Bug #309

imap ssl_connect fails due to missing sni extension

Added by Arie Bikker 21 days ago.

Status: New
Start date: 11/22/2018
Priority: Normal
Due date:
Assignee: Hiroyuki Yamamoto
% Done: 0%
Category: LibSylph
Spent time: -
Target version: -

Description

Our mail provider uses a load balancer in front of the real server. For this to work, the connection needs to be made with an additional "server name identification" (SNI).
Otherwise the connection fails because the balancer/server does not know which certificate to use - and consequently does not send any.
I found a workaround by adding the SNI info to the SSL context in the file libsylph/ssl.c with the patch below.
I am no specialist at SSL programming, but this works for me. Please review the suggested change and possibly commit.

--->8---- additional sni workaround patch based on 3.7 source
  • libsylph/ssl.c Thu Feb 2 09:02:49 2017
    --- /home/user/src/sylpheed/libsylph_ssl.c Fri Nov 22 10:28:00 2018
    • 239,244 **
      --- 239,245 ----
      return FALSE;
      }
      sockinfo->ssl = SSL_new(ssl_ctx_SSLv23);
      + SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname);
      break;
      case SSL_METHOD_TLSv1:
      if (!ssl_ctx_TLSv1) { *******
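
Review bot: The return value of SSL_set_tlsext_host_name() on the line added in the SSLv23 branch is ignored, and sockinfo->hostname is passed to it unchecked. The call returns 0 on failure, in which case the handshake would go ahead without the extension and the original symptom would come back with nothing logged. Suggest skipping the call when sockinfo->hostname is NULL or an IP literal (RFC 6066 does not permit literal addresses in the server name) and emitting a g_warning when the call returns 0.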
    • 246,251 ***
      --- 247,253 ----
      return FALSE;
      }
      sockinfo->ssl = SSL_new(ssl_ctx_TLSv1);
      + SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname);
      break;
      default:
      g_warning(_("Unknown SSL method *PROGRAM BUG
      \n"));
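
Review bot: The line added in the TLSv1 branch is an exact copy of the one added in the SSLv23 branch, so any method added to this switch later will silently connect without SNI unless the call is copied a third time. Suggest a single call placed after the switch, on the path that continues once sockinfo->ssl has been assigned, rather than one per case.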
