Bug #306
IMAP connection to imap.gmail.com returns self-signed certificate when SNI not set
0%
Description
Hi,
since Debian unstable updated OpenSSL to 1.1.1~~pre9 I am getting a self-signed certificate from image.gmail.com:
LibSylph-Message: 10:07:12.055: creazione della connessione IMAP4 a imap.gmail.com:993 ... sock_connect_async_thread_wait: waiting thread Reloading /etc/resolv.conf sock_connect_async_func: connected sock_connect_async_func: exit sock_info_connect_async_thread_wait: thread exited with status 0 Connessione SSL usando ECDHE-RSA-CHACHA20-POLY1305 SSL protocol version: TLSv1.2 Certificato del server: Oggetto: /OU=No SNI provided; please fix your client./CN=invalid2.invalid Distributore: /OU=No SNI provided; please fix your client./CN=invalid2.invalid SHA1 fingerprint: 42:59:51:7c:d4:e4:8a:28:9d:33:2a:b3:f0:ab:52:a3:66:32:28:24 MD5 fingerprint: 90:4a:c8:d5:44:5a:d0:6a:8a:10:ff:cd:8b:11:be:16
I am not sure this is because this OpenSSL version prefers TLSv1.3 and/or something changed on gmail servers.
This is the same issue as in https://bugzilla.redhat.com/show_bug.cgi?id=1611815
The attached patch fixes the issue.
I can send a v2 of the patch which checks the return value if this is preferred.
Thanks,
Antonio
Files
Updated by Ricardo Mones about 4 years ago
Is that function available in all OpenSSL versions?
If not the patch needs checking for that function in configure.ac and setting an appropriate variable (e.g. HAS_SSL_set_tlsext_host_name) and surround the added line with #if HAS_SSL_set_tlsext_host_name ... #endif.
Alternatively you can check for the required version of OpenSSL where this function appears in configure.ac.
Otherwise when building with library versions lacking that function it will fail.
Updated by Antonio Ospite about 4 years ago
Ricardo Mones wrote:
Is that function available in all OpenSSL versions?
By looking at the git history, the function was added in commit ed3883d21b (Support TLS extensions (specifically, HostName), 2006-01-02):
https://github.com/openssl/openssl/commit/ed3883d21bb4ddfc21ec9d154e14e84c85db164d#diff-438f1b0413c10e826c8a334445f9d30eR113
The result of "git tag --contains ed3883d21b" tells that it's available since OpenSSL_0_9_8k.
The Windows port of Sylpheed relies on 0.9.8zh:
- 3.5.0 (stable)
... * Win32: OpenSSL was updated to v0.9.8zh.
So this part is covered.
Debian is also OK as shown by "rmadison openssl".
However I agree that some safeguard check can be put in place for older systems.
If not the patch needs checking for that function in configure.ac and setting an appropriate variable (e.g. HAS_SSL_set_tlsext_host_name) and surround the added line with #if HAS_SSL_set_tlsext_host_name ... #endif.
Alternatively you can check for the required version of OpenSSL where this function appears in configure.ac.
Otherwise when building with library versions lacking that function it will fail.
We can either use "#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME" or set the minimum supported version of openssl in configure.ac to what Hiro-san decides.
I'll submit a patch with the former option for distributions to use now, and wait for Hiro-san for the final upstream version.
Would that be OK?
Thanks,
Antonio
Updated by Antonio Ospite about 4 years ago
- File v2-0001-libsylph-ssl.c-Support-SNI-some-servers-imap.gmai.patch v2-0001-libsylph-ssl.c-Support-SNI-some-servers-imap.gmai.patch added
Antonio Ospite wrote:
I'll submit a patch with the former option for distributions to use now, and wait for Hiro-san for the final upstream version.
Attaching v2 of the patch.
