Bug#981338: self signed ssl cert unusable after upgrade
Hi Joey,

On Sun, Feb 14, 2021 at 5:24 PM Joey Hess wrote:
>
> Sudip Mukherjee wrote:
> > I was looking into this error and this has been caused by an upstream
> > commit which is supposed to be an improvement for new users. More
> > details at
> > https://github.com/OfflineIMAP/offlineimap3/issues/41#issuecomment-778798223.
> >
> > The attached patch should fix this.
> >
> > @Joey Hess It will be great if you test the patch and confirm if it
> > fixes your problem.
>
> It does, but only after I fixed an unrelated problem:

Yes, sorry, I should have said you will face that. It's a known issue:
#981063 and #981385. And I have raised an upstream PR for this at
https://github.com/OfflineIMAP/offlineimap3/pull/51

--
Regards
Sudip
Bug#981338: self signed ssl cert unusable after upgrade
Sudip Mukherjee wrote:
> I was looking into this error and this has been caused by an upstream
> commit which is supposed to be an improvement for new users. More
> details at
> https://github.com/OfflineIMAP/offlineimap3/issues/41#issuecomment-778798223.
>
> The attached patch should fix this.
>
> @Joey Hess It will be great if you test the patch and confirm if it
> fixes your problem.

It does, but only after I fixed an unrelated problem:

OfflineIMAP 7.3.0
  Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
imaplib2 v3.05, Python v3.9.1+, OpenSSL 1.1.1i  8 Dec 2020
Account sync joey:
 *** Processing account joey
 Establishing connection to kitenet.net:993 (kite)
ERROR: While attempting to sync account 'joey'
  sequence item 2: expected str instance, bytes found
 *** Finished account 'joey' in 0:03
ERROR: Exceptions occurred during the run!
ERROR: While attempting to sync account 'joey'
  sequence item 2: expected str instance, bytes found

Traceback:
  File "/usr/share/offlineimap3/offlineimap/accounts.py", line 298, in syncrunner
    self.__sync()
  File "/usr/share/offlineimap3/offlineimap/accounts.py", line 374, in __sync
    remoterepos.getfolders()
  File "/usr/share/offlineimap3/offlineimap/repository/IMAP.py", line 646, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 592, in acquireconnection
    self.__authn_helper(imapobj)
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 449, in __authn_helper
    if func(imapobj):
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 375, in __authn_plain
    imapobj.authenticate('PLAIN', self.__plainhandler)
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 691, in authenticate
    typ, dat = self._simple_command('AUTHENTICATE', mechanism.upper())
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 1684, in _simple_command
    return self._command_complete(self._command(name, *args), kw)
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 1404, in _command
    literal = literator(data, rqb)
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 2247, in process
    ret = self.mech(self.decode(data))
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 217, in __plainhandler
    retval = NULL.join((authz, authc, passwd))

Which seems to be caused by remotepassfile being set, pointing at a file
that contained a password in plain text. I unset that and it prompted
for the password and worked.

(Also I remember seeing this "expected str instance" failure before,
when I was trying lots of config file changes to work around the ssl
cert problem, so one of those changes must have worked at the time.
I don't remember what change it was.)

--
see shy jo
Bug#981338: self signed ssl cert unusable after upgrade
I was looking into this error and this has been caused by an upstream
commit which is supposed to be an improvement for new users. More
details at
https://github.com/OfflineIMAP/offlineimap3/issues/41#issuecomment-778798223.

The attached patch should fix this.

@Joey Hess It will be great if you test the patch and confirm if it
fixes your problem.

--
Regards
Sudip

From df8565493613128fbc0ad2e9cbf476d4481853c1 Mon Sep 17 00:00:00 2001
From: Sudip Mukherjee
Date: Sun, 14 Feb 2021 16:22:30 +
Subject: [PATCH] Revert "Use system sslcacertfile by default"

This reverts commit a4863b2f04adf25b9989bafbb9df21ea8b98a674.
---
 offlineimap/repository/IMAP.py | 19 +++
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/offlineimap/repository/IMAP.py b/offlineimap/repository/IMAP.py
index 56ebe74..06d77ab 100644
--- a/offlineimap/repository/IMAP.py
+++ b/offlineimap/repository/IMAP.py
@@ -296,15 +296,13 @@ class IMAPRepository(BaseRepository): def getsslcacertfile(self): """Determines CA bundle. -Returns path to the CA bundle. It is explicitely specified or -requested via "OS-DEFAULT" value (and we will search known -locations for the current OS and distribution). If it is not -specified, we will search it in the known locations. +Returns path to the CA bundle. It is either explicitely specified +or requested via "OS-DEFAULT" value (and we will search known +locations for the current OS and distribution). -If search route, via "OS-DEFAULT" or because is not specified, -yields nothing, we will throw an exception to make our callers -distinguish between not specified value and non-existent -default CA bundle. +If search via "OS-DEFAULT" route yields nothing, we will throw an +exception to make our callers distinguish between not specified +value and non-existent default CA bundle. It is also an error to specify non-existent file via configuration: it will error out later, but, perhaps, with less verbose explanation,
@@ -315,10 +313,7 @@ class IMAPRepository(BaseRepository): xforms = [os.path.expanduser, os.path.expandvars, os.path.abspath] cacertfile = self.getconf_xform('sslcacertfile', xforms, None) # Can't use above cacertfile because of abspath. -conf_sslacertfile = self.getconf('sslcacertfile', None) -if conf_sslacertfile == "OS-DEFAULT" or \ -conf_sslacertfile is None or \ -conf_sslacertfile == '': +if self.getconf('sslcacertfile', None) == "OS-DEFAULT": cacertfile = get_os_sslcertfile() if cacertfile is None: searchpath = get_os_sslcertfile_searchpath() -- 2.30.0
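Review bot: the commit message says only "This reverts commit a4863b2f...", with no rationale, so state why in the message: the second hunk shows the reverted change treated an unset or empty sslcacertfile the same as "OS-DEFAULT" (the removed `conf_sslacertfile is None or conf_sslacertfile == ''` branch), which per this thread is what broke setups that rely on cert_fingerprint alone; the revert narrows the condition back to `if self.getconf('sslcacertfile', None) == "OS-DEFAULT":`. Reference Bug#981338 and upstream issue 41 there. Note that a full revert also drops the system-CA default for users who set neither option, not just for those using cert_fingerprint; a narrower fix that keeps the OS default but skips it when cert_fingerprint is configured would preserve the upstream improvement, so the message should say why the full revert was chosen. The restored docstring keeps the pre-existing "explicitely" typo; fixing it would be a separate change.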
Bug#981338: self signed ssl cert unusable after upgrade
Hi Joey,

On Mon, Feb 1, 2021 at 5:23 PM Joey Hess wrote:
>
> Sudip Mukherjee wrote:
> > I have also faced the same issue while trying to debug another issue and
> > this happens when 'cert_fingerprint' is used. I had to use 'sslcacertfile'
> > in my setup.
> > Anyways, this has been reported upstream already at
> > 'https://github.com/OfflineIMAP/offlineimap3/issues/41'.
>
> Thanks for finding the upstream bug report.
>
> I did try setting sslcacertfile before, and was not able to get it to
> work. However, I also can't get it to work with the older version of
> offlineimap, so either there must be something about my cert chain that
> doesn't work with that, or perhaps I was putting the wrong thing in the
> file.

I checked your certificate at 'kitenet.net' imaps, it has:

subject=O = Dovecot mail server, OU = localhost, CN = localhost, emailAddress = root@debian

The CN should have been 'kitenet.net' and that is the reason offlineimap
is failing to verify the certificate.

--
Regards
Sudip
Bug#981338: self signed ssl cert unusable after upgrade
Sudip Mukherjee wrote:
> I have also faced the same issue while trying to debug another issue and
> this happens when 'cert_fingerprint' is used. I had to use 'sslcacertfile'
> in my setup.
> Anyways, this has been reported upstream already at
> 'https://github.com/OfflineIMAP/offlineimap3/issues/41'.

Thanks for finding the upstream bug report.

I did try setting sslcacertfile before, and was not able to get it to
work. However, I also can't get it to work with the older version of
offlineimap, so either there must be something about my cert chain that
doesn't work with that, or perhaps I was putting the wrong thing in the
file.

--
see shy jo
Bug#981338: self signed ssl cert unusable after upgrade
Hi Joey,

On Fri, Jan 29, 2021 at 11:05:28AM -0400, Joey Hess wrote:
> Package: offlineimap
> Version: 7.3.3+dfsg1-1+0.0~git20210105.00d395b+dfsg-2
> Severity: normal
>
> ERROR: Exceptions occurred during the run!
> ERROR: Unknown SSL protocol connecting to host 'kitenet.net' for repository
> 'kite'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed
> certificate (_ssl.c:1123)
>
> I was using offlineimap 7.3.3+dfsg1-1 and this cert was working fine.
> It is not expired and the server has not changed.
>
> I have tried all available ssl configuration settings to try to work
> around the problem, but nothing seems to work. What I was using before,
> which works with the old version, is:
>
> type = IMAP
> ssl = yes
> remotehost = kitenet.net
> remoteuser = joey
> cert_fingerprint = a8bda27c49ba6390e477960014caa672e2beb01d

I have also faced the same issue while trying to debug another issue and
this happens when 'cert_fingerprint' is used. I had to use 'sslcacertfile'
in my setup.
Anyways, this has been reported upstream already at
'https://github.com/OfflineIMAP/offlineimap3/issues/41'.

--
Regards
Sudip
Bug#981338: self signed ssl cert unusable after upgrade
Package: offlineimap
Version: 7.3.3+dfsg1-1+0.0~git20210105.00d395b+dfsg-2
Severity: normal

ERROR: Exceptions occurred during the run!
ERROR: Unknown SSL protocol connecting to host 'kitenet.net' for repository
'kite'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed
certificate (_ssl.c:1123)

I was using offlineimap 7.3.3+dfsg1-1 and this cert was working fine.
It is not expired and the server has not changed.

I have tried all available ssl configuration settings to try to work
around the problem, but nothing seems to work. What I was using before,
which works with the old version, is:

type = IMAP
ssl = yes
remotehost = kitenet.net
remoteuser = joey
cert_fingerprint = a8bda27c49ba6390e477960014caa672e2beb01d

Of course, the server could be changed to use a Let's Encrypt ssl cert
instead of the old self-signed cert, but I'm currently unable to access
and fix all the users' devices that would need to be tweaked to work
with a new cert.

I've currently downgraded offlineimap, but hope there's some solution
that makes self-signed ssl certs work again.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages offlineimap depends on:
ii  offlineimap3  0.0~git20210105.00d395b+dfsg-2

offlineimap recommends no packages.

offlineimap suggests no packages.

-- no debconf information

--
see shy jo
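The two messages in this thread that explain the failure are the original report (a self-signed cert accepted only via cert_fingerprint) and Sudip's later finding that the certificate's subject is CN=localhost rather than kitenet.net. The script below is an added example, not offlineimap's code, that models both checking modes side by side: SHA-1 pinning of the DER certificate, where the pin alone decides trust and the CN is irrelevant, versus CA-chain plus hostname verification, where CN=localhost can never match kitenet.net. It operates on the dict layout that Python's ssl.SSLSocket.getpeercert() returns, so it runs offline: KITENET_CERT is a constructed dict reproducing the subject Sudip quoted, KITENET_DER is a constructed placeholder rather than a real certificate, and chain_trusted stands in for the CA verification result. The hostname matching is a simplified RFC 6125 rule (SAN dNSName preferred, CN only as fallback, a single left-most wildcard label) and is not offlineimap's own implementation.

```python
"""Pinning versus CA/hostname verification, modelled on getpeercert() dicts.

Added example, not offlineimap's code. Sample data is constructed; the DER
bytes are a placeholder, not a real certificate.
"""
import hashlib
import hmac

# Constructed: the subject Sudip observed on the kitenet.net IMAPS cert,
# in getpeercert() layout. No subjectAltName, CN=localhost.
KITENET_CERT = {
    "subject": (
        (("organizationName", "Dovecot mail server"),),
        (("organizationalUnitName", "localhost"),),
        (("commonName", "localhost"),),
        (("emailAddress", "root@debian"),),
    ),
}
# Constructed placeholder standing in for the certificate's DER encoding.
KITENET_DER = b"constructed placeholder, not a real DER certificate"


def sha1_fingerprint(cert_der: bytes) -> str:
    """Lower-case hex SHA-1 of the DER bytes, the form cert_fingerprint takes."""
    return hashlib.sha1(cert_der).hexdigest()


def fingerprint_matches(cert_der: bytes, expected: str) -> bool:
    """Compare a pin ('aa:bb:..' or bare hex, any case) in constant time."""
    wanted = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(sha1_fingerprint(cert_der), wanted)


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or one leading '*.' wildcard covering exactly one label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def certificate_names(cert: dict) -> list:
    """dNSName SANs when present; otherwise the CN as a legacy fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(_dns_name_matches(n.lower().rstrip("."), host)
               for n in certificate_names(cert))


def verify_peer(cert: dict, cert_der: bytes, hostname: str, *,
                chain_trusted: bool, cert_fingerprint: str = None) -> tuple:
    """Return (accepted, reason) for the peer certificate.

    Pinning mode: the pinned SHA-1 is the whole trust decision, so a
    self-signed cert with a wrong CN is accepted when the pin matches.
    CA mode: the chain must verify against the CA bundle AND the hostname
    must match, which is exactly where CN=localhost fails for kitenet.net.
    """
    if cert_fingerprint is not None:
        if fingerprint_matches(cert_der, cert_fingerprint):
            return True, "pinned fingerprint matches"
        return False, "pinned fingerprint mismatch"
    if not chain_trusted:
        return False, "certificate verify failed: chain not trusted"
    if not hostname_matches(cert, hostname):
        return False, "hostname %r does not match %s" % (hostname, certificate_names(cert))
    return True, "CA chain and hostname verified"


if __name__ == "__main__":
    pin = sha1_fingerprint(KITENET_DER)
    # Self-signed, no pin: rejected at the chain step (the reporter's error).
    print(verify_peer(KITENET_CERT, KITENET_DER, "kitenet.net", chain_trusted=False))
    # Even with the chain trusted via sslcacertfile, CN=localhost still fails.
    print(verify_peer(KITENET_CERT, KITENET_DER, "kitenet.net", chain_trusted=True))
    # Pinning accepts it regardless of chain or CN.
    print(verify_peer(KITENET_CERT, KITENET_DER, "kitenet.net",
                      chain_trusted=False, cert_fingerprint=pin))
```

The second call is the case Joey hit when trying sslcacertfile with both versions: even a trusted chain does not rescue a certificate whose only name is localhost, so either the server cert needs a matching CN or SAN, or the client has to keep pinning by fingerprint.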