Bug #309

imap ssl_connect fails due to missing sni extension

Added by Arie Bikker 10 months ago. Updated 5 months ago.

Status: New
Start date: 11/22/2018
Priority: Normal
Due date:
Assignee: Hiroyuki Yamamoto
% Done: 0%
Category: LibSylph
Spent time: -
Target version: -

Description

Our mail provider uses a load balancer in front of the real server. For this to work the connection needs to be made with an additional "server name identification" (SNI).
Otherwise the connection fails because the balancer/server does not know which certificate to use - and consequently does not send any.
I found a workaround by adding the sni info to the ssl context in the file libsylph/ssl.c with the patch as below.
I am no specialist at ssl-programming, but this works for me. Please review the suggested change and possibly commit.

--->8---- additional sni workaround patch based on 3.7 source
  • libsylph/ssl.c Thu Feb 2 09:02:49 2017
    --- /home/user/src/sylpheed/libsylph_ssl.c Fri Nov 22 10:28:00 2018
    • 239,244 **
      --- 239,245 ----
      return FALSE;
      }
      sockinfo->ssl = SSL_new(ssl_ctx_SSLv23);
      + SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname);
      break;
      case SSL_METHOD_TLSv1:
      if (!ssl_ctx_TLSv1) { *******
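
Review bot: the return value of the added SSL_set_tlsext_host_name() call in the SSLv23 branch is ignored, and sockinfo->ssl is used right after SSL_new() with no NULL check visible in this hunk. The call returns 1 on success and 0 on failure, so a failure would leave the handshake without SNI and reproduce the original symptom silently. sockinfo->hostname is also passed unchecked: RFC 6066 does not permit literal IPv4 or IPv6 addresses in the server_name extension, so the call should be skipped when the hostname is missing or is an IP literal, and a failure should be logged. Setting SNI only tells the server which certificate to present; it does not by itself check that the certificate matches sockinfo->hostname.
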
    • 246,251 ***
      --- 247,253 ----
      return FALSE;
      }
      sockinfo->ssl = SSL_new(ssl_ctx_TLSv1);
      + SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname);
      break;
      default:
      g_warning(_("Unknown SSL method *PROGRAM BUG
      \n"));
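
Review bot: the SSL_set_tlsext_host_name() line added in the TLSv1 case is a verbatim copy of the one in the SSLv23 case, so a method added to this switch later would need its own copy to send SNI. Suggest a single call placed after the switch, once sockinfo->ssl is known to be non-NULL, so the hostname check and the error handling live in one place.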

History

#1 Updated by Antonio Ospite 5 months ago

Duplicate of https://sylpheed.sraoss.jp/redmine/issues/306; this can be closed.
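
To confirm from a packet capture whether a client actually sent SNI, which is the condition this report describes, the following added example parses a TLS ClientHello record and returns the server_name it carries. It is not code from the report or from Sylpheed; the function name, the sample bytes and the host name mail.example.org are constructed for illustration, and it assumes the ClientHello fits in one unfragmented record.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: minimal TLS 1.2 ClientHello record with an all-zero random,
   one cipher suite and a server_name extension for "mail.example.org". */
const uint8_t HELLO[77] = {
    0x16, 3, 1, 0, 0x48,  1, 0, 0, 0x44,  3, 3,        /* record hdr, handshake hdr, version */
    [43] = 0,  0, 2, 0xc0, 0x2f,  1, 0,                /* session_id, cipher_suites, compression */
    0, 0x19,  0, 0,  0, 0x15,  0, 0x13,  0,  0, 0x10,  /* ext block, type 0, lengths, host_name */
    'm','a','i','l','.','e','x','a','m','p','l','e','.','o','r','g'
};

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Returns the host_name length (copied NUL-terminated into out), 0 when the hello
   has no server_name extension, -1 when malformed. Assumes one unfragmented record. */
int clienthello_sni(const uint8_t *b, size_t n, char *out, size_t outsz)
{
    size_t p = 43, end, len, nl;                 /* 43 = headers + version + random */
    if (n < 9 || b[0] != 0x16 || b[5] != 0x01) return -1;
    end = 5 + rd16(b + 3);
    if (end > n || p + 1 > end) return -1;
    p += 1 + b[p];                               /* session_id */
    if (p + 2 > end) return -1;
    p += 2 + rd16(b + p);                        /* cipher_suites */
    if (p + 1 > end) return -1;
    p += 1 + b[p];                               /* compression_methods */
    if (p == end) return 0;                      /* no extensions block at all */
    if (p + 2 > end || p + 2 + rd16(b + p) > end) return -1;
    end = p + 2 + rd16(b + p);
    for (p += 2; p + 4 <= end; p += len) {
        size_t type = rd16(b + p);
        len = rd16(b + p + 2);
        p += 4;
        if (p + len > end) return -1;
        if (type != 0) continue;                 /* not server_name (extension type 0) */
        /* server_name_list: list_len(2) name_type(1) name_len(2) name */
        if (len < 5 || b[p + 2] != 0) return -1;
        nl = rd16(b + p + 3);
        if (5 + nl > len || nl + 1 > outsz) return -1;
        memcpy(out, b + p + 5, nl);
        out[nl] = '\0';
        return (int)nl;
    }
    return 0;
}

int main(void) { char h[256]; return clienthello_sni(HELLO, sizeof HELLO, h, sizeof h) == 16 ? 0 : 1; }
```

A return of 0 on a capture from the affected client matches the symptom in this report: the hello carried no server_name.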
