Bug#907063: marked as done (fetchmail: sslcertck fails with GMAIL)

Tue, 05 Feb 2019 01:57:37 -0800 

Your message dated Tue, 5 Feb 2019 10:54:27 +0100
with message-id <[email protected]>
and subject line Re: Bug#907063: fetchmail: sslcertck fails with GMAIL
has caused the Debian Bug report #907063,
regarding fetchmail: sslcertck fails with GMAIL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
907063: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907063
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: fetchmail
Version: 6.3.26-3
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

When using sslcertck with a GMAIL server, the check fails since GMAIL now
requires a Server Name Indication (SNI). This is fixed in Experimental
(6.4.0~beta4-1) but you may want to include it in Sid (6.3.26-3) due to the
wide impact.

The following worked for me as a temporary fix:

- --- a/socket.c
+++ b/socket.c
@@ -1041,6 +1041,8 @@
                SSL_use_RSAPrivateKey_file(_ssl_context[sock], mykey,
SSL_FILETYPE_PEM);
        }

+       SSL_set_tlsext_host_name(_ssl_context[sock],servercname);
+
        if (SSL_set_fd(_ssl_context[sock], sock) == 0
            || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) {
                int e = errno;



- -- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 
'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fetchmail depends on:
ii  adduser           3.117
ii  debianutils       4.8.6
ii  libc6             2.27-5
ii  libcom-err2       1.44.4-1
ii  libgssapi-krb5-2  1.16-2
ii  libk5crypto3      1.16-2
ii  libkrb5-3         1.16-2
ii  libssl1.1         1.1.1~~pre9-1
ii  lsb-base          9.20170808

Versions of packages fetchmail recommends:
ii  ca-certificates  20180409

Versions of packages fetchmail suggests:
ii  exim4-daemon-heavy [mail-transport-agent]  4.91-6
pn  fetchmailconf                              <none>
ii  resolvconf                                 1.79

- -- Configuration Files:
/etc/logcheck/ignore.d.server/fetchmail [Errno 13] Permission denied: 
'/etc/logcheck/ignore.d.server/fetchmail'
/etc/logcheck/ignore.d.workstation/fetchmail [Errno 13] Permission denied: 
'/etc/logcheck/ignore.d.workstation/fetchmail'

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEOexxovf7Ie4VsjV8e6VjMYfM+fsFAlt+4jMTHHdocmF2ZW4y
QGdtYWlsLmNvbQAKCRB7pWMxh8z5+xqBEAC6LIv4IQGKVOFJxxFjzt++QrF6sU5j
WrFMobrN5Iv0lwAhHRki3JiLDb5m2I9Bzo1K1ECOakn3QBMCsxf3MTy+98qFgkJb
WSyA/TpOFP8a1hpXGlgLd6cKQFr5GzSFC6GylXqa5PVHcsHZpx5OjfbaTymoo6jf
v+iVbxp/cJyIJjxkUWy+yR1Dff6kWYIJ0AfI5k38uVEJggjITcoEbRSo7qWypBzp
DfS4IYxsoytWbR4165C/lDl6yU+O/zKYeRhY9g6KrMM7X4C4j+Mb5lApYAS31WWi
Vri4x6Y76VYuSPf7sN86xq7ylM/r3VS12ZQSdC06QAG9QbAiQMti/24GZ0CK9PMS
ZIZUVzCCnmxUUvtXpPbcJ57QttKypXjX7158qEV0aZzZ9pOg6f/J7j/i1iCgcKnJ
kEo5lpuWncUIIKVo1RaAS29UMmXlaSkYxPmx63UMm+ggizti5N1lC8NSZm7Lq6DO
1ytXgN69y14dEfLmSWbV3YnWJlOYOD50e4T/8fIGU5rkvBQuBgQ4pk2mH639t4iZ
AY4ABO4lrliW5FZpnyCCNuidINyCIm4fEQr5RyJhTtFfdDagfWam8qVg06LKsUeZ
igM8mpRL0fkfTN7E0/UZrhMZeOrpuR9PFcmfTCo4agwZT0mrNLxVNoO+VW4ehSzR
d+Tpg2eS/oggug==
=VJM7
-----END PGP SIGNATURE-----

--- a/socket.c
+++ b/socket.c
@@ -1041,6 +1041,8 @@
                SSL_use_RSAPrivateKey_file(_ssl_context[sock], mykey, 
SSL_FILETYPE_PEM);
        }
 
+       SSL_set_tlsext_host_name(_ssl_context[sock],servercname);
+
        if (SSL_set_fd(_ssl_context[sock], sock) == 0 
            || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) {
                int e = errno;

--- End Message ---
--- Begin Message --- 
Version: 6.4.0~beta4-1

* Rich Pinkall Pollei <[email protected]>, 2018-08-23, 11:35:
When using sslcertck with a GMAIL server, the check fails since GMAIL now requires a Server Name Indication (SNI). This is fixed in Experimental (6.4.0~beta4-1) 

6.4.0~beta4 has been uploaded to unstable.

--
Jakub Wilk

--- End Message ---

Reply via email to