FS#60059 - [sylpheed] invalid imap.gmail.com certificate after update to openssl-1.1.1-1
Attached to Project:
Community Packages
Opened by marcin82 (marcin82) - Friday, 14 September 2018, 16:50 GMT
Last edited by Eli Schwartz (eschwartz) - Monday, 07 January 2019, 03:33 GMT
Details
Description:
Update openssl to 1.1.1-1 breaks recognition of imap.gmail.com certificate. Error has occurred with Sylpheed email client. Warning content (sylpheed-3.7.0-2):
---------------------------------------------------------------------------------
The SSL certificate of imap.gmail.com cannot be verified by the following reason:
self signed certificate
Subject: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Issuer: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Issued date: Jan 1 00:00:00 2015 GMT
Expire date: Jan 1 00:00:00 2030 GMT
SHA1 fingerprint: 42:59:51:7C:D4:E4:8A:28:9D:33:2A:B3:F0:AB:52:A3:66:32:28:24
MD5 fingerprint: 90:4A:C8:D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16
Do you accept this certificate?
---------------------------------------------------------------------------------
Closed by Eli Schwartz (eschwartz)
Monday, 07 January 2019, 03:33 GMT
Reason for closing: Fixed
Additional comments about closing: sylpheed 3.7.0-3
ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for repository 'GMail-Remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)
openssl 1.1.0.i-1 works as expected.
Appears offlineimap uses https://docs.python.org/2/library/ssl.html#ssl.wrap_socket instead of https://docs.python.org/2/library/ssl.html#ssl.SSLContext.wrap_socket so does not support SNI either.
Although that does not explain what has changed with 1.1.1-1
Edit:
Possibly what has changed is TLS 1.3 being added as noted by https://bugs.archlinux.org/task/60038
There were a couple of issues I saw against offlineimap that indicated trying such a change (e.g. https://github.com/OfflineIMAP/offlineimap/issues/573)
"ssl.OP_NO_TLSv1_3
Prevents a TLSv1.3 connection. This option is only applicable in conjunction with PROTOCOL_TLS. It prevents the peers from choosing TLSv1.3 as the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later. When Python has been compiled against an older version of OpenSSL, the flag defaults to 0."
and locally in python2:
>>> hasattr(ssl, 'OP_NO_TLSv1_3')
True
>>> ssl.OP_NO_TLSv1_3
0
Perhaps python2 packaging needs to be rebuilt against openssl 1.1.1? With all the caveats on the ssl page for python it's hard for me to digest/be certain.
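An added example (Python 3, not code from this report or from sylpheed/offlineimap) illustrating the two points raised in the comments above: wrapping the IMAP socket through an SSLContext with server_hostname so that SNI is actually sent, recognising the "No SNI provided" placeholder certificate from the description in a getpeercert() dict, and checking whether the local Python build knows about TLS 1.3. The sample certificate dict is constructed from the subject quoted in the report; the host and port are illustrative.

```python
"""Added example: SNI-correct TLS wrapping and placeholder-cert detection."""
import socket
import ssl

# Text the fallback certificate in the report carries in its OU field.
SNI_PLACEHOLDER_MARKER = "No SNI provided"

# Constructed from the Subject line in the bug description, in the shape
# that SSLSocket.getpeercert() returns (tuple of RDNs of (name, value) pairs).
PLACEHOLDER_CERT = {
    "subject": ((("organizationalUnitName", "No SNI provided; please fix your client."),),
                (("commonName", "invalid2.invalid"),)),
}
# Constructed stand-in for a real server certificate (values are illustrative).
REAL_CERT_SAMPLE = {
    "subject": ((("commonName", "imap.gmail.com"),),),
}


def make_sni_context():
    """Default context: verifies the chain and enforces hostname checking."""
    return ssl.create_default_context()


def context_sends_sni(ctx):
    """True when the context is configured so wrap_socket() will send SNI:
    check_hostname requires server_hostname, which is what puts the
    extension on the wire. ssl.wrap_socket() (module level) has no such
    argument, which is the offlineimap problem noted above."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_with_sni(host="imap.gmail.com", port=993, ctx=None):
    """Open a TLS connection that sends SNI; returns the wrapped socket."""
    ctx = ctx or make_sni_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


def is_sni_placeholder_cert(peercert):
    """Detect the self-signed 'No SNI provided' placeholder in a getpeercert()
    dict. Note: with verify_mode CERT_NONE getpeercert() returns {}, so this
    check only works when verification is enabled."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "organizationalUnitName" and SNI_PLACEHOLDER_MARKER in value:
                return True
    return False


def tls13_option_usable():
    """True if this Python build was compiled against OpenSSL >= 1.1.1:
    OP_NO_TLSv1_3 exists but is 0 on builds against older OpenSSL."""
    return getattr(ssl, "OP_NO_TLSv1_3", 0) != 0
```

Calling connect_with_sni() needs network access; the other functions run offline.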
What else are they supposed to do, if this is the case? How would they fix it, by forking imaplib2 and depending on that instead?
Especially given that it will cause mysterious fail states, on distros that actually do (we don't) remove the bundled copy as the offlineimap documentation suggests is an eminently reasonable approach. In fact, if you have a copy of imaplib2 on your PYTHONPATH, offlineimap will *unconditionally* use that instead. Because they do the right thing.
tl;dr bundled != forked, and down that road lies insanity so let's not go there.
FS#60078 for offlineimap, FS#60077 for isync