Bug#981338: self signed ssl cert unusuable after upgrade

2021-02-14 Thread Sudip Mukherjee
Hi Joey,

On Sun, Feb 14, 2021 at 5:24 PM Joey Hess wrote:
>
> Sudip Mukherjee wrote:
> > I was looking into this error and this has been caused by an upstream
> > commit which is supposed to be an improvement for new users. More
> > details at 
> > https://github.com/OfflineIMAP/offlineimap3/issues/41#issuecomment-778798223.
> >
> > The attached patch should fix this.
> >
> > @Joey Hess It will be great if you test the patch and confirm if it
> > fixes your problem.
>
> It does, but only after I fixed an unrelated problem:

Yes, sorry I should have said you will face that.
It's a known issue: #981063 and #981385

And I have raised an upstream PR for this at
https://github.com/OfflineIMAP/offlineimap3/pull/51



-- 
Regards
Sudip



Bug#981338: self signed ssl cert unusuable after upgrade

2021-02-14 Thread Joey Hess
Sudip Mukherjee wrote:
> I was looking into this error and this has been caused by an upstream
> commit which is supposed to be an improvement for new users. More
> details at 
> https://github.com/OfflineIMAP/offlineimap3/issues/41#issuecomment-778798223.
> 
> The attached patch should fix this.
> 
> @Joey Hess It will be great if you test the patch and confirm if it
> fixes your problem.

It does, but only after I fixed an unrelated problem:

OfflineIMAP 7.3.0
  Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
imaplib2 v3.05, Python v3.9.1+, OpenSSL 1.1.1i  8 Dec 2020
Account sync joey:
 *** Processing account joey
 Establishing connection to kitenet.net:993 (kite)
 ERROR: While attempting to sync account 'joey'
  sequence item 2: expected str instance, bytes found
 *** Finished account 'joey' in 0:03
ERROR: Exceptions occurred during the run!
ERROR: While attempting to sync account 'joey'
  sequence item 2: expected str instance, bytes found

Traceback:
  File "/usr/share/offlineimap3/offlineimap/accounts.py", line 298, in syncrunner
    self.__sync()
  File "/usr/share/offlineimap3/offlineimap/accounts.py", line 374, in __sync
    remoterepos.getfolders()
  File "/usr/share/offlineimap3/offlineimap/repository/IMAP.py", line 646, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 592, in acquireconnection
    self.__authn_helper(imapobj)
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 449, in __authn_helper
    if func(imapobj):
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 375, in __authn_plain
    imapobj.authenticate('PLAIN', self.__plainhandler)
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 691, in authenticate
    typ, dat = self._simple_command('AUTHENTICATE', mechanism.upper())
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 1684, in _simple_command
    return self._command_complete(self._command(name, *args), kw)
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 1404, in _command
    literal = literator(data, rqb)
  File "/usr/lib/python3/dist-packages/imaplib2.py", line 2247, in process
    ret = self.mech(self.decode(data))
  File "/usr/share/offlineimap3/offlineimap/imapserver.py", line 217, in __plainhandler
    retval = NULL.join((authz, authc, passwd))

Which seems to be caused by remotepassfile being set, pointing at a file
that contained a password in plain text. I unset that and it prompted
for the password and worked.

(Also I remember seeing this "expected str instance" failure before,
when I was trying lots of config file changes to work around the ssl cert
problem, so one of those changes must have worked at the time. I don't 
remember what change it was.)

-- 
see shy jo




Bug#981338: self signed ssl cert unusuable after upgrade

2021-02-14 Thread Sudip Mukherjee
I was looking into this error and this has been caused by an upstream
commit which is supposed to be an improvement for new users. More
details at 
https://github.com/OfflineIMAP/offlineimap3/issues/41#issuecomment-778798223.

The attached patch should fix this.

@Joey Hess It will be great if you test the patch and confirm if it
fixes your problem.


-- 
Regards
Sudip
From df8565493613128fbc0ad2e9cbf476d4481853c1 Mon Sep 17 00:00:00 2001
From: Sudip Mukherjee 
Date: Sun, 14 Feb 2021 16:22:30 +
Subject: [PATCH] Revert "Use system sslcacertfile by default"

This reverts commit a4863b2f04adf25b9989bafbb9df21ea8b98a674.
---
 offlineimap/repository/IMAP.py | 19 +++
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/offlineimap/repository/IMAP.py b/offlineimap/repository/IMAP.py
index 56ebe74..06d77ab 100644
--- a/offlineimap/repository/IMAP.py
+++ b/offlineimap/repository/IMAP.py
@@ -296,15 +296,13 @@ class IMAPRepository(BaseRepository):
 def getsslcacertfile(self):
 """Determines CA bundle.
 
-Returns path to the CA bundle.  It is explicitely specified or
-requested via "OS-DEFAULT" value (and we will search known
-locations for the current OS and distribution). If it is not
-specified, we will search it in the known locations.
+Returns path to the CA bundle.  It is either explicitely specified
+or requested via "OS-DEFAULT" value (and we will search known
+locations for the current OS and distribution).
 
-If search route, via "OS-DEFAULT" or because is not specified,
-yields nothing, we will throw an exception to make our callers
-distinguish between not specified value and non-existent
-default CA bundle.
+If search via "OS-DEFAULT" route yields nothing, we will throw an
+exception to make our callers distinguish between not specified
+value and non-existent default CA bundle.
 
 It is also an error to specify non-existent file via configuration:
 it will error out later, but, perhaps, with less verbose explanation,
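Review bot: In the restored docstring, the paragraph ending "distinguish between not specified value and non-existent default CA bundle" never says what the method returns when sslcacertfile is not specified, which is the case this revert changes. Suggest adding one sentence that states the return value for an unset option, and correcting "explicitely" to "explicitly" in the first added line while the text is being touched.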
@@ -315,10 +313,7 @@ class IMAPRepository(BaseRepository):
 xforms = [os.path.expanduser, os.path.expandvars, os.path.abspath]
 cacertfile = self.getconf_xform('sslcacertfile', xforms, None)
 # Can't use above cacertfile because of abspath.
-conf_sslacertfile = self.getconf('sslcacertfile', None)
-if conf_sslacertfile == "OS-DEFAULT" or \
-conf_sslacertfile is None or \
-conf_sslacertfile == '':
+if self.getconf('sslcacertfile', None) == "OS-DEFAULT":
 cacertfile = get_os_sslcertfile()
 if cacertfile is None:
 searchpath = get_os_sslcertfile_searchpath()
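Review bot: The new condition, self.getconf('sslcacertfile', None) == "OS-DEFAULT", no longer catches an empty "sslcacertfile =" value, which the removed conf_sslacertfile == '' branch did. If getconf_xform applies the xforms from the context line above to an empty string, os.path.abspath turns it into the current working directory and that path ends up in cacertfile. Suggest treating an empty value as unset before the xforms run. The commit message gives only the reverted hash; a line on why the default lookup is being dropped would help anyone reading the history later.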
-- 
2.30.0



Bug#981338: self signed ssl cert unusuable after upgrade

2021-02-01 Thread Sudip Mukherjee
Hi Joey,

On Mon, Feb 1, 2021 at 5:23 PM Joey Hess wrote:
>
> Sudip Mukherjee wrote:
> > I have also faced the same issue while trying to debug another issue and
> > this happens when 'cert_fingerprint' is used. I had to use 'sslcacertfile'
> > in my setup.
> > Anyways, this has been reported upstream already at 
> > 'https://github.com/OfflineIMAP/offlineimap3/issues/41'.
>
> Thanks for finding the upstream bug report.
>
> I did try setting sslcacertfile before, and was not able to get it to
> work. However, I also can't get it to work with the older version of
> offlineimap, so either there must be something about my cert chain that
> doesn't work with that, or perhaps I was putting the wrong thing in the
> file.

I checked your certificate at 'kitenet.net' imaps, it has:
subject=O = Dovecot mail server, OU = localhost, CN = localhost,
emailAddress = root@debian

The CN should have been 'kitenet.net' and that is the reason
offlineimap is failing to verify the certificate.


-- 
Regards
Sudip
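
Added example, not part of the thread and not OfflineIMAP's own code: how a client can treat the two settings discussed here. With a CA file, OpenSSL validates both the chain and the host name; with only a fingerprint, OpenSSL validates nothing and the client compares a digest of the peer certificate itself. Inferring the digest from the pin length (a 40-hex-digit pin has the length of a SHA-1 digest), refusing to connect with neither setting, and the names SAMPLE_DER and SAMPLE_PIN are assumptions of this example.

```python
import hashlib
import hmac
import ssl

# Assumption of this example: the digest is inferred from the pin's hex length.
DIGEST_BY_HEXLEN = {40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed sample data: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_PIN = hashlib.sha1(SAMPLE_DER).hexdigest()


def fingerprint_matches(der_cert: bytes, configured: str) -> bool:
    """True if the DER certificate matches any pin in a comma-separated list."""
    for pin in configured.split(","):
        pin = pin.strip().replace(":", "").lower()
        algo = DIGEST_BY_HEXLEN.get(len(pin))
        if algo is None:
            continue  # wrong length: can never match
        actual = hashlib.new(algo, der_cert).hexdigest()
        if hmac.compare_digest(actual.encode(), pin.encode()):
            return True
    return False


def build_context(sslcacertfile=None, cert_fingerprint=None) -> ssl.SSLContext:
    """Choose the TLS verification mode from the two settings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if sslcacertfile:
        # CA mode keeps the PROTOCOL_TLS_CLIENT defaults (CERT_REQUIRED plus
        # check_hostname): a cert issued for CN=localhost fails the name
        # check for any other remotehost.
        ctx.load_verify_locations(cafile=sslcacertfile)
    elif cert_fingerprint:
        # Pin mode: OpenSSL verifies nothing, so the caller must run
        # fingerprint_matches(sock.getpeercert(binary_form=True), pin)
        # after the handshake and before sending any credentials.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError("neither sslcacertfile nor cert_fingerprint is set")
    return ctx
```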



Bug#981338: self signed ssl cert unusuable after upgrade

2021-02-01 Thread Joey Hess
Sudip Mukherjee wrote:
> I have also faced the same issue while trying to debug another issue and
> this happens when 'cert_fingerprint' is used. I had to use 'sslcacertfile'
> in my setup.
> Anyways, this has been reported upstream already at 
> 'https://github.com/OfflineIMAP/offlineimap3/issues/41'.

Thanks for finding the upstream bug report.

I did try setting sslcacertfile before, and was not able to get it to
work. However, I also can't get it to work with the older version of
offlineimap, so either there must be something about my cert chain that
doesn't work with that, or perhaps I was putting the wrong thing in the
file.

-- 
see shy jo




Bug#981338: self signed ssl cert unusuable after upgrade

2021-01-31 Thread Sudip Mukherjee
Hi Joey,

On Fri, Jan 29, 2021 at 11:05:28AM -0400, Joey Hess wrote:
> Package: offlineimap
> Version: 7.3.3+dfsg1-1+0.0~git20210105.00d395b+dfsg-2
> Severity: normal
> 
> ERROR: Exceptions occurred during the run!
> ERROR: Unknown SSL protocol connecting to host 'kitenet.net' for repository 'kite'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1123)
> 
> I was using offlineimap 7.3.3+dfsg1-1 and this cert was working fine.
> It is not expired and the server has not changed.
> 
> I have tried all available ssl configuration settings to try to work
> around the problem, but nothing seems to work. What I was using before,
> which works with the old version, is:
> 
> type = IMAP
> ssl = yes
> remotehost = kitenet.net
> remoteuser = joey
> cert_fingerprint = a8bda27c49ba6390e477960014caa672e2beb01d

I have also faced the same issue while trying to debug another issue and
this happens when 'cert_fingerprint' is used. I had to use 'sslcacertfile'
in my setup.
Anyways, this has been reported upstream already at 
'https://github.com/OfflineIMAP/offlineimap3/issues/41'.


--
Regards
Sudip



Bug#981338: self signed ssl cert unusuable after upgrade

2021-01-29 Thread Joey Hess
Package: offlineimap
Version: 7.3.3+dfsg1-1+0.0~git20210105.00d395b+dfsg-2
Severity: normal

ERROR: Exceptions occurred during the run!
ERROR: Unknown SSL protocol connecting to host 'kitenet.net' for repository 'kite'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1123)

I was using offlineimap 7.3.3+dfsg1-1 and this cert was working fine.
It is not expired and the server has not changed.

I have tried all available ssl configuration settings to try to work
around the problem, but nothing seems to work. What I was using before,
which works with the old version, is:

type = IMAP
ssl = yes
remotehost = kitenet.net
remoteuser = joey
cert_fingerprint = a8bda27c49ba6390e477960014caa672e2beb01d

Of course, the server could be changed to use a Let's Encrypt ssl cert
instead of the old self-signed cert, but I'm currently unable to access
and fix all the users' devices that would need to be tweaked to work
with a new cert. I've currently downgraded offlineimap, but hope there's
some solution that makes self-signed ssl certs work again.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages offlineimap depends on:
ii  offlineimap3  0.0~git20210105.00d395b+dfsg-2

offlineimap recommends no packages.

offlineimap suggests no packages.

-- no debconf information

-- 
see shy jo

