_url_sync (ESource
1b1c34
 				CamelEwsSettings *settings,
1b1c34
                                 const gchar *email_address,
1b1c34
                                 const gchar *password,
1b1c34
+				gchar **out_certificate_pem,
1b1c34
+				GTlsCertificateFlags *out_certificate_errors,
1b1c34
                                 GCancellable *cancellable,
1b1c34
                                 GError **error)
1b1c34
 {
1b1c34
@@ -3125,7 +3225,7 @@ e_ews_autodiscover_ws_url_sync (ESource
1b1c34
 
1b1c34
 	result = e_async_closure_wait (closure);
1b1c34
 
1b1c34
-	success = e_ews_autodiscover_ws_url_finish (settings, result, error);
1b1c34
+	success = e_ews_autodiscover_ws_url_finish (settings, result, out_certificate_pem, out_certificate_errors, error);
1b1c34
 
1b1c34
 	e_async_closure_free (closure);
1b1c34
 
1b1c34
@@ -3236,11 +3336,11 @@ e_ews_autodiscover_ws_url (ESource *sour
1b1c34
 		simple, ad, (GDestroyNotify) autodiscover_data_free);
1b1c34
 
1b1c34
 	/* Passing a NULL URL string returns NULL. */
1b1c34
-	ad->msgs[0] = e_ews_get_msg_for_url (settings, url1, buf, &error);
1b1c34
-	ad->msgs[1] = e_ews_get_msg_for_url (settings, url2, buf, NULL);
1b1c34
-	ad->msgs[2] = e_ews_get_msg_for_url (settings, url3, buf, NULL);
1b1c34
-	ad->msgs[3] = e_ews_get_msg_for_url (settings, url4, buf, NULL);
1b1c34
-	ad->msgs[4] = e_ews_get_msg_for_url (settings, url5, buf, NULL);
1b1c34
+	ad->msgs[0] = e_ews_get_msg_for_url (cnc, settings, url1, buf, &error);
1b1c34
+	ad->msgs[1] = e_ews_get_msg_for_url (cnc, settings, url2, buf, NULL);
1b1c34
+	ad->msgs[2] = e_ews_get_msg_for_url (cnc, settings, url3, buf, NULL);
1b1c34
+	ad->msgs[3] = e_ews_get_msg_for_url (cnc, settings, url4, buf, NULL);
1b1c34
+	ad->msgs[4] = e_ews_get_msg_for_url (cnc, settings, url5, buf, NULL);
1b1c34
 
1b1c34
 	/* These have to be submitted only after they're both set in ad->msgs[]
1b1c34
 	 * or there will be races with fast completion */
1b1c34
@@ -3300,10 +3400,13 @@ has_suffix_icmp (const gchar *text,
1b1c34
 gboolean
1b1c34
 e_ews_autodiscover_ws_url_finish (CamelEwsSettings *settings,
1b1c34
                                   GAsyncResult *result,
1b1c34
+				  gchar **out_certificate_pem,
1b1c34
+				  GTlsCertificateFlags *out_certificate_errors,
1b1c34
                                   GError **error)
1b1c34
 {
1b1c34
 	GSimpleAsyncResult *simple;
1b1c34
 	struct _autodiscover_data *ad;
1b1c34
+	GError *local_error = NULL;
1b1c34
 
1b1c34
 	g_return_val_if_fail (
1b1c34
 		g_simple_async_result_is_valid (
1b1c34
@@ -3313,8 +3416,20 @@ e_ews_autodiscover_ws_url_finish (CamelE
1b1c34
 	simple = G_SIMPLE_ASYNC_RESULT (result);
1b1c34
 	ad = g_simple_async_result_get_op_res_gpointer (simple);
1b1c34
 
1b1c34
-	if (g_simple_async_result_propagate_error (simple, error))
1b1c34
+	if (g_simple_async_result_propagate_error (simple, &local_error)) {
1b1c34
+		if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED)) {
1b1c34
+			if (!e_ews_connection_get_ssl_error_details (ad->cnc, out_certificate_pem, out_certificate_errors)) {
1b1c34
+				if (out_certificate_pem)
1b1c34
+					*out_certificate_pem = NULL;
1b1c34
+				if (out_certificate_errors)
1b1c34
+					*out_certificate_errors = 0;
1b1c34
+			}
1b1c34
+		}
1b1c34
+
1b1c34
+		g_propagate_error (error, local_error);
1b1c34
+
1b1c34
 		return FALSE;
1b1c34
+	}
1b1c34
 
1b1c34
 	g_warn_if_fail (ad->as_url != NULL);
1b1c34
 	g_warn_if_fail (ad->oab_url != NULL);
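Review bot: In e_ews_autodiscover_ws_url_finish the two out parameters are cleared only when the error is SOUP_STATUS_SSL_FAILED and e_ews_connection_get_ssl_error_details() returns FALSE; for any other propagated error they are left exactly as the caller passed them. A caller that inspects the certificate outputs after a FALSE return could then act on stale or uninitialised values when deciding whether to offer a trust prompt. Resetting them once before the propagate check removes that dependency on the caller: `if (out_certificate_pem) *out_certificate_pem = NULL;` and `if (out_certificate_errors) *out_certificate_errors = 0;`. The function starts in the previous hunk and continues past this one, so the success path is not visible here.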
1b1c34
@@ -3473,6 +3588,8 @@ oal_response_cb (SoupSession *soup_sessi
1b1c34
 	simple = G_SIMPLE_ASYNC_RESULT (user_data);
1b1c34
 	data = g_simple_async_result_get_op_res_gpointer (simple);
1b1c34
 
1b1c34
+	ews_connection_check_ssl_error (data->cnc, soup_message);
1b1c34
+
1b1c34
 	if (ews_connection_credentials_failed (data->cnc, soup_message, simple)) {
1b1c34
 		goto exit;
1b1c34
 	} else if (soup_message->status_code != 200) {
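Review bot: The added `ews_connection_check_ssl_error (data->cnc, soup_message);` in oal_response_cb carries no comment, and nothing in the hunk shows what it does with the message or whether it reports a result. The same applies to the identical call added in oal_download_response_cb. Because the callback then carries on to the credentials and status-code checks unchanged, a one-line comment should say why the call must come first, for example `/* Record TLS failure details on the connection before the status checks below. */` if that is indeed its purpose. Both callbacks begin and end outside their hunks.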
1b1c34
@@ -3618,7 +3735,7 @@ e_ews_connection_get_oal_list (EEwsConne
1b1c34
 
1b1c34
 	g_return_if_fail (E_IS_EWS_CONNECTION (cnc));
1b1c34
 
1b1c34
-	soup_message = e_ews_get_msg_for_url (cnc->priv->settings, cnc->priv->uri, NULL, &error);
1b1c34
+	soup_message = e_ews_get_msg_for_url (cnc, cnc->priv->settings, cnc->priv->uri, NULL, &error);
1b1c34
 
1b1c34
 	simple = g_simple_async_result_new (
1b1c34
 		G_OBJECT (cnc), callback, user_data,
1b1c34
@@ -3739,7 +3856,7 @@ e_ews_connection_get_oal_detail (EEwsCon
1b1c34
 
1b1c34
 	g_return_if_fail (E_IS_EWS_CONNECTION (cnc));
1b1c34
 
1b1c34
-	soup_message = e_ews_get_msg_for_url (cnc->priv->settings, cnc->priv->uri, NULL, &error);
1b1c34
+	soup_message = e_ews_get_msg_for_url (cnc, cnc->priv->settings, cnc->priv->uri, NULL, &error);
1b1c34
 
1b1c34
 	simple = g_simple_async_result_new (
1b1c34
 		G_OBJECT (cnc), callback, user_data,
1b1c34
@@ -3826,6 +3943,8 @@ oal_download_response_cb (SoupSession *s
1b1c34
 	simple = G_SIMPLE_ASYNC_RESULT (user_data);
1b1c34
 	data = g_simple_async_result_get_op_res_gpointer (simple);
1b1c34
 
1b1c34
+	ews_connection_check_ssl_error (data->cnc, soup_message);
1b1c34
+
1b1c34
 	if (ews_connection_credentials_failed (data->cnc, soup_message, simple)) {
1b1c34
 		g_unlink (data->cache_filename);
1b1c34
 	} else if (soup_message->status_code != 200) {
1b1c34
@@ -3954,7 +4073,7 @@ e_ews_connection_download_oal_file (EEws
1b1c34
 
1b1c34
 	g_return_if_fail (E_IS_EWS_CONNECTION (cnc));
1b1c34
 
1b1c34
-	soup_message = e_ews_get_msg_for_url (cnc->priv->settings, cnc->priv->uri, NULL, &error);
1b1c34
+	soup_message = e_ews_get_msg_for_url (cnc, cnc->priv->settings, cnc->priv->uri, NULL, &error);
1b1c34
 
1b1c34
 	simple = g_simple_async_result_new (
1b1c34
 		G_OBJECT (cnc), callback, user_data,
1b1c34
diff -up evolution-ews-3.28.5/src/server/e-ews-connection.h.cve-2019-3890 evolution-ews-3.28.5/src/server/e-ews-connection.h
1b1c34
--- evolution-ews-3.28.5/src/server/e-ews-connection.h.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/server/e-ews-connection.h	2019-04-15 09:43:49.689771516 +0200
1b1c34
@@ -426,9 +426,16 @@ ESourceAuthenticationResult
1b1c34
 		e_ews_connection_try_credentials_sync
1b1c34
 						(EEwsConnection *cnc,
1b1c34
 						 const ENamedParameters *credentials,
1b1c34
+						 ESource *use_source,
1b1c34
+						 gchar **out_certificate_pem,
1b1c34
+						 GTlsCertificateFlags *out_certificate_errors,
1b1c34
 						 GCancellable *cancellable,
1b1c34
 						 GError **error);
1b1c34
 ESource *	e_ews_connection_get_source	(EEwsConnection *cnc);
1b1c34
+gboolean	e_ews_connection_get_ssl_error_details
1b1c34
+						(EEwsConnection *cnc,
1b1c34
+						 gchar **out_certificate_pem,
1b1c34
+						 GTlsCertificateFlags *out_certificate_errors);
1b1c34
 const gchar *	e_ews_connection_get_uri	(EEwsConnection *cnc);
1b1c34
 ESoupAuthBearer *
1b1c34
 		e_ews_connection_ref_bearer_auth(EEwsConnection *cnc);
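Review bot: The new `out_certificate_pem` and `out_certificate_errors` parameters in e-ews-connection.h are declared with no statement of ownership or nullability, and `use_source` on e_ews_connection_try_credentials_sync has no description either. The .c side checks both out pointers for NULL in e_ews_autodiscover_ws_url_finish, so they look optional, and the PEM string is presumably newly allocated for the caller to release with g_free(). A short comment above the declarations should confirm this and say when the outputs are set, which is only on a TLS failure as far as this patch shows. It should also state what passing NULL for `use_source` selects, since the address book and calendar backends in this patch pass NULL. The same out parameters are added to e_ews_autodiscover_ws_url_sync and e_ews_autodiscover_ws_url_finish in the next two hunks.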
1b1c34
@@ -469,6 +476,8 @@ gboolean	e_ews_autodiscover_ws_url_sync
1b1c34
 						 CamelEwsSettings *settings,
1b1c34
 						 const gchar *email_address,
1b1c34
 						 const gchar *password,
1b1c34
+						 gchar **out_certificate_pem,
1b1c34
+						 GTlsCertificateFlags *out_certificate_errors,
1b1c34
 						 GCancellable *cancellable,
1b1c34
 						 GError **error);
1b1c34
 void		e_ews_autodiscover_ws_url	(ESource *source,
1b1c34
@@ -481,6 +490,8 @@ void		e_ews_autodiscover_ws_url	(ESource
1b1c34
 gboolean	e_ews_autodiscover_ws_url_finish
1b1c34
 						(CamelEwsSettings *settings,
1b1c34
 						 GAsyncResult *result,
1b1c34
+						 gchar **out_certificate_pem,
1b1c34
+						 GTlsCertificateFlags *out_certificate_errors,
1b1c34
 						 GError **error);
1b1c34
 const gchar *	e_ews_connection_get_mailbox	(EEwsConnection *cnc);
1b1c34
 void		e_ews_connection_set_mailbox	(EEwsConnection *cnc,
1b1c34
diff -up evolution-ews-3.28.5/src/server/e-ews-connection-utils.c.cve-2019-3890 evolution-ews-3.28.5/src/server/e-ews-connection-utils.c
1b1c34
--- evolution-ews-3.28.5/src/server/e-ews-connection-utils.c.cve-2019-3890	2018-07-30 16:01:00.000000000 +0200
1b1c34
+++ evolution-ews-3.28.5/src/server/e-ews-connection-utils.c	2019-04-15 09:43:49.690771516 +0200
1b1c34
@@ -522,8 +522,13 @@ e_ews_connection_utils_prepare_message (
1b1c34
 					GCancellable *cancellable)
1b1c34
 {
1b1c34
 	ESoupAuthBearer *using_bearer_auth;
1b1c34
+	ESource *source;
1b1c34
 	GError *local_error = NULL;
1b1c34
 
1b1c34
+	source = e_ews_connection_get_source (cnc);
1b1c34
+	if (source)
1b1c34
+		e_soup_ssl_trust_connect (message, source);
1b1c34
+
1b1c34
 	if (!ews_connection_utils_maybe_prepare_bearer_auth (cnc, message, cancellable))
1b1c34
 		return FALSE;
1b1c34