FS#33914 - [openssl] 1.0.1.e-3 breaks imap connections

Attached to Project: Arch Linux
Opened by Daniel Martin (bartsch) - Monday, 18 February 2013, 09:49 GMT
Last edited by Pierre Schmitz (Pierre) - Saturday, 02 November 2013, 21:06 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

(Might be a clone of https://bugs.archlinux.org/task/33899 )

With openssl 1.0.1.e-3 I'm unable to connect to the imap server with mutt and imapfilter. Downgrading to 1.0.1.d-1 (don't have another d or e version to test) fixed the issue.

imapfilter gives this error message:

imapfilter: reading data through SSL; error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Closed by Pierre Schmitz (Pierre)
Saturday, 02 November 2013, 21:06 GMT
Reason for closing: Upstream
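For triage, the error string in the report can be decoded into its numeric library, function and reason fields. The following is an added example, not part of the original report or of OpenSSL; it assumes the OpenSSL 1.0.x error-code layout, and the names `decode`, `unpack` and `KNOWN` are hypothetical.

```python
import re

# OpenSSL 1.0.x packs an error as ERR_PACK(lib, func, reason):
#   bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
# Assumption: 1.0.x layout, as in the version discussed here. OpenSSL 3.x
# uses a different layout and this decoder does not apply to it.
ERR_LINE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

# Constants from the OpenSSL 1.0.x headers; only the ones this report needs.
KNOWN = {
    "lib": {20: "SSL routines"},              # ERR_LIB_SSL
    "func": {143: "SSL3_GET_RECORD"},         # SSL_F_SSL3_GET_RECORD
    "reason": {267: "wrong version number"},  # SSL_R_WRONG_VERSION_NUMBER
}


def unpack(code):
    """Split a packed 32-bit error code into its three numeric fields."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def decode(line):
    """Decode one log line. Returns None if it carries no OpenSSL error string.

    'consistent' is True/False when every numeric field is in KNOWN and the
    text beside it matches or not, and None when a field is not in KNOWN.
    """
    m = ERR_LINE.search(line.strip())
    if m is None:
        return None
    nums = unpack(int(m.group("code"), 16))
    text = {k: m.group(k).strip() for k in ("lib", "func", "reason")}
    expected = {k: KNOWN[k].get(nums[k]) for k in nums}
    if None in expected.values():
        consistent = None
    else:
        consistent = all(expected[k] == text[k] for k in nums)
    return {"numeric": nums, "text": text, "consistent": consistent}


if __name__ == "__main__":
    # The line quoted in the report above.
    reported = ("imapfilter: reading data through SSL; "
                "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number")
    print(decode(reported))
```

Grouping client logs by the numeric reason field rather than the text separates this record-layer failure from other SSL errors even when clients format the message differently.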
Comment by Pierre Schmitz (Pierre) - Monday, 18 February 2013, 09:53 GMT
What kind of imap server? Unfortunately I had to disable certain workarounds for broken servers as this was causing even more problems. It's probably a good idea to update or fix the server.
Comment by Daniel Martin (bartsch) - Monday, 18 February 2013, 09:57 GMT
Well, the administrators at the company I work for like it the hard way ...
Microsoft Exchange Server 2003 IMAP4rev1-Server, Version 6.5.7638.1

Updating it is out of my hands.
Comment by Pierre Schmitz (Pierre) - Monday, 18 February 2013, 10:05 GMT
You could try the workaround mentioned here: https://projects.archlinux.de/openssl.git/tree/CHANGES#n548

But note that enabling option #2 breaks other servers like gmail and if you add #3 sites like Amazon's cloudfront will no longer work.

Edit: Clients that don't use openssl like Thunderbird might still work.
Comment by Daniel Martin (bartsch) - Tuesday, 26 February 2013, 07:16 GMT
Sorry, I haven't had the time to look at it. But, patching openssl in that way doesn't sound good to me. Am I right, that the openssl people did something worse than changing the API? They kept the API and changed the behaviour? Well, it seems obvious, but again I didn't have the time to verify it and I don't want to blame someone (for false reasons).
If that's the case - the behaviour changed, maybe in a more correct way - then this task can be closed and the affected applications should be fixed.
Comment by Pierre Schmitz (Pierre) - Tuesday, 26 February 2013, 10:21 GMT
Afaik this was not an API change but openssl now supports more ciphers. Some servers seem to fail over that longer list now.
Comment by David Rosenstrauch (darose) - Thursday, 02 May 2013, 23:34 GMT
I'm not sure this helps anyone other than me, but FYI for my use case (using fetchmail with SSL to pull down my mail from my ISP), I found that if I added "sslproto SSL3" into my fetchmailrc, it worked around the issue and allowed me to use v1.0.1.e. HTH.
