clone 907049 -1
reassign -1 offlineimap
severity -1 serious
retitle -1 offlineimap: Not using SNI
thanks
On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> Package: openssl
> Version: 1.1.1~~pre9-1
> Severity: critical
> Justification: renders other packages unusable
>
> Hi,
>
> I have got openssl 1.1.1~~pre9-1 as it landed in sid. After upgrading,
> certain applications are not able to establish a connection.
>
> Example of offlineimap:
>
> ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for
> repository 'showmax-remote'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

This is most likely caused by offlineimap not using SNI and google
sending an invalid in case you use TLS 1.3 without SNI. I'm cloning this
bug issue for that.

> Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL
> routines:ssl_choose_client_version:version too low
> Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read
> error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed
>
> I went through changelogs, but did not see anything that would help me
> in debugging the issue. Interestingly, s_client and curl are able to
> establish a connection even with the new version. Maybe that can be
> related to a different default cipher_set?

This is most likely caused by this in /etc/ssl/openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Does openvpn use DTLS? I'm guessing that setting any TLS setting there
is causing problems for anything using DTLS.

Can you try with:

MinProtocol = TLSv1

And with:

#MinProtocol = TLSv1.2

I assume the first will still fail, and the latter one will work.

And I'm currently unsure what to do about that, but there are multiple
options.

Kurt
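The diagnosis above hinges on two things that are hard to see from an application's error message: whether the client actually puts a server_name (SNI) extension into its ClientHello, and which protocol versions it offers (the part that a system-wide MinProtocol influences). The following script is an added example for this report, not code from offlineimap, openssl or the reporter: it drives Python's ssl module through a memory BIO so that the first handshake flight is captured without any network access, then parses the ClientHello to report the SNI name and the supported_versions list. The hostname imap.gmail.com is taken from the report; the parser and its helper names are this example's own. It shows, offline, the difference between a client that passes a hostname to the TLS layer and one that does not, which is exactly what separates a working client from one that never sends SNI.

```python
import ssl

# TLS extension type numbers (RFC 6066 server_name, RFC 8446 supported_versions).
SNI_EXT = 0
SUPPORTED_VERSIONS_EXT = 43

# Exposed so a test can know whether the local OpenSSL can offer TLS 1.3 at all.
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def capture_client_hello(server_hostname=None, minimum_version=None):
    """Return the raw bytes of the ClientHello a client context would send.

    No socket is involved: the handshake runs against memory BIOs and is
    abandoned as soon as the first flight has been written, so this works
    offline.  server_hostname=None mimics an application that never tells
    the TLS layer which host it is talking to (and therefore sends no SNI).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Verification is irrelevant here: we never receive a certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if minimum_version is not None:
        ctx.minimum_version = minimum_version   # analogous to MinProtocol in openssl.cnf
    incoming = ssl.MemoryBIO()
    outgoing = ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for a ServerHello
    return outgoing.read()


def parse_client_hello(data):
    """Parse a single-record ClientHello and return {extension_type: body}."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if data[5] != 0x01:
        raise ValueError("not a ClientHello message")
    pos = 5 + 4                       # record header (5) + handshake header (4)
    pos += 2 + 32                     # legacy_version + random
    pos += 1 + data[pos]              # legacy_session_id
    pos += 2 + int.from_bytes(data[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + data[pos]              # legacy_compression_methods
    ext_total = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_total
    extensions = {}
    while pos < end:
        etype = int.from_bytes(data[pos:pos + 2], "big")
        elen = int.from_bytes(data[pos + 2:pos + 4], "big")
        extensions[etype] = data[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return extensions


def sni_hostname(extensions):
    """Return the host_name carried in the server_name extension, or None."""
    body = extensions.get(SNI_EXT)
    if body is None:
        return None
    # server_name_list: 2-byte list length, then (1-byte name_type, 2-byte length, name)
    name_len = int.from_bytes(body[3:5], "big")
    return body[5:5 + name_len].decode("ascii")


def offered_versions(extensions):
    """Return the protocol versions listed in supported_versions (e.g. 0x0304 = TLS 1.3)."""
    body = extensions.get(SUPPORTED_VERSIONS_EXT)
    if body is None:
        return []   # pre-TLS 1.3 client: only the legacy_version field is used
    n = body[0]
    return [int.from_bytes(body[1 + i:3 + i], "big") for i in range(0, n, 2)]


if __name__ == "__main__":
    for host in ("imap.gmail.com", None):
        exts = parse_client_hello(capture_client_hello(host))
        print(f"server_hostname={host!r}: SNI={sni_hostname(exts)!r}, "
              f"supported_versions={[hex(v) for v in offered_versions(exts)]}")
```

Running it prints one line per case: with a hostname the ClientHello carries `SNI='imap.gmail.com'`, without one it carries `SNI=None`, and on an OpenSSL build with TLS 1.3 the version list includes 0x0304 either way. That second case is the shape of the failure reported here: a TLS 1.3 handshake is offered but the server is given no name to select a certificate by. Passing `minimum_version=ssl.TLSVersion.TLSv1_3` narrows the offered list in the same way a raised MinProtocol would, which is a convenient way to reproduce a "version too low" class of failure without editing /etc/ssl/openssl.cnf.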