Package: curl
Version: 7.88.1-10+deb12u5
Severity: normal
Tags: upstream
X-Debbugs-Cc: dan...@haxx.se, debbug.c...@sideload.33mail.com

cURL is unable to get a list of emails via POP3 from any of the
onionmail.info servers¹. These servers are fragile with quality issues
that show astonishing behaviour in some cases, but fetchmail works
nonetheless. cURL should be able to emulate the working fetchmail
session.

The access instructions from the server (which may have changed):

  ===8<----------------------------------------
  POP3 Server   yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  Server type   POP3
  Server Port   110
  SSL Mode      Use SSL via STLS (TLS)
  Password type Clear
  Connect via   TOR network
  ===8<----------------------------------------

Fetchmail has no problem accessing the server. A successful fetchmail
transcript looks like this:

  ===8<----------------------------------------
  fetchmail: 6.4.37 querying onionmail (protocol POP3) at Sat 11 May 2024 00:00:00 AM CEST: poll started
  fetchmail: Trying to connect to 127.0.0.1/12345...connected.
  fetchmail: POP3< +OK POP3 yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion INF N/A t2gi9
  fetchmail: POP3> CAPA
  fetchmail: POP3< +OK Capability list follows
  fetchmail: POP3< USER
  fetchmail: POP3< LOGIN-DELAY 900
  fetchmail: POP3< EXPIRE 30
  fetchmail: POP3< UIDL
  fetchmail: POP3< STLS
  fetchmail: POP3< STARTTLS
  fetchmail: POP3< RQUS
  fetchmail: POP3< RQEX
  fetchmail: POP3< IMPLEMENTATION POP3
  fetchmail: POP3< .
  fetchmail: POP3> STLS
  fetchmail: POP3< +OK Begin TLS negotiation
  fetchmail: Loaded OpenSSL library 0x300000b0 newer than headers 0x30000080, trying to continue.
  fetchmail: Server certificate:
  fetchmail: Issuer Organization: anonmail
  fetchmail: Issuer CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Subject CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Server CommonName mismatch: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion != 127.0.0.1
  fetchmail: onionmail key fingerprint: 25:95:69:E6:A9:3A:97:7B:B1:4A:4B:36:09:14:EF:93
  fetchmail: Server certificate verification error: unable to get local issuer certificate
  fetchmail: Broken certification chain at: /ST=onionland/OU=anonmail/O=anonmail/C=XX/CN=yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about.  For details, please see the README.SSL-SERVER document that ships with fetchmail.
  fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
  fetchmail: Server certificate:
  fetchmail: Issuer Organization: anonmail
  fetchmail: Issuer CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Subject CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Server CommonName mismatch: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion != 127.0.0.1
  fetchmail: Server certificate verification error: hostname mismatch
  fetchmail: Server certificate:
  fetchmail: Issuer Organization: anonmail
  fetchmail: Issuer CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Subject CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Server CommonName mismatch: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion != 127.0.0.1
  fetchmail: Server certificate verification error: unable to verify the first certificate
  fetchmail: Server certificate:
  fetchmail: Issuer Organization: anonmail
  fetchmail: Issuer CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Subject CommonName: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  fetchmail: Server CommonName mismatch: yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion != 127.0.0.1
  fetchmail: SSL/TLS: using protocol TLSv1.2, cipher AES256-GCM-SHA384, 256/256 secret/processed bits
  fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
  fetchmail: 127.0.0.1: upgrade to TLS succeeded.
  fetchmail: POP3> CAPA
  fetchmail: POP3< +OK Capability list follows
  fetchmail: POP3< USER
  fetchmail: POP3< LOGIN-DELAY 900
  fetchmail: POP3< EXPIRE 30
  fetchmail: POP3< UIDL
  fetchmail: POP3< RQUS
  fetchmail: POP3< RQEX
  fetchmail: POP3< IMPLEMENTATION POP3
  fetchmail: POP3< .
  fetchmail: POP3> USER mannysUID
  fetchmail: POP3< +OK
  fetchmail: POP3> PASS *
  fetchmail: POP3< +OK
  fetchmail: POP3> STAT
  fetchmail: POP3< +OK 0 0
  fetchmail: No mail for onionsoup at onionmail
  fetchmail: POP3> QUIT
  fetchmail: POP3< +OK 0 messages deleted
  fetchmail: 6.4.37 querying onionmail (protocol POP3) at Sat 11 May 2024 00:00:00 AM CEST: poll completed
  fetchmail: normal termination, status 1
  ===8<----------------------------------------

This is the cURL version attempting the same session:

  ===8<----------------------------------------
  $ curl --socks4a 127.0.0.1:9050 --ssl -k --trace-ascii - --user "$mannysUID:$mannysPW" --list-only pop3://yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion:110
  == Info:   Trying 127.0.0.1:9050...
  == Info: Connected to 127.0.0.1 (127.0.0.1) port 9050 (#0)
  == Info: SOCKS4 communication to yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion:110
  == Info: SOCKS4a request granted.
  == Info: Connected to 127.0.0.1 (127.0.0.1) port 9050 (#0)
  <= Recv header, 87 bytes (0x57)
  0000: +OK POP3 yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dq
  0040: d.onion INF N/A t2gi9
  => Send header, 6 bytes (0x6)
  0000: CAPA
  <= Recv header, 29 bytes (0x1d)
  0000: +OK Capability list follows
  <= Recv header, 6 bytes (0x6)
  0000: USER
  <= Recv header, 17 bytes (0x11)
  0000: LOGIN-DELAY 900
  <= Recv header, 11 bytes (0xb)
  0000: EXPIRE 30
  <= Recv header, 6 bytes (0x6)
  0000: UIDL
  <= Recv header, 6 bytes (0x6)
  0000: STLS
  <= Recv header, 10 bytes (0xa)
  0000: STARTTLS
  <= Recv header, 6 bytes (0x6)
  0000: RQUS
  <= Recv header, 6 bytes (0x6)
  0000: RQEX
  <= Recv header, 21 bytes (0x15)
  0000: IMPLEMENTATION POP3
  <= Recv header, 3 bytes (0x3)
  0000: .
  => Send header, 6 bytes (0x6)
  0000: STLS
  <= Recv header, 27 bytes (0x1b)
  0000: +OK Begin TLS negotiation
  => Send SSL data, 5 bytes (0x5)
  0000: .....
  == Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
  => Send SSL data, 512 bytes (0x200)
  [blob snipped]
  <= Recv SSL data, 5 bytes (0x5)
  0000: ....C
  == Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
  <= Recv SSL data, 85 bytes (0x55)
  0000: ...Q..f?<Z..~h,.w.........W..J...a..x. f?<Z.o...K.8......V:.-...
  0040: d..(:.3..............
  == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
  <= Recv SSL data, 1002 bytes (0x3ea)
  [blob snipped]
  == Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
  <= Recv SSL data, 4 bytes (0x4)
  0000: ....
  => Send SSL data, 5 bytes (0x5)
  0000: .....
  == Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  => Send SSL data, 262 bytes (0x106)
  [blob snipped]
  => Send SSL data, 5 bytes (0x5)
  0000: .....
  == Info: TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  => Send SSL data, 1 bytes (0x1)
  0000: .
  => Send SSL data, 5 bytes (0x5)
  0000: ....(
  == Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
  => Send SSL data, 16 bytes (0x10)
  0000: .....$..5Pp$p...
  <= Recv SSL data, 5 bytes (0x5)
  0000: .....
  <= Recv SSL data, 5 bytes (0x5)
  0000: ....(
  == Info: TLSv1.2 (IN), TLS handshake, Finished (20):
  <= Recv SSL data, 16 bytes (0x10)
  0000: ....W...6..$F@0.
  == Info: SSL connection using TLSv1.2 / AES256-GCM-SHA384
  == Info: Server certificate:
  == Info:  subject: ST=onionland; OU=anonmail; O=anonmail; C=XX; CN=yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  == Info:  start date: Jun  5 22:16:19 2021 GMT
  == Info:  expire date: Mar 19 22:16:19 2032 GMT
  == Info:  issuer: ST=onionland; OU=anonmail; O=anonmail; C=XX; CN=yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion
  == Info:  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
  => Send SSL data, 5 bytes (0x5)
  0000: .....
  => Send header, 6 bytes (0x6)
  0000: CAPA
  <= Recv SSL data, 5 bytes (0x5)
  0000: .....
  <= Recv header, 29 bytes (0x1d)
  0000: +OK Capability list follows
  <= Recv header, 6 bytes (0x6)
  0000: USER
  <= Recv header, 17 bytes (0x11)
  0000: LOGIN-DELAY 900
  <= Recv header, 11 bytes (0xb)
  0000: EXPIRE 30
  <= Recv header, 6 bytes (0x6)
  0000: UIDL
  <= Recv header, 6 bytes (0x6)
  0000: RQUS
  <= Recv header, 6 bytes (0x6)
  0000: RQEX
  <= Recv header, 21 bytes (0x15)
  0000: IMPLEMENTATION POP3
  <= Recv header, 3 bytes (0x3)
  0000: .
  => Send SSL data, 5 bytes (0x5)
  0000: ....(
  => Send header, 20 bytes
  0000: USER mannysUID
  <= Recv SSL data, 5 bytes (0x5)
  0000: .....
  <= Recv header, 5 bytes (0x5)
  0000: +OK
  => Send SSL data, 5 bytes (0x5)
  0000: ....F
  => Send header, 50 bytes
  0000: PASS mannysPW
  <= Recv SSL data, 5 bytes (0x5)
  0000: ....,
  <= Recv header, 20 bytes (0x14)
  0000: -ERR Access denied
  == Info: Access denied. -
  == Info: Closing connection 0
  => Send SSL data, 5 bytes (0x5)
  0000: .....
  == Info: TLSv1.2 (OUT), TLS alert, close notify (256):
  => Send SSL data, 2 bytes (0x2)
  0000: ..
  ===8<----------------------------------------

The two sessions are similar. The 1st line below is a condensed
version of the sequence of commands sent by fetchmail, and the 2nd is
the same for cURL:

  1. CAPA, STLS, (TLSv1.2 negotiated), CAPA, USER, PASS, STAT, (happy ending)
  2. CAPA, STLS, (TLSv1.2 negotiated), CAPA, “....(”, USER, “....F”, PASS, (auth.fail)

Notice that curl sends a 5 byte binary blob before sending the USER
construct and then another 5 byte blob before sending the PASS
construct. What is that?  Apparently it’s causing access to be denied.

As an extra experiment, explicit SSL was tried by adding an “s” to the
scheme, apparently revealing another unrelated bug:

  ===8<----------------------------------------
  $ curl --socks4a 127.0.0.1:9050 --tls-max 1.2 -k --trace-ascii - --user "$mannysUID:$mannysPW" --list-only pop3s://yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion:110
  == Info:   Trying 127.0.0.1:9050...
  == Info: Connected to 127.0.0.1 (127.0.0.1) port 9050 (#0)
  == Info: SOCKS4 communication to yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion:110
  == Info: SOCKS4a request granted.
  == Info: Connected to 127.0.0.1 (127.0.0.1) port 9050 (#0)
  => Send SSL data, 5 bytes (0x5)
  0000: .....
  == Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
  => Send SSL data, 250 bytes (0xfa)
  [blob snipped]
  <= Recv SSL data, 5 bytes (0x5)
  0000: +OK P
  == Info: OpenSSL/3.0.11: error:0A00010B:SSL routines::wrong version number
  == Info: Closing connection 0
  curl: (35) OpenSSL/3.0.11: error:0A00010B:SSL routines::wrong version number
  ===8<----------------------------------------

This configuration was not necessarily expected to work on this
server, but it seems like the error message here reflects an
interoperability problem between OpenSSL and curl. It resembles this
bug:

  https://github.com/curl/curl/issues/9931

Note that curl 7.88.1 should already be fixed w.r.t. that bug.

footnotes:

  ¹ https://onionmail.info/directory.html

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-28-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages curl depends on:
ii  libc6     2.36-9+deb12u6
ii  libcurl4  7.88.1-10+deb12u5
ii  zlib1g    1:1.2.13.dfsg-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
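The report's two sessions both follow the POP3 CAPA → STLS → CAPA → USER/PASS upgrade sequence. The point a practitioner would check here is what the client does when the plaintext CAPA does not advertise STLS: curl's --ssl (used in the report) is documented as "try TLS, otherwise continue unencrypted", whereas --ssl-reqd fails instead of sending credentials in the clear. The following is an added example, not code from the report, from curl or from fetchmail. The first two CAPA responses are reconstructed from the capability lists in the fetchmail transcript above (before and after the TLS upgrade); the third, with STLS removed, is a constructed input standing in for an on-path attacker or a misbehaving server. The policy names "reqd", "try" and "none" are this example's own labels for --ssl-reqd, --ssl and no TLS option.

```python
# Constructed transcripts (assumption): the two CAPA responses from the report,
# CRLF-terminated and ending in a lone "." as RFC 2449 requires.
CAPA_PLAINTEXT = (b"+OK Capability list follows\r\nUSER\r\nLOGIN-DELAY 900\r\nEXPIRE 30\r\n"
                  b"UIDL\r\nSTLS\r\nSTARTTLS\r\nRQUS\r\nRQEX\r\nIMPLEMENTATION POP3\r\n.\r\n")
CAPA_AFTER_TLS = (b"+OK Capability list follows\r\nUSER\r\nLOGIN-DELAY 900\r\nEXPIRE 30\r\n"
                  b"UIDL\r\nRQUS\r\nRQEX\r\nIMPLEMENTATION POP3\r\n.\r\n")
# Constructed: the same server with the STLS/STARTTLS lines stripped in transit.
CAPA_STRIPPED = b"+OK Capability list follows\r\nUSER\r\nUIDL\r\nIMPLEMENTATION POP3\r\n.\r\n"


def parse_capa(resp: bytes) -> dict:
    """Parse a POP3 CAPA multi-line response into {CAPABILITY: [args]}."""
    lines = resp.split(b"\r\n")
    if not lines or not lines[0].startswith(b"+OK"):
        raise ValueError("CAPA not accepted: " + lines[0].decode(errors="replace"))
    caps = {}
    for line in lines[1:]:
        if line == b".":
            return caps
        if line.startswith(b".."):          # byte-stuffed leading dot (RFC 1939 section 3)
            line = line[1:]
        parts = line.decode("ascii").split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    raise ValueError("CAPA response not terminated by '.'")


def next_step(caps: dict, tls_policy: str, tls_active: bool) -> str:
    """
    Decide what the client does after reading CAPA.
    tls_policy: "reqd" (curl --ssl-reqd), "try" (curl --ssl) or "none".
    Returns "STLS" (upgrade now), "LOGIN" (send USER/PASS) or "ABORT".
    """
    if tls_active:
        return "LOGIN"                      # already upgraded; STLS is not offered again
    if "STLS" in caps and tls_policy in ("reqd", "try"):
        return "STLS"
    if tls_policy == "reqd":
        return "ABORT"                      # STLS withheld: refuse to send credentials
    return "LOGIN"                          # "try" and "none" both fall back to cleartext


def plan(capa_responses: list, tls_policy: str) -> list:
    """Walk CAPA -> STLS -> CAPA -> login over the given responses, recording decisions."""
    actions, tls_active = [], False
    for resp in capa_responses:
        step = next_step(parse_capa(resp), tls_policy, tls_active)
        actions.append(step)
        if step != "STLS":
            break
        tls_active = True                   # a real client runs the TLS handshake here
    if actions[-1] == "LOGIN":
        actions.append("creds over TLS" if tls_active else "creds in CLEARTEXT")
    return actions


if __name__ == "__main__":
    print("--ssl,  honest server :", plan([CAPA_PLAINTEXT, CAPA_AFTER_TLS], "try"))
    print("--ssl,  STLS stripped :", plan([CAPA_STRIPPED], "try"))
    print("--ssl-reqd, stripped  :", plan([CAPA_STRIPPED], "reqd"))
```

With the honest responses both policies reach the login over TLS; with STLS stripped, "try" logs in over cleartext while "reqd" aborts before USER is sent, which is why --ssl-reqd is the option to use when credentials are involved. The report's -k separately disables certificate verification, so even the upgraded session is not authenticated; for a self-signed .onion certificate like this one, curl's --pinnedpubkey or --cacert with the server's own certificate gives a verified connection without a public CA.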

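The 5-byte "Send SSL data" entries that precede USER and PASS in the curl trace, and the 5 bytes "+OK P" that the pop3s:// attempt received, can both be read with the same check: decode them as a TLS record header (content type, protocol version, length). The following is an added example, not code from the report or from curl or OpenSSL. --trace-ascii prints non-printable bytes as ".", so only the last byte of each header is visible in the trace ("(" and "F"); the other four bytes are reconstructed here on the assumption of a TLS 1.2 application_data record, which is what the negotiated TLSv1.2 / AES256-GCM-SHA384 session sends, and the plaintext length derivation assumes that cipher suite's 8-byte explicit nonce and 16-byte tag. The example also reproduces the record-layer version check that makes OpenSSL report "wrong version number" when the first bytes after the ClientHello are a plaintext POP3 greeting rather than a ServerHello.

```python
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Record-layer versions a client accepts; anything else is "wrong version number".
KNOWN_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# TLS 1.2 AES-GCM framing: 8-byte explicit nonce before, 16-byte tag after the ciphertext.
GCM_OVERHEAD = 8 + 16


def parse_record_header(hdr: bytes) -> dict:
    """Decode a 5-byte TLS record header: type(1) | version(2) | length(2), big-endian."""
    if len(hdr) != 5:
        raise ValueError("a TLS record header is exactly 5 bytes")
    ctype, version, length = struct.unpack("!BHH", hdr)
    return {
        "type": CONTENT_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
        "version": KNOWN_VERSIONS.get(version),      # None when not a TLS version
        "version_raw": version,
        "length": length,
        "valid": ctype in CONTENT_TYPES and version in KNOWN_VERSIONS,
    }


def plaintext_len(hdr: bytes) -> int:
    """Plaintext bytes carried by a TLS 1.2 AES-GCM application_data record of this size."""
    rec = parse_record_header(hdr)
    if not rec["valid"] or rec["type"] != "application_data":
        raise ValueError("not a valid application_data record header")
    return rec["length"] - GCM_OVERHEAD


def openssl_verdict(first5: bytes) -> str:
    """
    Classify the first 5 bytes read after sending ClientHello the way the record
    layer does: the major version byte must be 3 (SSLv3/TLS) or the handshake fails
    with "wrong version number" before anything else is looked at.
    """
    rec = parse_record_header(first5)
    if rec["version_raw"] >> 8 != 3:
        return "wrong version number"
    if rec["type"] != "handshake":
        return "unexpected record type"
    return "ok"


# Constructed from the trace (assumption): only the low length byte is printable.
BEFORE_USER = b"\x17\x03\x03\x00("   # shown as "....(" before "USER mannysUID"
BEFORE_PASS = b"\x17\x03\x03\x00F"   # shown as "....F" before "PASS ..."
# Exactly what the pop3s:// attempt received: a plaintext POP3 greeting, not TLS.
POP3_GREETING = b"+OK P"

if __name__ == "__main__":
    for name, hdr in (("before USER", BEFORE_USER), ("before PASS", BEFORE_PASS)):
        rec = parse_record_header(hdr)
        print(name, rec["type"], rec["version"], "record", rec["length"],
              "bytes ->", plaintext_len(hdr), "bytes of POP3 plaintext")
    print("pop3s greeting:", parse_record_header(POP3_GREETING), openssl_verdict(POP3_GREETING))
```

Both headers decode as TLSv1.2 application_data records of 40 and 70 bytes; subtracting the GCM framing gives 16 and 46 bytes of POP3 plaintext, and 16 is exactly "USER mannysUID" plus CRLF (the byte counts printed beside the redacted USER and PASS lines in the trace, 20 and 50, do not match the text shown there). The greeting "+OK P" decodes as content type 0x2B with version 0x4F4B ("OK"), so the record layer rejects it on the version check, which is the behaviour expected when TLS-on-connect is attempted against a port that speaks plaintext POP3 and offers STLS instead.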