Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-27 Thread Stuart Henderson
On 2020/01/26 23:06, George Koehler wrote:
> On Sun, 26 Jan 2020 20:43:16 -0600
> Amit Kulkarni  wrote:
> 
> > Got the same problem you describe now. Please go ahead George!
> > 
> > thanks
> 
> I have added tb's error check.  I will commit it tomorrow.  --George

OK sthen@.

Interestingly Google present a different certificate for a TLS 1.3
connection than 1.2.

subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1

vs

subject=/OU=No SNI provided; please fix your client./CN=invalid2.invalid
issuer=/OU=No SNI provided; please fix your client./CN=invalid2.invalid



Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-26 Thread George Koehler
On Sun, 26 Jan 2020 20:43:16 -0600
Amit Kulkarni  wrote:

> Got the same problem you describe now. Please go ahead George!
> 
> thanks

I have added tb's error check.  I will commit it tomorrow.  --George

Index: Makefile
===
RCS file: /cvs/ports/mail/sylpheed/Makefile,v
retrieving revision 1.125
diff -u -p -r1.125 Makefile
--- Makefile12 Jul 2019 20:47:38 -  1.125
+++ Makefile27 Jan 2020 03:53:47 -
@@ -3,7 +3,7 @@
 COMMENT =  lightweight and user-friendly e-mail client
 
 DISTNAME = sylpheed-3.7.0
-REVISION = 4
+REVISION = 5
 
 SHARED_LIBS += sylph-0   4.1 # 4.0
 SHARED_LIBS += sylpheed-plugin-0 4.0 # 4.0
Index: patches/patch-libsylph_ssl_c
===
RCS file: patches/patch-libsylph_ssl_c
diff -N patches/patch-libsylph_ssl_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libsylph_ssl_c27 Jan 2020 03:53:47 -
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+Use SNI; fixes TLSv1.3 to imap.gmail.com.
+Patch from Antonio Ospite,
+https://sylpheed.sraoss.jp/redmine/issues/306#note-3
+but with the addition of an error check.
+
+Index: libsylph/ssl.c
+--- libsylph/ssl.c.orig
 libsylph/ssl.c
+@@ -258,6 +258,13 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinf
+   return FALSE;
+   }
+ 
++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++  if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
++  g_warning("Error setting servername extension\n");
++  return FALSE;
++  }
++#endif
++
+   SSL_set_fd(sockinfo->ssl, sockinfo->sock);
+   while ((ret = SSL_connect(sockinfo->ssl)) != 1) {
+   err = SSL_get_error(sockinfo->ssl, ret);
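
Review bot: sockinfo->hostname is handed to SSL_set_tlsext_host_name() with no check that it is non-NULL and a DNS name rather than an IP literal, and with the new `return FALSE` any failure of that call now aborts the connection. RFC 6066 only allows DNS hostnames in server_name, so consider skipping the call when the hostname is an address literal, and confirm how the NULL case behaves. Minor: g_warning() appends its own newline, so the trailing "\n" in the message is redundant.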



Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-26 Thread George Koehler
On Mon, 27 Jan 2020 00:57:28 +0100
Klemens Nanni  wrote:

> On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> That diff is from 2018 already, what is upstream's response?

I didn't find a response in English.  I don't understand Japanese.
I have not contacted upstream.

The bug tracker has
- https://sylpheed.sraoss.jp/redmine/issues/306 from Aug/Sep 2018,
  where I got the patch
- https://sylpheed.sraoss.jp/redmine/issues/309 from Nov 2018/Apr 2019,
  a duplicate report

The English mailing list has a thread about GMail in June 2019, but it
doesn't mention this SNI problem.
https://www.sraoss.jp/pipermail/sylpheed/2019-June/thread.html#6759

I didn't look at the Japanese mailing list.  --George



Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-26 Thread Amit Kulkarni
On Sun, Jan 26, 2020 at 7:10 PM Theo Buehler  wrote:
>
> On Mon, Jan 27, 2020 at 12:05:47PM +1100, Theo Buehler wrote:
> > On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > > To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> > >
> > > After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> > > It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> > > self-signed certificate for an invalid host.  The cert tells me to
> > > enable SNI in my client.  I then reject the certificate.  Recent changes
> > > in OpenBSD seem to have enabled TLSv1.3 in libssl.
> > >
> > > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> > >
> > > Amit, I see that you have GMail; does your Sylpheed work?
> > >
> > > This isn't where I expected to make my first commit,
> > > but is this OK to commit?

Got the same problem you describe now. Please go ahead George!

thanks



Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-26 Thread Theo Buehler
On Mon, Jan 27, 2020 at 12:05:47PM +1100, Theo Buehler wrote:
> On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> > 
> > After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> > It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> > self-signed certificate for an invalid host.  The cert tells me to
> > enable SNI in my client.  I then reject the certificate.  Recent changes
> > in OpenBSD seem to have enabled TLSv1.3 in libssl.
> > 
> > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> > 
> > Amit, I see that you have GMail; does your Sylpheed work?
> > 
> > This isn't where I expected to make my first commit,
> > but is this OK to commit?
> 
> I'd prefer if you added an error check to this diff, something like:
> 
>   if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
>   g_warning(_("Error setting servername extension\n"));

Sorry, without the _()

>   return FALSE;
>   }
> 
> With that it's ok tb
> 
> PS: The feature guards seem a bit pointless.  SSL_CTRL_SET_TLSEXT_HOSTNAME
> exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
> removed a long time ago both in LibreSSL and OpenSSL.
> 



Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-26 Thread Theo Buehler
On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> 
> After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> self-signed certificate for an invalid host.  The cert tells me to
> enable SNI in my client.  I then reject the certificate.  Recent changes
> in OpenBSD seem to have enabled TLSv1.3 in libssl.
> 
> I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> 
> Amit, I see that you have GMail; does your Sylpheed work?
> 
> This isn't where I expected to make my first commit,
> but is this OK to commit?

I'd prefer if you added an error check to this diff, something like:

	if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
		g_warning(_("Error setting servername extension\n"));
		return FALSE;
	}

With that it's ok tb

PS: The feature guards seem a bit pointless.  SSL_CTRL_SET_TLSEXT_HOSTNAME
exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
removed a long time ago both in LibreSSL and OpenSSL.



Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-26 Thread Klemens Nanni
On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
That diff is from 2018 already, what is upstream's response?

> This isn't where I expected to make my first commit,
> but is this OK to commit?
Looks OK to me.



mail/sylpheed: fix TLSv1.3 to imap.gmail.com

2020-01-26 Thread George Koehler
To OpenBSD ports list and MAINTAINER Amit Kulkarni,

After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
self-signed certificate for an invalid host.  The cert tells me to
enable SNI in my client.  I then reject the certificate.  Recent changes
in OpenBSD seem to have enabled TLSv1.3 in libssl.

I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/

Amit, I see that you have GMail; does your Sylpheed work?

This isn't where I expected to make my first commit,
but is this OK to commit?

--George Koehler

Index: Makefile
===
RCS file: /cvs/ports/mail/sylpheed/Makefile,v
retrieving revision 1.125
diff -u -p -r1.125 Makefile
--- Makefile12 Jul 2019 20:47:38 -  1.125
+++ Makefile26 Jan 2020 22:58:40 -
@@ -3,7 +3,7 @@
 COMMENT =  lightweight and user-friendly e-mail client
 
 DISTNAME = sylpheed-3.7.0
-REVISION = 4
+REVISION = 5
 
 SHARED_LIBS += sylph-0   4.1 # 4.0
 SHARED_LIBS += sylpheed-plugin-0 4.0 # 4.0
Index: patches/patch-libsylph_ssl_c
===
RCS file: patches/patch-libsylph_ssl_c
diff -N patches/patch-libsylph_ssl_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libsylph_ssl_c26 Jan 2020 22:58:40 -
@@ -0,0 +1,20 @@
+$OpenBSD$
+
+Use SNI; fixes TLSv1.3 to imap.gmail.com.
+Patch from Antonio Ospite,
+https://sylpheed.sraoss.jp/redmine/issues/306#note-3
+
+Index: libsylph/ssl.c
+--- libsylph/ssl.c.orig
 libsylph/ssl.c
+@@ -258,6 +258,10 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinf
+   return FALSE;
+   }
+ 
++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++  SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname);
++#endif
++
+   SSL_set_fd(sockinfo->ssl, sockinfo->sock);
+   while ((ret = SSL_connect(sockinfo->ssl)) != 1) {
+   err = SSL_get_error(sockinfo->ssl, ret);
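
Review bot: the added SSL_set_tlsext_host_name() call inside the #ifdef discards its return value, so if setting the name fails, SSL_connect() still runs without SNI and the user is back to the self-signed certificate this patch is meant to avoid. Check the result and fail the socket setup, for example `if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) return FALSE;` with a warning logged first.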