Package: fetchmail
Version: 6.3.26-3
Severity: important
Tags: patch

When using sslcertck with a GMAIL server, the check fails since GMAIL now requires a Server Name Indication (SNI). This is fixed in Experimental (6.4.0~beta4-1) but you may want to include it in Sid (6.3.26-3) due to the wide impact. The following worked for me as a temporary fix: - --- a/socket.c +++ b/socket.c 
@@ -1041,6 +1041,8 @@ SSL_use_RSAPrivateKey_file(_ssl_context[sock], mykey, SSL_FILETYPE_PEM); } + SSL_set_tlsext_host_name(_ssl_context[sock],servercname); + if (SSL_set_fd(_ssl_context[sock], sock) == 0 || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { int e = errno;

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fetchmail depends on:
ii  adduser           3.117
ii  debianutils       4.8.6
ii  libc6             2.27-5
ii  libcom-err2       1.44.4-1
ii  libgssapi-krb5-2  1.16-2
ii  libk5crypto3      1.16-2
ii  libkrb5-3         1.16-2
ii  libssl1.1         1.1.1~~pre9-1
ii  lsb-base          9.20170808

Versions of packages fetchmail recommends:
ii  ca-certificates  20180409

Versions of packages fetchmail suggests:
ii  exim4-daemon-heavy [mail-transport-agent]  4.91-6
pn  fetchmailconf                              <none>
ii  resolvconf                                 1.79

-- Configuration Files:
/etc/logcheck/ignore.d.server/fetchmail [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/fetchmail'
/etc/logcheck/ignore.d.workstation/fetchmail [Errno 13] Permission denied: '/etc/logcheck/ignore.d.workstation/fetchmail'

-- no debconf information

--- a/socket.c +++ b/socket.c @@ -1041,6 +1041,8 @@ SSL_use_RSAPrivateKey_file(_ssl_context[sock], mykey, SSL_FILETYPE_PEM); } + SSL_set_tlsext_host_name(_ssl_context[sock],servercname); + if (SSL_set_fd(_ssl_context[sock], sock) == 0 || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { int e = errno;
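
Review bot: the return value of SSL_set_tlsext_host_name() on the added line is ignored, so a failure to set the SNI name goes unnoticed and the handshake proceeds without it, which is the case the report says makes the certificate check fail. The call returns 1 on success and 0 on error; check it and report the failure before reaching SSL_connect(). The call is also unconditional: RFC 6066 does not permit IP address literals as the SNI host name, so if servercname can be NULL or a numeric address at this point, guard the call accordingly. Style: add a space after the comma in `_ssl_context[sock],servercname` to match the surrounding calls.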