On Tue, 19 Apr 2016 07:45:27 +0100, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016/04/19 07:54, Vincent Gross wrote: > > Some people may have witnessed my struggle of the past few days to > > connect claws-mail to my mail server. Long story short : server only > > accepts TLS 1.2, claws-mail connects with TLS 1.0. > > > > The culprit here is libetpan v1.6, which calls TLSv1_client_method() > > before the TLS handshake. The diff below fixes the issue, claws-mail > > happily synchronized my imap folders when applied. > > > > Ok ? > > Would you mind using the diff that was committed upstream instead? It > makes it a little easier for future updates (i.e. when they have a new > release) if the patches are the same. > > https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch > > Needs a REVISION bump too. > claws-mail-wise, it's ok here's the diff I used. Vincent, does it fix your problem?
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/libetpan/Makefile,v
retrieving revision 1.19
diff -u -p -r1.19 Makefile
--- Makefile 11 Mar 2016 19:59:15 -0000 1.19
+++ Makefile 19 Apr 2016 12:11:32 -0000
@@ -6,7 +6,7 @@ GH_ACCOUNT= dinhviethoa
 GH_PROJECT= libetpan
 GH_TAGNAME= 1.6
 DISTNAME= libetpan-1.6
-REVISION= 0
+REVISION= 1
 CATEGORIES= mail devel
 SHARED_LIBS= etpan 15.0
Index: patches/patch-src_data-types_mailstream_ssl_c
===================================================================
RCS file: patches/patch-src_data-types_mailstream_ssl_c
diff -N patches/patch-src_data-types_mailstream_ssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_data-types_mailstream_ssl_c 19 Apr 2016 12:11:32 -0000
@@ -0,0 +1,66 @@
+$OpenBSD$
+
+When encrypting the connection with STARTTLS the only method
+allowed was TLSv1. Change this to allow TLSv1.2 (or whatever the
+strongest method is).
+
+Additionally tls_data_new() and ssl_data_new() did the same (with
+exception to the nailed method in tls_data_new()), so drop one
+of them.
+https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch
+
+--- src/data-types/mailstream_ssl.c.orig Tue Apr 19 14:04:46 2016
++++ src/data-types/mailstream_ssl.c Tue Apr 19 14:03:25 2016
+@@ -485,15 +485,21 @@ again:
+ static struct mailstream_ssl_data * ssl_data_new(int fd, time_t timeout,
+ void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data)
+ {
+- return ssl_data_new_full(fd, timeout, SSLv23_client_method(), callback, cb_data);
++ return ssl_data_new_full(fd, timeout,
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
++ TLS_client_method(),
++#else
++ /* Despite their name the SSLv23_*method() functions have nothing to do
++ * with the availability of SSLv2 or SSLv3. What these functions do is
++ * negotiate with the peer the highest available SSL/TLS protocol version
++ * available. The name is as it is for historic reasons. This is a very
++ * common confusion and is the main reason why these names have been
++ * deprecated in the latest dev version of OpenSSL. */
++ SSLv23_client_method(),
++#endif
++ callback, cb_data);
+ }
+ 
+-static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout,
+- void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data)
+-{
+- return ssl_data_new_full(fd, timeout, TLSv1_client_method(), callback, cb_data);
+-}
+-
+ #else
+ 
+ static struct mailstream_ssl_context * mailstream_ssl_context_new(gnutls_session session, int fd);
+@@ -625,11 +631,6 @@ static struct mailstream_ssl_data * ssl_data_new(int f
+ err:
+ return NULL;
+ }
+-static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout,
+- void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data)
+-{
+- return ssl_data_new(fd, timeout, callback, cb_data);
+-}
+ #endif
+ 
+ static void ssl_data_free(struct mailstream_ssl_data * ssl_data)
+@@ -681,10 +682,7 @@ static mailstream_low * mailstream_low_ssl_open_full(i
+ mailstream_low * s;
+ struct mailstream_ssl_data * ssl_data;
+ 
+- if (starttls)
+- ssl_data = tls_data_new(fd, timeout, callback, cb_data);
+- else
+- ssl_data = ssl_data_new(fd, timeout, callback, cb_data);
++ ssl_data = ssl_data_new(fd, timeout, callback, cb_data);
+ 
+ if (ssl_data == NULL)
+ goto err;
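Review bot: Switching the STARTTLS path from the fixed TLSv1_client_method() to the version-flexible TLS_client_method()/SSLv23_client_method() in ssl_data_new (the first nested hunk, `@@ -485,15 +485,21 @@`) raises the ceiling but, on OpenSSL, also lowers the floor: those methods will negotiate SSLv3 too unless the context carries `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, whereas TLSv1_client_method() could not go below TLS 1.0. ssl_data_new_full, which builds the SSL_CTX, lies outside the hunk, so whether it already calls SSL_CTX_set_options with those flags cannot be confirmed here; if it does not, `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` there keeps the new negotiation from settling on an SSLv3 session. The OpenBSD build itself is presumably unaffected since LibreSSL ships without SSLv3, but the patch text mirrors upstream, which is also built against OpenSSL. A second thing worth confirming is the `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard: LibreSSL reports 0x20000000L, so the TLS_client_method() branch is the one compiled on OpenBSD, and that symbol has to exist in the LibreSSL of the target release for the patch to build there.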