Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
Hi Ken,

> I guess the core issue is that for Google servers when using TLS 1.2
> SNI isn't required, but for TLS 1.3 it is; well, let me rephrase that.
> If you negotiate TLS 1.3 you get the bogus certificate if you don't
> send a SNI. But it seems like the 'right' solution is we should be
> sending a SNI to avoid this problem?

I agree nmh should employ SNI; I was just getting Michael up and running
the simplest way possible.

--
Cheers, Ralph.

--
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
Ken Hornstein wrote:
> It looks like Debian buster is the earliest version of Debian which has
> nmh 1.7.1. And it looks like that will be officially released next week.
> If you upgraded, would that be enough for you to switch away from
> fetchmail? :-) We support XOAUTH2!

I won't upgrade, I just installed from source. I needed libcurl-dev.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
>> And geez Mike, we talked about this a lot! Wasn't a secret!
>
> I read the man page. I wonder if my man pages are coming from debian, while
> my binaries are manually installed.

It looks like Debian buster is the earliest version of Debian which has
nmh 1.7.1. And it looks like that will be officially released next week.
If you upgraded, would that be enough for you to switch away from
fetchmail? :-) We support XOAUTH2!

--Ken
Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
Ralph Corderoy wrote:
>> I have used:
>>
>> fetchmail --verbose --sslcertpath="/etc/ssl/certs" --sslcertck
>> --proto POP3 --mda "rcvstore -sequence gmail +inbox"
>> --logfile /var/tmp/gmail.log pop.gmail.com
>>
>> to get my gmail downloaded for some time now.
>
> Has your OpenSSL been upgraded recently?

Yes-ish, I'm usually running something from git.

>> It seems that fetchmail doesn't enable SNI for its TLS connection
>
> Try adding `--sslproto TLS1' to fetchmail's arguments.

That worked perfectly.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
Ken Hornstein wrote:
> And geez Mike, we talked about this a lot! Wasn't a secret!

I read the man page. I wonder if my man pages are coming from debian, while
my binaries are manually installed.

SNI === Server Name Indicator, which lets a server know which name a client
meant to connect to, and therefore, which certificate to respond to.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
>> It seems that fetchmail doesn't enable SNI for its TLS connection
>
> Try adding `--sslproto TLS1' to fetchmail's arguments.

I guess the core issue is that for Google servers when using TLS 1.2
SNI isn't required, but for TLS 1.3 it is; well, let me rephrase that.
If you negotiate TLS 1.3 you get the bogus certificate if you don't
send a SNI. But it seems like the 'right' solution is we should be
sending a SNI to avoid this problem?

--Ken
Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
Hi Michael,

> I have used:
>
> fetchmail --verbose --sslcertpath="/etc/ssl/certs" --sslcertck
> --proto POP3 --mda "rcvstore -sequence gmail +inbox"
> --logfile /var/tmp/gmail.log pop.gmail.com
>
> to get my gmail downloaded for some time now.

Has your OpenSSL been upgraded recently?

> It seems that fetchmail doesn't enable SNI for its TLS connection

Try adding `--sslproto TLS1' to fetchmail's arguments.

--
Cheers, Ralph.
Re: [nmh-workers] fetchmail and SNI (and pop.gmail.com)
> I don't think that inc has any TLS support.

You are incorrect! Supported as of 1.7 when the unified security framework
was implemented. From the NEWS file:

    - Complete unification of network security support. All network
      protocols (currently, POP and SMTP) have been refactored to use a
      common set of security routines. This means all protocols support
      all SASL mechanisms (via the Cyrus-SASL library) and TLS. TLS
      support has been strengthened to perform certificate name
      validation and to require TLS 1.1 as a minimum protocol. Also, all
      protocols can make use of the OAuth2/XOAUTH SASL mechanism, which
      is supported by Gmail.

The last may be interesting to you.

I had not heard of SNI before, but a quick test suggests to me that we
work fine with pop.gmail.com (we don't error out, at least). The
Interwebs suggest I should use a special API call to make that work and
I definitely didn't do that, but it seems to be ok?

And geez Mike, we talked about this a lot! Wasn't a secret!

--Ken
[nmh-workers] fetchmail and SNI (and pop.gmail.com)
I have used:

fetchmail --verbose --sslcertpath="/etc/ssl/certs" --sslcertck
--proto POP3 --mda "rcvstore -sequence gmail +inbox"
--logfile /var/tmp/gmail.log pop.gmail.com

to get my gmail downloaded for some time now.

It seems that fetchmail doesn't enable SNI for its TLS connection, and I
don't see any new versions of fetchmail in years.

It looks like pop.gmail.com wants SNI:

fetchmail: Trying to connect to 2607:f8b0:4001:c16::6c/995...connected.
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 90:4A:C8:D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid

[nice hack to send a message back to the user Google...]

I don't think that inc has any TLS support. (kerberos support, yes)

Maybe there are other ways to skin this cat?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
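Two things the thread circles around, as an added example that is not part of the original posts or of nmh/fetchmail: recognising the "No SNI provided" placeholder certificate in fetchmail's verbose output (the log lines below are a constructed copy of the ones quoted above), and the client-side call that actually sends SNI, which in Python's ssl module is the `server_hostname` argument to `wrap_socket` (the `diagnose_fetchmail_log` and `open_pop3s_with_sni` names are my own).

```python
import re
import socket
import ssl

# Constructed sample, modelled on the fetchmail --verbose lines quoted above.
SAMPLE_LOG = """\
fetchmail: Trying to connect to 2607:f8b0:4001:c16::6c/995...connected.
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
"""

NO_SNI_MARKER = re.compile(r"OU=No SNI provided", re.IGNORECASE)
MISMATCH = re.compile(r"Server CommonName mismatch: (\S+) != (\S+)")


def diagnose_fetchmail_log(text):
    """Classify a fetchmail verbose log.

    'no_sni' is set only when the server returned the placeholder certificate
    whose OU says "No SNI provided".  A bare CN mismatch against some other
    name is reported separately: that could be a misconfigured server or an
    interposed host, not a client bug, and must not be silenced the same way.
    """
    result = {"no_sni": False, "presented_cn": None, "expected_host": None}
    for line in text.splitlines():
        m = MISMATCH.search(line)
        if m:
            result["presented_cn"], result["expected_host"] = m.group(1), m.group(2)
        if NO_SNI_MARKER.search(line):
            result["no_sni"] = True
    return result


def open_pop3s_with_sni(host, port=995, timeout=10):
    """Open a verified POP3-over-TLS socket that sends SNI for `host`.

    server_hostname= is what makes the ssl module add the SNI extension to the
    ClientHello; the default context also checks the chain and the name.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(diagnose_fetchmail_log(SAMPLE_LOG))
```

Only the log check runs offline; `open_pop3s_with_sni("pop.gmail.com")` needs network access and returns the wrapped socket for the caller to speak POP3 over.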