FS#60974 - [fetchmail] problem with self-signed certificates on pop.gmail.com

Attached to Project: Arch Linux
Opened by Peter Feigl (ecraven) - Wednesday, 05 December 2018, 14:21 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 05 December 2018, 14:35 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


fetchmail raises the following warning for pop.gmail.com:

fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the
certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

This seems to be connected to the openssl version, ubuntu and redhat have fixed this:

Could this patch be used on the arch fetchmail too?

Steps to reproduce:
run fetchmail against pop.gmail.com
This task depends upon

Closed by  Eli Schwartz (eschwartz)
Wednesday, 05 December 2018, 14:35 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#60038 
Comment by Eli Schwartz (eschwartz) - Wednesday, 05 December 2018, 14:35 GMT
That Fedora bug report is a case study in why Arch Linux policy is DO NOT DO DOWNSTREAM PATCHES.

See  FS#60038  (which this is a duplicate of) for more details. Note that after the reporter of  FS#60038  asked for clarification from the upstream fetchmail developer, said developer took the time to visit both bugtrackers and demand that that patch not be used (and inform Fedora to back out the patch in their package).

There was a real fix in upstream git master for like a year before that, too.