Enable TLS > 1.0 in libetpan

2016-04-18 Thread Vincent Gross
Some people may have witnessed my struggle of the past few days to
connect claws-mail to my mail server. Long story short: the server only
accepts TLS 1.2, while claws-mail only ever offers TLS 1.0.

The culprit is libetpan 1.6, which builds its STARTTLS client context
with TLSv1_client_method(), a method that is pinned to TLS 1.0 and can
never negotiate anything newer. The diff below fixes the issue: with it
applied, claws-mail happily synchronized my IMAP folders.

Ok ?

---

$OpenBSD$
--- src/data-types/mailstream_ssl.c.origMon Apr 18 23:45:10 2016
+++ src/data-types/mailstream_ssl.c Mon Apr 18 23:45:32 2016
@@ -491,7 +491,7 @@ static struct mailstream_ssl_data * ssl_data_new(int f
 static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout,
   void (* callback)(struct mailstream_ssl_context * ssl_context, void * 
cb_data), void * cb_data)
 {
-  return ssl_data_new_full(fd, timeout, TLSv1_client_method(), callback, 
cb_data);
+  return ssl_data_new_full(fd, timeout, TLS_client_method(), callback, 
cb_data);
 }
 
 #else
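Review bot: The unconditional TLS_client_method() in tls_data_new() only exists in OpenSSL 1.1.0 and in LibreSSL, so this hunk will not link against OpenSSL 1.0.x, whose version-flexible equivalent is SSLv23_client_method(); it works here because OpenBSD builds against LibreSSL. Note also that the change moves the STARTTLS path from a method fixed to exactly TLS 1.0 to one that negotiates whatever range the context permits, so the effective minimum version now depends on the options ssl_data_new_full() sets on the SSL_CTX, which is outside this hunk; it is worth confirming that it disables SSLv3 (`SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, or a minimum-version setting on libraries that offer one) rather than relying on the library default. A one-line comment on the call, such as `/* version-flexible: negotiates the highest TLS version both sides support; floor is set by the ctx options */`, would make the intent clear to the next reader.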



Re: Enable TLS > 1.0 in libetpan

2016-04-18 Thread Stuart Henderson
On 2016/04/19 07:54, Vincent Gross wrote:
> Some people may have witnessed my struggle of the past few days to
> connect claws-mail to my mail server. Long story short : server only
> accepts TLS 1.2, claws-mail connects with TLS 1.0.
> 
> The culprit here is libetpan v1.6, which calls TLSv1_client_method()
> before the TLS handshake. The diff below fixes the issue, claws-mail
> happily synchronized my imap folders when applied.
> 
> Ok ?

Would you mind using the diff that was committed upstream instead? It
makes it a little easier for future updates (i.e. when they have a new
release) if the patches are the same.

https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch

Needs a REVISION bump too.



Re: Enable TLS > 1.0 in libetpan

2016-04-19 Thread Daniel Jakots
On Tue, 19 Apr 2016 07:45:27 +0100, Stuart Henderson
 wrote:

> On 2016/04/19 07:54, Vincent Gross wrote:
> > Some people may have witnessed my struggle of the past few days to
> > connect claws-mail to my mail server. Long story short : server only
> > accepts TLS 1.2, claws-mail connects with TLS 1.0.
> > 
> > The culprit here is libetpan v1.6, which calls TLSv1_client_method()
> > before the TLS handshake. The diff below fixes the issue, claws-mail
> > happily synchronized my imap folders when applied.
> > 
> > Ok ?  
> 
> Would you mind using the diff that was committed upstream instead? It
> makes it a little easier for future updates (i.e. when they have a new
> release) if the patches are the same.
> 
> https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch
> 
> Needs a REVISION bump too.
> 

claws-mail-wise, it's ok

here's the diff I used. Vincent, does it fix your problem?

Index: Makefile
===
RCS file: /cvs/ports/mail/libetpan/Makefile,v
retrieving revision 1.19
diff -u -p -r1.19 Makefile
--- Makefile11 Mar 2016 19:59:15 -  1.19
+++ Makefile19 Apr 2016 12:11:32 -
@@ -6,7 +6,7 @@ GH_ACCOUNT= dinhviethoa
 GH_PROJECT=libetpan
 GH_TAGNAME=1.6
 DISTNAME=  libetpan-1.6
-REVISION=  0
+REVISION=  1
 CATEGORIES=mail devel
 
 SHARED_LIBS=   etpan   15.0
Index: patches/patch-src_data-types_mailstream_ssl_c
===
RCS file: patches/patch-src_data-types_mailstream_ssl_c
diff -N patches/patch-src_data-types_mailstream_ssl_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_data-types_mailstream_ssl_c   19 Apr 2016 12:11:32 
-
@@ -0,0 +1,66 @@
+$OpenBSD$
+
+When encrypting the connection with STARTTLS the only method
+allowed was TLSv1. Change this to allow TLSv1.2 (or whatever the
+strongest method is).
+
+Additionally tls_data_new() and ssl_data_new() did the same (with
+exception to the nailed method in tls_data_new()), so drop one
+of them.
+https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch
+
+--- src/data-types/mailstream_ssl.c.orig   Tue Apr 19 14:04:46 2016
 src/data-types/mailstream_ssl.cTue Apr 19 14:03:25 2016
+@@ -485,15 +485,21 @@ again:
+ static struct mailstream_ssl_data * ssl_data_new(int fd, time_t timeout,
+   void (* callback)(struct mailstream_ssl_context * ssl_context, void * 
cb_data), void * cb_data)
+ {
+-  return ssl_data_new_full(fd, timeout, SSLv23_client_method(), callback, 
cb_data);
++  return ssl_data_new_full(fd, timeout,
++#if (OPENSSL_VERSION_NUMBER >= 0x1010L)
++  TLS_client_method(),
++#else
++  /* Despite their name the SSLv23_*method() functions have nothing to do
++   * with the availability of SSLv2 or SSLv3. What these functions do is
++   * negotiate with the peer the highest available SSL/TLS protocol 
version
++   * available. The name is as it is for historic reasons. This is a very
++   * common confusion and is the main reason why these names have been
++   * deprecated in the latest dev version of OpenSSL. */
++  SSLv23_client_method(),
++#endif
++  callback, cb_data);
+ }
+ 
+-static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout,
+-  void (* callback)(struct mailstream_ssl_context * ssl_context, void * 
cb_data), void * cb_data)
+-{
+-  return ssl_data_new_full(fd, timeout, TLSv1_client_method(), callback, 
cb_data);
+-}
+-
+ #else
+ 
+ static struct mailstream_ssl_context * 
mailstream_ssl_context_new(gnutls_session session, int fd);
+@@ -625,11 +631,6 @@ static struct mailstream_ssl_data * ssl_data_new(int f
+  err:
+   return NULL;
+ }
+-static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout,
+-  void (* callback)(struct mailstream_ssl_context * ssl_context, void * 
cb_data), void * cb_data)
+-{
+-  return ssl_data_new(fd, timeout, callback, cb_data);
+-}
+ #endif
+ 
+ static void  ssl_data_free(struct mailstream_ssl_data * ssl_data)
+@@ -681,10 +682,7 @@ static mailstream_low * mailstream_low_ssl_open_full(i
+   mailstream_low * s;
+   struct mailstream_ssl_data * ssl_data;
+ 
+-  if (starttls)
+-ssl_data = tls_data_new(fd, timeout, callback, cb_data);
+-  else
+-ssl_data = ssl_data_new(fd, timeout, callback, cb_data);
++  ssl_data = ssl_data_new(fd, timeout, callback, cb_data);
+ 
+   if (ssl_data == NULL)
+ goto err;
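Review bot: The guard `#if (OPENSSL_VERSION_NUMBER >= 0x1010L)` in ssl_data_new() does not test what its comment implies: OpenSSL encodes 1.1.0 as 0x10100000L, and 0x1010L is so small that every OpenSSL release ever shipped satisfies it, so the `#else` branch with SSLv23_client_method() is dead code and builds against OpenSSL 1.0.x fail on the undeclared TLS_client_method(). The intended check is `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)`; LibreSSL reports 0x20000000L and, as the first diff in this thread showed, provides TLS_client_method(), so the port is unaffected either way, but the patch is being carried verbatim from upstream and this is worth fixing (or reporting) there too. Separately, merging tls_data_new() into ssl_data_new() moves STARTTLS from a method fixed to TLS 1.0 to a version-flexible one, so the lowest version the STARTTLS path will now accept is whatever options ssl_data_new_full() sets on the context, which is outside this hunk; with OpenSSL 1.0.x that can include SSLv3 unless `SSL_OP_NO_SSLv3` is set, so please confirm it is. Finally, `starttls` is no longer read in the visible lines of mailstream_low_ssl_open_full(), whose body continues outside the hunk; if it is unused elsewhere it should be marked or dropped to avoid an unused-parameter warning.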



Re: Enable TLS > 1.0 in libetpan

2016-04-19 Thread Vincent Gross
On Tue, 19 Apr 2016 15:02:46 +0200
Daniel Jakots  wrote:

> On Tue, 19 Apr 2016 07:45:27 +0100, Stuart Henderson
>  wrote:
> 
> > On 2016/04/19 07:54, Vincent Gross wrote:  
> > > Some people may have witnessed my struggle of the past few days to
> > > connect claws-mail to my mail server. Long story short : server
> > > only accepts TLS 1.2, claws-mail connects with TLS 1.0.
> > > 
> > > The culprit here is libetpan v1.6, which calls
> > > TLSv1_client_method() before the TLS handshake. The diff below
> > > fixes the issue, claws-mail happily synchronized my imap folders
> > > when applied.
> > > 
> > > Ok ?
> > 
> > Would you mind using the diff that was committed upstream instead?
> > It makes it a little easier for future updates (i.e. when they have
> > a new release) if the patches are the same.
> > 
> > https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch
> > 
> > Needs a REVISION bump too.
> >   
> 
> claws-mail-wise, it's ok
> 
> here's the diff I used. Vincent, does it fix your problem?


Yes, I just rebuilt libetpan with this diff and claws-mail runs
smoothly :) — put it in!

> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/mail/libetpan/Makefile,v
> retrieving revision 1.19
> diff -u -p -r1.19 Makefile
> --- Makefile  11 Mar 2016 19:59:15 -  1.19
> +++ Makefile  19 Apr 2016 12:11:32 -
> @@ -6,7 +6,7 @@ GH_ACCOUNT=   dinhviethoa
>  GH_PROJECT=  libetpan
>  GH_TAGNAME=  1.6
>  DISTNAME=libetpan-1.6
> -REVISION=0
> +REVISION=1
>  CATEGORIES=  mail devel
>  
>  SHARED_LIBS= etpan   15.0
> Index: patches/patch-src_data-types_mailstream_ssl_c
> ===
> RCS file: patches/patch-src_data-types_mailstream_ssl_c
> diff -N patches/patch-src_data-types_mailstream_ssl_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_data-types_mailstream_ssl_c 19 Apr 2016
> 12:11:32 - @@ -0,0 +1,66 @@
> +$OpenBSD$
> +
> +When encrypting the connection with STARTTLS the only method
> +allowed was TLSv1. Change this to allow TLSv1.2 (or whatever the
> +strongest method is).
> +
> +Additionally tls_data_new() and ssl_data_new() did the same (with
> +exception to the nailed method in tls_data_new()), so drop one
> +of them.
> +https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch
> +
> +--- src/data-types/mailstream_ssl.c.orig Tue Apr 19 14:04:46
> 2016  src/data-types/mailstream_ssl.c Tue Apr 19 14:03:25
> 2016 +@@ -485,15 +485,21 @@ again:
> + static struct mailstream_ssl_data * ssl_data_new(int fd, time_t
> timeout,
> + void (* callback)(struct mailstream_ssl_context *
> ssl_context, void * cb_data), void * cb_data)
> + {
> +-  return ssl_data_new_full(fd, timeout, SSLv23_client_method(),
> callback, cb_data); ++  return ssl_data_new_full(fd, timeout,
> ++#if (OPENSSL_VERSION_NUMBER >= 0x1010L)
> ++TLS_client_method(),
> ++#else
> ++/* Despite their name the SSLv23_*method() functions have
> nothing to do ++   * with the availability of SSLv2 or SSLv3.
> What these functions do is ++  * negotiate with the peer the
> highest available SSL/TLS protocol version ++  * available.
> The name is as it is for historic reasons. This is a very ++
> * common confusion and is the main reason why these names have been
> ++ * deprecated in the latest dev version of OpenSSL. */
> ++SSLv23_client_method(), ++#endif
> ++callback, cb_data);
> + }
> + 
> +-static struct mailstream_ssl_data * tls_data_new(int fd, time_t
> timeout, +-  void (* callback)(struct mailstream_ssl_context *
> ssl_context, void * cb_data), void * cb_data) +-{
> +-  return ssl_data_new_full(fd, timeout, TLSv1_client_method(),
> callback, cb_data); +-}
> +-
> + #else
> + 
> + static struct mailstream_ssl_context *
> mailstream_ssl_context_new(gnutls_session session, int fd); +@@
> -625,11 +631,6 @@ static struct mailstream_ssl_data *
> ssl_data_new(int f
> +  err:
> +   return NULL;
> + }
> +-static struct mailstream_ssl_data * tls_data_new(int fd, time_t
> timeout, +-  void (* callback)(struct mailstream_ssl_context *
> ssl_context, void * cb_data), void * cb_data) +-{
> +-  return ssl_data_new(fd, timeout, callback, cb_data);
> +-}
> + #endif
> + 
> + static void  ssl_data_free(struct mailstream_ssl_data * ssl_data)
> +@@ -681,10 +682,7 @@ static mailstream_low *
> mailstream_low_ssl_open_full(i
> +   mailstream_low * s;
> +   struct mailstream_ssl_data * ssl_data;
> + 
> +-  if (starttls)
> +-ssl_data = tls_data_new(fd, timeout, callback, cb_data);
> +-  else
> +-ssl_data = ssl_data_new(fd, timeout, callback, cb_data);
> ++  ssl_data = ssl_data_new(fd, timeout, callback, cb_data);
> + 
> +   if (ssl_data == NULL)
> + goto err;
>