Hi Oswald, thank you for the explanation and for the hints about how to deal with the problem. I followed your propositions, the workaround you proposed seems to be working; this is what I found (just in case it is of any interest for you)
1) checked with ldd --> same libssl version (libssl.so.1.1 at the same location in the systems file structure) 2) straced mbsync and openssl s_client -connect --> it seems to me that both programs try to call the same local cert data without finding anything (the two certificate both programs look for in /etc/ssl/certs/ don't exist). Connection is established but mbsync does not continue with the certificate chain whereas openssl does. I can't quite figure out why due to lack of technical understanding on my side. Here's the full strace output from mbsync: http://dock.in-berlin.de/paste/mbsync.strace from openssl s_client -connect: http://dock.in-berlin.de/paste/openssl.strace and a diff from these two straces: http://dock.in-berlin.de/paste/diff.mbsync.openssl.strace 3a) fetched the certificate --> the get-cert-script has the port hard-coded but worked fine after I changed this (993 -> 996). 3b) put the certificate into the CertificateFile option to bypass the certificate chain --> It seems that the secure connection is now established. However, syncing fails because the server doesn't accept username/password. I think that this problem is probably not mbsync related, since I also cannot login directly via s_client (same error message). The error message reads: IMAP command 'AUTHENTICATE PLAIN <authdata>' returned an error: NO incorrect password or account name I am following up on this new problem with the server administration people. (If you can see what's going on from the error message, any hints will be appreciated greatly, though.) Thanks, Claus-Michael On Thu, Dec 08, 2016 at 10:24:14AM +0100, Oswald Buddenhagen wrote: > On Wed, Dec 07, 2016 at 12:11:35PM +0100, Claus-Michael Schlesinger wrote: > > SSL error connecting mbox.uni-stuttgart.de (129.69.1.9:996): unable to get > > local issuer certificate > > > > Connecting with openssl s_client still works fine. > > > this suggests that mbsync is for some reason using different defaults > than openssl. > are you sure that both link to the same libssl version? verify with ldd. > other than that, you can use ltrace/strace to find out where the > programs are looking for the CA certificate store. > > to work around the issue, you can use get-cert to fetch the proxy's > certificate and put it into the CertificateFile option. this bypasses > the certificate chain verification on mbsync's side. > > ------------------------------------------------------------------------------ > Developer Access Program for Intel Xeon Phi Processors > Access to Intel Xeon Phi processor-based developer platforms. > With one year of Intel Parallel Studio XE. > Training and support from Colfax. > Order your platform today.http://sdm.link/xeonphi > _______________________________________________ > isync-devel mailing list > isync-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/isync-devel ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today.http://sdm.link/xeonphi _______________________________________________ isync-devel mailing list isync-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/isync-devel