Ciao,
Antonio
Updated by George Koehler almost 3 years ago
OpenBSD's package of sylpheed now patches this bug. It is the v2 patch from the previous comment, plus an additional error check on SSL_set_tlsext_host_name(). I left the check #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME in the patch, but we don't need this check in OpenBSD. This is the patch in OpenBSD:
Index: libsylph/ssl.c
--- libsylph/ssl.c.orig
+++ libsylph/ssl.c
@@ -258,6 +258,13 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinf
return FALSE;
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
+ g_warning("Error setting servername extension\n");
+ return FALSE;
+ }
+#endif
+
SSL_set_fd(sockinfo->ssl, sockinfo->sock);
while ((ret = SSL_connect(sockinfo->ssl)) != 1) {
err = SSL_get_error(sockinfo->ssl, ret);
Updated by replica watches 9 months ago
https://www.bestwatchaaa.com/Ebel-replica.html replica https://www.replicawatchsshop.cc/Audemars-Piguet-Replica.html https://www.hotwatchsreplica.com/Graham.html https://www.hotwatchsreplica.com/Bell-Ross.html https://www.bestwatchss.com/Ulysse-Nardin-Replica-Watches.html are https://www.allshopwatch.com/Glashutte-a-hot.html https://www.allshopwatch.com/R-M-a-hot.html https://www.allshopwatch.com/Blancpain-a-hot.html the https://www.replicawatchsshop.cc/Glashutte-Original-Replica.html https://www.allshopwatch.com/Longines-a-hot.html https://www.hotwatchsreplica.com/Oris.html https://www.replicawatchsshop.cc/Oris-Replica.html https://www.hotwatchsreplica.com/ https://www.replicawatchsshop.cc/ https://www.allshopwatch.com/Harry-Winston-a-hot.html Replica https://www.replicawatchsshop.cc/Hublot-Replica.html watches https://www.hotwatchsreplica.com/Jacob-Co.html https://www.allshopwatch.com/Philip-Stein-a-hot.html https://www.bestwatchaaa.com/Bulgari-replica.html https://www.allshopwatch.com/A.-Lange-Sohne-a-hot.html https://www.replicawatchsshop.cc/IWC-Replica.html as https://www.allshopwatch.com/Breitling-a-hot.html https://www.bestwatchaaa.com/Zenith-replica.html https://www.replicawatchsshop.cc/Bvlgari-Replica.html in https://www.bestwatchss.com/Chronoswiss-Replica-Watches.html https://www.hotwatchsreplica.com/Chopard.html https://www.bestwatchss.com/Porsche-Design-Replica-Watches.html https://www.bestwatchaaa.com/Blancpain-replica.html https://www.bestwatchss.com/Cartier-Replica-Watches.html https://www.allshopwatch.com/Piaget-a-hot.html https://www.hotwatchsreplica.com/Panerai.html https://www.replicawatchsshop.cc/Panerai-Replica.html https://www.allshopwatch.com/Vacheron-Constantin-a-hot.html https://www.bestwatchss.com/Montblanc-Replica-Watches.html https://www.bestwatchss.com/Bvlgari-Replica-Watches.html https://www.hotwatchsreplica.com/Ebel.html ones.
Updated by Aurora Harris 2 months ago
The guide to connecting IMAP with imap.gmail.com returning self-signed certificate https://driftboss.net when not setting SNI that you share is very detailed and easy to follow, https://smash-karts.com thanks for sharing how to fix this connection error.
Updated by seo mind 2 months ago
I found Hubwit as a transparent s ite, a social hub which is a conglomerate of Buyers and Sellers who are ready to offer online digital consultancy at decent cost. Matilda Jane
Updated by seo mind 2 months ago
A good blog always comes-up with new and exciting information and while reading I have feel that this blog is really have all those quality that qualify a blog to be a one. Matilda Jane
Updated by seo mind 2 months ago
Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging, OPM Wealth
Updated by seo mind 2 months ago
Mmm.. good to be here in your article or post, whatever, I think I should also work hard for my own website like I see some good and updated working in your site. OPM Wealth
Updated by seo mind 2 months ago
It is perfect time to make some plans for the future and it is time to be happy. I’ve read this post and if I could I desire to suggest you few interesting things or tips. Perhaps you could write next articles referring to this article. I want to read more things about it! OPM Wealth
Updated by seo mind 2 months ago
It is the intent to provide valuable information and best practices, including an understanding of the regulatory process. Data Dollars Pro
Updated by seo mind 2 months ago
I'm happy to see the considerable subtle element here!. Data Dollars Pro