mail/sylpheed: fix TLSv1.3 to imap.gmail.com


mail/sylpheed: fix TLSv1.3 to imap.gmail.com

George Koehler-2
To OpenBSD ports list and MAINTAINER Amit Kulkarni,

After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
self-signed certificate for an invalid host.  The cert tells me to
enable SNI in my client.  I then reject the certificate.  Recent changes
in OpenBSD seem to have enabled TLSv1.3 in libssl.

I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/

Amit, I see that you have GMail; does your Sylpheed work?

This isn't where I expected to make my first commit,
but is this OK to commit?

--George Koehler

Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/sylpheed/Makefile,v
retrieving revision 1.125
diff -u -p -r1.125 Makefile
--- Makefile 12 Jul 2019 20:47:38 -0000 1.125
+++ Makefile 26 Jan 2020 22:58:40 -0000
@@ -3,7 +3,7 @@
 COMMENT = lightweight and user-friendly e-mail client
 
 DISTNAME = sylpheed-3.7.0
-REVISION = 4
+REVISION = 5
 
 SHARED_LIBS += sylph-0                   4.1 # 4.0
 SHARED_LIBS += sylpheed-plugin-0         4.0 # 4.0
Index: patches/patch-libsylph_ssl_c
===================================================================
RCS file: patches/patch-libsylph_ssl_c
diff -N patches/patch-libsylph_ssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libsylph_ssl_c 26 Jan 2020 22:58:40 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+
+Use SNI; fixes TLSv1.3 to imap.gmail.com.
+Patch from Antonio Ospite,
+https://sylpheed.sraoss.jp/redmine/issues/306#note-3
+
+Index: libsylph/ssl.c
+--- libsylph/ssl.c.orig
++++ libsylph/ssl.c
+@@ -258,6 +258,10 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinf
+ return FALSE;
+ }
+
++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++ SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname);
++#endif
++
+ SSL_set_fd(sockinfo->ssl, sockinfo->sock);
+ while ((ret = SSL_connect(sockinfo->ssl)) != 1) {
+ err = SSL_get_error(sockinfo->ssl, ret);
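Review bot: the return value of SSL_set_tlsext_host_name() on the `++ SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname);` line is discarded, so if setting the extension fails (the call returns 0 on error) the code falls through to SSL_connect() without SNI and reproduces the very fallback-certificate symptom the patch header says it fixes; handle it the way the surrounding code already handles failure, e.g. `if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) { g_warning("Error setting servername extension"); return FALSE; }`. A second point for the same line: sockinfo->hostname is passed unconditionally, and RFC 6066 does not allow an IP literal in server_name, so an account configured by address rather than by name should skip the call instead of sending the address as SNI.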

Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

Klemens Nanni-2
On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
That diff is from 2018 already, what is upstream's response?

> This isn't where I expected to make my first commit,
> but is this OK to commit?
Looks OK to me.

Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

Theo Buehler-3
In reply to this post by George Koehler-2
On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:

> To OpenBSD ports list and MAINTAINER Amit Kulkarni,
>
> After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> self-signed certificate for an invalid host.  The cert tells me to
> enable SNI in my client.  I then reject the certificate.  Recent changes
> in OpenBSD seem to have enabled TLSv1.3 in libssl.
>
> I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
>
> Amit, I see that you have GMail; does your Sylpheed work?
>
> This isn't where I expected to make my first commit,
> but is this OK to commit?

I'd prefer if you added an error check to this diff, something like:

        if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
                g_warning(_("Error setting servername extension\n"));
                return FALSE;
        }

With that it's ok tb

PS: The feature guards seem a bit pointless.  SSL_CTRL_SET_TLSEXT_HOSTNAME
exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
removed a long time ago both in LibreSSL and OpenSSL.

Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

Theo Buehler-3
On Mon, Jan 27, 2020 at 12:05:47PM +1100, Theo Buehler wrote:

> On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> >
> > After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> > It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> > self-signed certificate for an invalid host.  The cert tells me to
> > enable SNI in my client.  I then reject the certificate.  Recent changes
> > in OpenBSD seem to have enabled TLSv1.3 in libssl.
> >
> > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> >
> > Amit, I see that you have GMail; does your Sylpheed work?
> >
> > This isn't where I expected to make my first commit,
> > but is this OK to commit?
>
> I'd prefer if you added an error check to this diff, something like:
>
> if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
> g_warning(_("Error setting servername extension\n"));

Sorry, without the _()

> return FALSE;
> }
>
> With that it's ok tb
>
> PS: The feature guards seem a bit pointless.  SSL_CTRL_SET_TLSEXT_HOSTNAME
> exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
> removed a long time ago both in LibreSSL and OpenSSL.
>

Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

Amit Kulkarni
On Sun, Jan 26, 2020 at 7:10 PM Theo Buehler <[hidden email]> wrote:

>
> On Mon, Jan 27, 2020 at 12:05:47PM +1100, Theo Buehler wrote:
> > On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > > To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> > >
> > > After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> > > It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> > > self-signed certificate for an invalid host.  The cert tells me to
> > > enable SNI in my client.  I then reject the certificate.  Recent changes
> > > in OpenBSD seem to have enabled TLSv1.3 in libssl.
> > >
> > > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> > >
> > > Amit, I see that you have GMail; does your Sylpheed work?
> > >
> > > This isn't where I expected to make my first commit,
> > > but is this OK to commit?

Got the same problem you describe now. Please go ahead George!

thanks

Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

George Koehler-2
In reply to this post by Klemens Nanni-2
On Mon, 27 Jan 2020 00:57:28 +0100
Klemens Nanni <[hidden email]> wrote:

> On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> That diff is from 2018 already, what is upstream's response?

I didn't find a response in English.  I don't understand Japanese.
I have not contacted upstream.

The bug tracker has
- https://sylpheed.sraoss.jp/redmine/issues/306 from Aug/Sep 2018,
  where I got the patch
- https://sylpheed.sraoss.jp/redmine/issues/309 from Nov 2018/Apr 2019,
  a duplicate report

The English mailing list has a thread about GMail in June 2019, but it
doesn't mention this SNI problem.
https://www.sraoss.jp/pipermail/sylpheed/2019-June/thread.html#6759

I didn't look at the Japanese mailing list.  --George

Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

George Koehler-2
In reply to this post by Amit Kulkarni
On Sun, 26 Jan 2020 20:43:16 -0600
Amit Kulkarni <[hidden email]> wrote:

> Got the same problem you describe now. Please go ahead George!
>
> thanks

I have added tb's error check.  I will commit it tomorrow.  --George

Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/sylpheed/Makefile,v
retrieving revision 1.125
diff -u -p -r1.125 Makefile
--- Makefile 12 Jul 2019 20:47:38 -0000 1.125
+++ Makefile 27 Jan 2020 03:53:47 -0000
@@ -3,7 +3,7 @@
 COMMENT = lightweight and user-friendly e-mail client
 
 DISTNAME = sylpheed-3.7.0
-REVISION = 4
+REVISION = 5
 
 SHARED_LIBS += sylph-0                   4.1 # 4.0
 SHARED_LIBS += sylpheed-plugin-0         4.0 # 4.0
Index: patches/patch-libsylph_ssl_c
===================================================================
RCS file: patches/patch-libsylph_ssl_c
diff -N patches/patch-libsylph_ssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libsylph_ssl_c 27 Jan 2020 03:53:47 -0000
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+Use SNI; fixes TLSv1.3 to imap.gmail.com.
+Patch from Antonio Ospite,
+https://sylpheed.sraoss.jp/redmine/issues/306#note-3
+but with the addition of an error check.
+
+Index: libsylph/ssl.c
+--- libsylph/ssl.c.orig
++++ libsylph/ssl.c
+@@ -258,6 +258,13 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinf
+ return FALSE;
+ }
+
++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++ if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
++ g_warning("Error setting servername extension\n");
++ return FALSE;
++ }
++#endif
++
+ SSL_set_fd(sockinfo->ssl, sockinfo->sock);
+ while ((ret = SSL_connect(sockinfo->ssl)) != 1) {
+ err = SSL_get_error(sockinfo->ssl, ret);
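Review bot: the `++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` / `++#endif` guard around the new block is not only redundant on current LibreSSL and OpenSSL, as tb points out earlier in the thread, it also fails closed in the wrong direction: on a hypothetical library without the macro the block is compiled out silently and the client connects without SNI and gets the fallback certificate again, whereas dropping the guard would turn that into a loud compile error. Suggest removing the two guard lines. The error check itself (`if (!SSL_set_tlsext_host_name(...)) { ... return FALSE; }`) matches the existing `return FALSE;` failure path in the context lines above and looks right.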

Re: mail/sylpheed: fix TLSv1.3 to imap.gmail.com

Stuart Henderson
On 2020/01/26 23:06, George Koehler wrote:
> On Sun, 26 Jan 2020 20:43:16 -0600
> Amit Kulkarni <[hidden email]> wrote:
>
> > Got the same problem you describe now. Please go ahead George!
> >
> > thanks
>
> I have added tb's error check.  I will commit it tomorrow.  --George

OK sthen@.

Interestingly, Google presents a different certificate for a TLS 1.3
connection than for 1.2.

subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1

vs

subject=/OU=No SNI provided; please fix your client./CN=invalid2.invalid
issuer=/OU=No SNI provided; please fix your client./CN=invalid2.invalid
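As an added, offline illustration of what the patched call changes (this is not code from the thread or from Sylpheed; it uses Python's ssl module, which sits on the same OpenSSL/LibreSSL API, and the host names are constructed): the client handshake is started against memory BIOs so the ClientHello can be captured without a network, and the server_name extension is parsed out of it to show whether SNI was actually sent.

```python
import ssl

# Constructed example: capture the ClientHello that Python's ssl module
# (OpenSSL underneath) emits and check for the server_name extension.
# Memory BIOs hold the bytes the client would have written to the socket.

SNI_EXT_TYPE = 0x0000  # RFC 6066 server_name extension type

def client_hello_bytes(server_hostname):
    """Return the raw TLS bytes a client writes before it needs any reply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        # Only a client that verifies nothing can omit the name entirely.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    obj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        obj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is written; the handshake now waits for the server
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the SNI host name found in a ClientHello record, or None."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]            # session id
    pos += 2 + int.from_bytes(data[pos:pos + 2], "big")  # cipher suites
    pos += 1 + data[pos]            # compression methods
    ext_end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type = int.from_bytes(data[pos:pos + 2], "big")
        ext_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        body = data[pos + 4:pos + 4 + ext_len]
        if ext_type == SNI_EXT_TYPE and body[2] == 0:  # name_type host_name
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

if __name__ == "__main__":
    # A DNS name is sent as SNI; an IP literal is not (RFC 6066 forbids it,
    # and Python skips the call for addresses); no name means no extension.
    for host in ("imap.gmail.com", "192.0.2.1", None):
        print(host, "->", sni_from_client_hello(client_hello_bytes(host)))
```

The None case is what an unpatched Sylpheed sends, and it is the ClientHello for which Google answers with the "No SNI provided" certificate quoted above.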