Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com
On 2020/01/26 23:06, George Koehler wrote:
> On Sun, 26 Jan 2020 20:43:16 -0600
> Amit Kulkarni wrote:
>
> > Got the same problem you describe now. Please go ahead George!
> >
> > thanks
>
> I have added tb's error check. I will commit it tomorrow. --George

OK sthen@.

Interestingly google present a different certificate for a TLS 1.3 connection than 1.2.

subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1

vs

subject=/OU=No SNI provided; please fix your client./CN=invalid2.invalid
issuer=/OU=No SNI provided; please fix your client./CN=invalid2.invalid
Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com
On Sun, 26 Jan 2020 20:43:16 -0600
Amit Kulkarni wrote:

> Got the same problem you describe now. Please go ahead George!
>
> thanks

I have added tb's error check. I will commit it tomorrow. --George

Index: Makefile === RCS file: /cvs/ports/mail/sylpheed/Makefile,v retrieving revision 1.125 diff -u -p -r1.125 Makefile --- Makefile12 Jul 2019 20:47:38 - 1.125 +++ Makefile27 Jan 2020 03:53:47 - @@ -3,7 +3,7 @@ COMMENT = lightweight and user-friendly e-mail client DISTNAME = sylpheed-3.7.0 -REVISION = 4 +REVISION = 5 SHARED_LIBS += sylph-0 4.1 # 4.0 SHARED_LIBS += sylpheed-plugin-0 4.0 # 4.0 Index: patches/patch-libsylph_ssl_c === RCS file: patches/patch-libsylph_ssl_c diff -N patches/patch-libsylph_ssl_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libsylph_ssl_c27 Jan 2020 03:53:47 - @@ -0,0 +1,24 @@ +$OpenBSD$ + +Use SNI; fixes TLSv1.3 to imap.gmail.com. +Patch from Antonio Ospite, +https://sylpheed.sraoss.jp/redmine/issues/306#note-3 +but with the addition of an error check. + +Index: libsylph/ssl.c +--- libsylph/ssl.c.orig libsylph/ssl.c +@@ -258,6 +258,13 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinf + return FALSE; + } + ++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ++ if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) { ++ g_warning("Error setting servername extension\n"); ++ return FALSE; ++ } ++#endif ++ + SSL_set_fd(sockinfo->ssl, sockinfo->sock); + while ((ret = SSL_connect(sockinfo->ssl)) != 1) { + err = SSL_get_error(sockinfo->ssl, ret);
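
Review bot: in the libsylph/ssl.c hunk the new call is still wrapped in `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME`, so a build where that macro is undefined compiles the SNI call out with no diagnostic and the client goes back to sending no server name. Dropping the `#ifdef`/`#endif` pair, as already suggested in review on this thread, would turn a missing API into a build failure instead. Two smaller points on the same lines: the hunk does not show whether `sockinfo->hostname` can be NULL or an IP literal at this point, which is worth confirming before it is passed to `SSL_set_tlsext_host_name()`, and the default GLib log handler appends a newline to `g_warning()` messages, so the trailing `\n` can go.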
Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com
On Mon, 27 Jan 2020 00:57:28 +0100
Klemens Nanni wrote:

> On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> That diff is from 2018 already, what is upstream's response?

I didn't find a response in English. I don't understand Japanese.
I have not contacted upstream. The bug tracker has
 - https://sylpheed.sraoss.jp/redmine/issues/306
   from Aug/Sep 2018, where I got the patch
 - https://sylpheed.sraoss.jp/redmine/issues/309
   from Nov 2018/Apr 2019, a duplicate report

The English mailing list has a thread about GMail in June 2019,
but it doesn't mention this SNI problem.
https://www.sraoss.jp/pipermail/sylpheed/2019-June/thread.html#6759

I didn't look at the Japanese mailing list.

--George
Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com
On Sun, Jan 26, 2020 at 7:10 PM Theo Buehler wrote:
>
> On Mon, Jan 27, 2020 at 12:05:47PM +1100, Theo Buehler wrote:
> > On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > > To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> > >
> > > After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> > > It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> > > self-signed certificate for an invalid host. The cert tells me to
> > > enable SNI in my client. I then reject the certificate. Recent changes
> > > in OpenBSD seem to have enabled TLSv1.3 in libssl.
> > >
> > > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> > >
> > > Amit, I see that you have GMail; does your Sylpheed work?
> > >
> > > This isn't where I expected to make my first commit,
> > > but is this OK to commit?

Got the same problem you describe now. Please go ahead George!

thanks
Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com
On Mon, Jan 27, 2020 at 12:05:47PM +1100, Theo Buehler wrote:
> On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> >
> > After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> > It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> > self-signed certificate for an invalid host. The cert tells me to
> > enable SNI in my client. I then reject the certificate. Recent changes
> > in OpenBSD seem to have enabled TLSv1.3 in libssl.
> >
> > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> >
> > Amit, I see that you have GMail; does your Sylpheed work?
> >
> > This isn't where I expected to make my first commit,
> > but is this OK to commit?
>
> I'd prefer if you added an error check to this diff, something like:
>
>     if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
>         g_warning(_("Error setting servername extension\n"));

Sorry, without the _()

>         return FALSE;
>     }
>
> With that it's ok tb
>
> PS: The feature guards seem a bit pointless. SSL_CTRL_SET_TLSEXT_HOSTNAME
> exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
> removed a long time ago both in LibreSSL and OpenSSL.
>
Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com
On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> To OpenBSD ports list and MAINTAINER Amit Kulkarni,
>
> After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> self-signed certificate for an invalid host. The cert tells me to
> enable SNI in my client. I then reject the certificate. Recent changes
> in OpenBSD seem to have enabled TLSv1.3 in libssl.
>
> I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
>
> Amit, I see that you have GMail; does your Sylpheed work?
>
> This isn't where I expected to make my first commit,
> but is this OK to commit?

I'd prefer if you added an error check to this diff, something like:

    if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
        g_warning(_("Error setting servername extension\n"));
        return FALSE;
    }

With that it's ok tb

PS: The feature guards seem a bit pointless. SSL_CTRL_SET_TLSEXT_HOSTNAME
exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
removed a long time ago both in LibreSSL and OpenSSL.
Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com
On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/

That diff is from 2018 already, what is upstream's response?

> This isn't where I expected to make my first commit,
> but is this OK to commit?

Looks OK to me.
mail/sylpheed: fix TLSv1.3 to imap.gmail.com
To OpenBSD ports list and MAINTAINER Amit Kulkarni,

After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
self-signed certificate for an invalid host. The cert tells me to
enable SNI in my client. I then reject the certificate. Recent changes
in OpenBSD seem to have enabled TLSv1.3 in libssl.

I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/

Amit, I see that you have GMail; does your Sylpheed work?

This isn't where I expected to make my first commit,
but is this OK to commit?

--George Koehler

Index: Makefile === RCS file: /cvs/ports/mail/sylpheed/Makefile,v retrieving revision 1.125 diff -u -p -r1.125 Makefile --- Makefile12 Jul 2019 20:47:38 - 1.125 +++ Makefile26 Jan 2020 22:58:40 - @@ -3,7 +3,7 @@ COMMENT = lightweight and user-friendly e-mail client DISTNAME = sylpheed-3.7.0 -REVISION = 4 +REVISION = 5 SHARED_LIBS += sylph-0 4.1 # 4.0 SHARED_LIBS += sylpheed-plugin-0 4.0 # 4.0 Index: patches/patch-libsylph_ssl_c === RCS file: patches/patch-libsylph_ssl_c diff -N patches/patch-libsylph_ssl_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libsylph_ssl_c26 Jan 2020 22:58:40 - @@ -0,0 +1,20 @@ +$OpenBSD$ + +Use SNI; fixes TLSv1.3 to imap.gmail.com. +Patch from Antonio Ospite, +https://sylpheed.sraoss.jp/redmine/issues/306#note-3 + +Index: libsylph/ssl.c +--- libsylph/ssl.c.orig libsylph/ssl.c +@@ -258,6 +258,10 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinf + return FALSE; + } + ++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ++ SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname); ++#endif ++ + SSL_set_fd(sockinfo->ssl, sockinfo->sock); + while ((ret = SSL_connect(sockinfo->ssl)) != 1) { + err = SSL_get_error(sockinfo->ssl, ret);
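
Review bot: the return value of `SSL_set_tlsext_host_name()` is discarded at the added line in the libsylph/ssl.c hunk, so if setting the name fails the code falls through to `SSL_connect()` without SNI and nothing is logged to explain why the server's fallback certificate shows up again. Check the result, log a warning and `return FALSE`, matching the error return visible in the context lines just above the addition.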