Bug#916041: libc-client2007e: add SNI support

Sun, 09 Dec 2018 07:16:09 -0800 

Package: libc-client2007e
Version: 8:2007f~dfsg-5
Severity: important
Tags: patch

Dear Maintainer,

When used with openssl 1.1.1 this library cannot work with Google IMAP servers
because Google wants SNI request if client supports TLS 1.3.

This breaks simple php script:
$hostname = '{imap.googlemail.com:993/imap/ssl}INBOX';
$username = '...';
$password = '...';
$inbox = imap_open($hostname, $username, $password) or die(imap_last_error());


More information here:
https://mta.openssl.org/pipermail/openssl-project/2018-April/000628.html
https://mta.openssl.org/pipermail/openssl-project/2018-April/000635.html


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (450, 'stable'), (150, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), 
LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages libc-client2007e depends on:
ii  libc6             2.24-11+deb9u1
ii  libcom-err2       1.44.4-2
ii  libgssapi-krb5-2  1.15-1+deb9u1
ii  libk5crypto3      1.15-1+deb9u1
ii  libkrb5-3         1.15-1+deb9u1
ii  libpam-modules    1.1.8-3.6
ii  libpam0g          1.1.8-3.6
ii  libssl1.1         1.1.1-2+0~20181105132527.5+stretch~1.gbp90eb86
ii  mlock             8:2007f~dfsg-5

libc-client2007e recommends no packages.

Versions of packages libc-client2007e suggests:
pn  uw-mailutils  <none>

-- no debconf information

Add SNI support for openssl 1.1.1Index: 
uw-imap-2007f~dfsg/src/osdep/unix/ssl_unix.c
===================================================================
--- uw-imap-2007f~dfsg.orig/src/osdep/unix/ssl_unix.c
+++ uw-imap-2007f~dfsg/src/osdep/unix/ssl_unix.c
@@ -266,6 +266,9 @@ static char *ssl_start_work (SSLSTREAM *
                                /* create connection */
   if (!(stream->con = (SSL *) SSL_new (stream->context)))
     return "SSL connection failed";
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+  SSL_set_tlsext_host_name(stream->con,host);
+#endif
   bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
   SSL_set_bio (stream->con,bio,bio);
   SSL_set_connect_state (stream->con);

Reply via email to