clone 907049 -1
reassign -1 offlineimap
severity -1 serious
retitle -1 offlineimap: Not using SNI

On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> Package: openssl
> Version: 1.1.1~~pre9-1
> Severity: critical
> Justification: renders other packages unusable
> Hi,
> I have got openssl 1.1.1~~pre9-1 as it has landed in sid. After upgrading,
> certain applications are not able to establish a connection.
> Example of offlineimap:
> ERROR: Unknown SSL protocol connecting to host '' for 
> repository 'showmax-remote'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

This is most likely caused by offlineimap not using SNI and
google sending an invalid certificate in case you use TLS 1.3 without SNI. I'm
cloning this bug for that issue.

> Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL 
> routines:ssl_choose_client_version:version too low
> Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read 
> error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed
> I went through the changelogs, but did not see anything that would help me
> in debugging the issue. Interestingly, s_client and curl are able to
> establish a connection even with the new version. Maybe that can be related
> to a different default cipher_set?

This is most likely caused by this in /etc/ssl/openssl.cnf:
MinProtocol = TLSv1.2

Does openvpn use DTLS? I'm guessing that setting any TLS setting
there is causing problems for anything using DTLS.

Can you try with:
MinProtocol = TLSv1

And with:
#MinProtocol = TLSv1.2

I assume the first will still fail, and the latter one will work.
And I'm currently unsure what to do about that, but there are
multiple options.
