Enable TLS > 1.0 in libetpan
Some people may have witnessed my struggle of the past few days to connect claws-mail to my mail server. Long story short: server only accepts TLS 1.2, claws-mail connects with TLS 1.0. The culprit here is libetpan v1.6, which calls TLSv1_client_method() before the TLS handshake. The diff below fixes the issue, claws-mail happily synchronized my IMAP folders when applied. Ok?
--- $OpenBSD$ --- src/data-types/mailstream_ssl.c.origMon Apr 18 23:45:10 2016 +++ src/data-types/mailstream_ssl.c Mon Apr 18 23:45:32 2016 @@ -491,7 +491,7 @@ static struct mailstream_ssl_data * ssl_data_new(int f static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout, void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data) { - return ssl_data_new_full(fd, timeout, TLSv1_client_method(), callback, cb_data); + return ssl_data_new_full(fd, timeout, TLS_client_method(), callback, cb_data); } #else
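Review bot: the switch to TLS_client_method() in tls_data_new() is unconditional, but that function only exists in OpenSSL 1.1.0 and later (and in LibreSSL, which is what OpenBSD links against), so the same patch fails to build against OpenSSL 1.0.x. The upstream commit linked later in this thread wraps the call in an OPENSSL_VERSION_NUMBER check with SSLv23_client_method() as the fallback, which likewise negotiates the highest protocol version both peers support. The hunk also leaves tls_data_new() as a copy of ssl_data_new() that differs only in the method it passes; once both negotiate the highest version there is no reason to keep two of them, which is what the upstream change does.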
Re: Enable TLS > 1.0 in libetpan
On 2016/04/19 07:54, Vincent Gross wrote: > Some people may have witnessed my struggle of the past few days to > connect claws-mail to my mail server. Long story short : server only > accepts TLS 1.2, claws-mail connects with TLS 1.0. > > The culprit here is libetpan v1.6, which calls TLSv1_client_method() > before the TLS handshake. The diff below fixes the issue, claws-mail > happily synchronized my imap folders when applied. > > Ok ? Would you mind using the diff that was committed upstream instead? It makes it a little easier for future updates (i.e. when they have a new release) if the patches are the same. https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch Needs a REVISION bump too.
Re: Enable TLS > 1.0 in libetpan
On Tue, 19 Apr 2016 07:45:27 +0100, Stuart Henderson wrote: > On 2016/04/19 07:54, Vincent Gross wrote: > > Some people may have witnessed my struggle of the past few days to > > connect claws-mail to my mail server. Long story short : server only > > accepts TLS 1.2, claws-mail connects with TLS 1.0. > > > > The culprit here is libetpan v1.6, which calls TLSv1_client_method() > > before the TLS handshake. The diff below fixes the issue, claws-mail > > happily synchronized my imap folders when applied. > > > > Ok ? > > Would you mind using the diff that was committed upstream instead? It > makes it a little easier for future updates (i.e. when they have a new > release) if the patches are the same. > > https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch > > Needs a REVISION bump too. > claws-mail-wise, it's ok here's the diff I used. Vincent, does it fix your problem? Index: Makefile === RCS file: /cvs/ports/mail/libetpan/Makefile,v retrieving revision 1.19 diff -u -p -r1.19 Makefile --- Makefile11 Mar 2016 19:59:15 - 1.19 +++ Makefile19 Apr 2016 12:11:32 - @@ -6,7 +6,7 @@ GH_ACCOUNT= dinhviethoa GH_PROJECT=libetpan GH_TAGNAME=1.6 DISTNAME= libetpan-1.6 -REVISION= 0 +REVISION= 1 CATEGORIES=mail devel SHARED_LIBS= etpan 15.0 Index: patches/patch-src_data-types_mailstream_ssl_c === RCS file: patches/patch-src_data-types_mailstream_ssl_c diff -N patches/patch-src_data-types_mailstream_ssl_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_data-types_mailstream_ssl_c 19 Apr 2016 12:11:32 - 
@@ -0,0 +1,66 @@ +$OpenBSD$ + +When encrypting the connection with STARTTLS the only method +allowed was TLSv1. Change this to allow TLSv1.2 (or whatever the +strongest method is). + +Additionally tls_data_new() and ssl_data_new() did the same (with +exception to the nailed method in tls_data_new()), so drop one +of them. +https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch + +--- src/data-types/mailstream_ssl.c.orig Tue Apr 19 14:04:46 2016 src/data-types/mailstream_ssl.cTue Apr 19 14:03:25 2016 +@@ -485,15 +485,21 @@ again: + static struct mailstream_ssl_data * ssl_data_new(int fd, time_t timeout, + void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data) + { +- return ssl_data_new_full(fd, timeout, SSLv23_client_method(), callback, cb_data); ++ return ssl_data_new_full(fd, timeout, ++#if (OPENSSL_VERSION_NUMBER >= 0x1010L) ++ TLS_client_method(), ++#else ++ /* Despite their name the SSLv23_*method() functions have nothing to do ++ * with the availability of SSLv2 or SSLv3. What these functions do is ++ * negotiate with the peer the highest available SSL/TLS protocol version ++ * available. The name is as it is for historic reasons. This is a very ++ * common confusion and is the main reason why these names have been ++ * deprecated in the latest dev version of OpenSSL. 
*/ ++ SSLv23_client_method(), ++#endif ++ callback, cb_data); + } + +-static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout, +- void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data) +-{ +- return ssl_data_new_full(fd, timeout, TLSv1_client_method(), callback, cb_data); +-} +- + #else + + static struct mailstream_ssl_context * mailstream_ssl_context_new(gnutls_session session, int fd); +@@ -625,11 +631,6 @@ static struct mailstream_ssl_data * ssl_data_new(int f + err: + return NULL; + } +-static struct mailstream_ssl_data * tls_data_new(int fd, time_t timeout, +- void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data) +-{ +- return ssl_data_new(fd, timeout, callback, cb_data); +-} + #endif + + static void ssl_data_free(struct mailstream_ssl_data * ssl_data) +@@ -681,10 +682,7 @@ static mailstream_low * mailstream_low_ssl_open_full(i + mailstream_low * s; + struct mailstream_ssl_data * ssl_data; + +- if (starttls) +-ssl_data = tls_data_new(fd, timeout, callback, cb_data); +- else +-ssl_data = ssl_data_new(fd, timeout, callback, cb_data); ++ ssl_data = ssl_data_new(fd, timeout, callback, cb_data); + + if (ssl_data == NULL) + goto err;
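Review bot: the `#if (OPENSSL_VERSION_NUMBER >= 0x1010L)` test in the new patch file compares against the wrong magnitude. OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS, so 1.1.0 is 0x10100000L, and even OpenSSL 1.0.x values (0x1000207fL for 1.0.2g, for example) are far above 0x1010. The condition is therefore always true, the SSLv23_client_method() branch with its long explanatory comment is dead code, and a build against OpenSSL 1.0.x fails on the undeclared TLS_client_method(). It works on OpenBSD only because LibreSSL provides TLS_client_method(). Since the point of reusing the upstream diff is to keep the patches identical, the constant should read `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` here and be reported upstream as well. The REVISION bump in the Makefile hunk and the removal of the starttls/tls_data_new() split in the third hunk look right.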
Re: Enable TLS > 1.0 in libetpan
On Tue, 19 Apr 2016 15:02:46 +0200 Daniel Jakots wrote: > On Tue, 19 Apr 2016 07:45:27 +0100, Stuart Henderson > wrote: > > > On 2016/04/19 07:54, Vincent Gross wrote: > > > Some people may have witnessed my struggle of the past few days to > > > connect claws-mail to my mail server. Long story short : server > > > only accepts TLS 1.2, claws-mail connects with TLS 1.0. > > > > > > The culprit here is libetpan v1.6, which calls > > > TLSv1_client_method() before the TLS handshake. The diff below > > > fixes the issue, claws-mail happily synchronized my imap folders > > > when applied. > > > > > > Ok ? > > > > Would you mind using the diff that was committed upstream instead? > > It makes it a little easier for future updates (i.e. when they have > > a new release) if the patches are the same. > > > > https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch > > > > Needs a REVISION bump too. > > > > claws-mail-wise, it's ok > > here's the diff I used. Vincent, does it fix your problem? Yes, I just compiled libetpan with this diff and claws-mail runs smoothly :) put it in ! > > Index: Makefile > === > RCS file: /cvs/ports/mail/libetpan/Makefile,v > retrieving revision 1.19 > diff -u -p -r1.19 Makefile > --- Makefile 11 Mar 2016 19:59:15 - 1.19 > +++ Makefile 19 Apr 2016 12:11:32 - > @@ -6,7 +6,7 @@ GH_ACCOUNT= dinhviethoa > GH_PROJECT= libetpan > GH_TAGNAME= 1.6 > DISTNAME=libetpan-1.6 > -REVISION=0 > +REVISION=1 > CATEGORIES= mail devel > > SHARED_LIBS= etpan 15.0 > Index: patches/patch-src_data-types_mailstream_ssl_c > === > RCS file: patches/patch-src_data-types_mailstream_ssl_c > diff -N patches/patch-src_data-types_mailstream_ssl_c > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-src_data-types_mailstream_ssl_c 19 Apr 2016 > 12:11:32 - 
@@ -0,0 +1,66 @@ > +$OpenBSD$ > + > +When encrypting the connection with STARTTLS the only method > +allowed was TLSv1. Change this to allow TLSv1.2 (or whatever the > +strongest method is). > + > +Additionally tls_data_new() and ssl_data_new() did the same (with > +exception to the nailed method in tls_data_new()), so drop one > +of them. > +https://github.com/dinhviethoa/libetpan/commit/7f1f97f4d59d5724af97f4d32424c2841715561c.patch > + > +--- src/data-types/mailstream_ssl.c.orig Tue Apr 19 14:04:46 > 2016 src/data-types/mailstream_ssl.c Tue Apr 19 14:03:25 > 2016 +@@ -485,15 +485,21 @@ again: > + static struct mailstream_ssl_data * ssl_data_new(int fd, time_t > timeout, > + void (* callback)(struct mailstream_ssl_context * > ssl_context, void * cb_data), void * cb_data) > + { > +- return ssl_data_new_full(fd, timeout, SSLv23_client_method(), > callback, cb_data); ++ return ssl_data_new_full(fd, timeout, > ++#if (OPENSSL_VERSION_NUMBER >= 0x1010L) > ++TLS_client_method(), > ++#else > ++/* Despite their name the SSLv23_*method() functions have > nothing to do ++ * with the availability of SSLv2 or SSLv3. > What these functions do is ++ * negotiate with the peer the > highest available SSL/TLS protocol version ++ * available. > The name is as it is for historic reasons. This is a very ++ > * common confusion and is the main reason why these names have been > ++ * deprecated in the latest dev version of OpenSSL. 
*/ > ++SSLv23_client_method(), ++#endif > ++callback, cb_data); > + } > + > +-static struct mailstream_ssl_data * tls_data_new(int fd, time_t > timeout, +- void (* callback)(struct mailstream_ssl_context * > ssl_context, void * cb_data), void * cb_data) +-{ > +- return ssl_data_new_full(fd, timeout, TLSv1_client_method(), > callback, cb_data); +-} > +- > + #else > + > + static struct mailstream_ssl_context * > mailstream_ssl_context_new(gnutls_session session, int fd); +@@ > -625,11 +631,6 @@ static struct mailstream_ssl_data * > ssl_data_new(int f > + err: > + return NULL; > + } > +-static struct mailstream_ssl_data * tls_data_new(int fd, time_t > timeout, +- void (* callback)(struct mailstream_ssl_context * > ssl_context, void * cb_data), void * cb_data) +-{ > +- return ssl_data_new(fd, timeout, callback, cb_data); > +-} > + #endif > + > + static void ssl_data_free(struct mailstream_ssl_data * ssl_data) > +@@ -681,10 +682,7 @@ static mailstream_low * > mailstream_low_ssl_open_full(i > + mailstream_low * s; > + struct mailstream_ssl_data * ssl_data; > + > +- if (starttls) > +-ssl_data = tls_data_new(fd, timeout, callback, cb_data); > +- else > +-ssl_data = ssl_data_new(fd, timeout, callback, cb_data); > ++ ssl_data = ssl_data_new(fd, timeout, callback, cb_data); > + > + if (ssl_data == NULL) > + goto err; >
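The patch quoted above selects TLS_client_method() with `#if (OPENSSL_VERSION_NUMBER >= 0x1010L)`. That constant does not encode any OpenSSL release: OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS, so 1.1.0 is 0x10100000L and every real library, 1.0.x included, satisfies the test as written. The script below is an added example for this thread, not libetpan or OpenBSD ports code. It decodes version numbers in that layout, evaluates the guard as written against the one that presumably was intended (the assumption being that 0x10100000L, the first release with TLS_client_method(), was meant), reports which sample builds would fail to compile under each, and finishes with the Python-side equivalent of TLS_client_method() hardened with a TLS 1.2 floor, the behaviour Vincent's server demands. Treating the fixed LibreSSL version number as "has TLS_client_method()" is also an assumption, stated in the code.

```python
"""Version-guard and protocol-floor checks around the libetpan STARTTLS fix.

Added example for this thread; not libetpan or OpenBSD ports code.
"""
import ssl

# Guard exactly as written in the patch file quoted in the thread ...
GUARD_AS_WRITTEN = 0x1010
# ... and the value that actually encodes OpenSSL 1.1.0, the release that
# introduced TLS_client_method() (assumption: this is what was intended).
GUARD_INTENDED = 0x10100000

# Constructed sample of OPENSSL_VERSION_NUMBER values a build host might have.
# OpenSSL 1.x layout is 0xMNNFFPPS: M major, NN minor, FF fix, PP patch letter
# (0 = none, 1 = 'a', ...), S status (0 = dev, 1..0xe = beta, 0xf = release).
SAMPLE_VERSIONS = {
    "OpenSSL 1.0.1t": 0x1000114F,
    "OpenSSL 1.0.2g": 0x1000207F,
    "OpenSSL 1.1.0":  0x1010000F,
    "LibreSSL":       0x20000000,  # LibreSSL pins OPENSSL_VERSION_NUMBER to this
}


def format_version(n: int) -> str:
    """Render an OPENSSL_VERSION_NUMBER the way the library reports itself."""
    if n == 0x20000000:
        return "LibreSSL (OPENSSL_VERSION_NUMBER fixed at 0x20000000)"
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    fix = (n >> 12) & 0xFF
    patch = (n >> 4) & 0xFF
    if major >= 3:
        # OpenSSL 3.x keeps the field widths but stores a numeric patch level in PP.
        return f"OpenSSL {major}.{minor}.{patch}"
    letter = "" if patch == 0 else chr(ord("a") + patch - 1)
    return f"OpenSSL {major}.{minor}.{fix}{letter}"


def has_tls_client_method(n: int) -> bool:
    """True where TLS_client_method() is declared: OpenSSL >= 1.1.0, and LibreSSL.

    Assumption: the LibreSSL releases contemporary with this thread all provide
    TLS_client_method(); its fixed version number cannot distinguish releases.
    """
    return n == 0x20000000 or n >= 0x10100000


def builds_that_break(threshold: int) -> list:
    """Sample builds where the #if selects TLS_client_method() although the
    symbol is absent, i.e. where compilation of the patched file would fail."""
    return [
        name
        for name, n in SAMPLE_VERSIONS.items()
        if n >= threshold and not has_tls_client_method(n)
    ]


def runtime_guard_report() -> dict:
    """Evaluate both guards against the OpenSSL this Python interpreter links to."""
    n = ssl.OPENSSL_VERSION_NUMBER
    return {
        "library": format_version(n),
        "guard_as_written": n >= GUARD_AS_WRITTEN,
        "guard_intended": n >= GUARD_INTENDED,
    }


def hardened_client_context() -> ssl.SSLContext:
    """Python equivalent of TLS_client_method(): negotiate the highest version
    both ends support, but refuse anything below TLS 1.2 so the old
    TLSv1-only behaviour can never be negotiated back in."""
    ctx = ssl.create_default_context()  # PROTOCOL_TLS_CLIENT with peer verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, n in SAMPLE_VERSIONS.items():
        print(f"{name:16} {n:#010x} -> {format_version(n)}")
    print("fails to build with 0x1010L:    ", builds_that_break(GUARD_AS_WRITTEN))
    print("fails to build with 0x10100000L:", builds_that_break(GUARD_INTENDED))
    print(runtime_guard_report())
```

Run as-is, the guard as written flags both OpenSSL 1.0.x samples as broken builds while the intended constant flags none, and `runtime_guard_report()` shows that whatever library the interpreter carries passes the 0x1010 test, which is exactly why the fallback branch in the patch can never be compiled.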