Bug#416369: uw-imapd: SSL detection not working with IPv6
On Thu, Jul 31, 2008 at 05:32:58PM +0100, Nick Burch wrote:
> On Thu, 31 Jul 2008, Jonas Smedegaard wrote:
>> Oh, and another thing: If /etc/c-client.cf exists on your server host,
>> please post the content of that file.
>
> [EMAIL PROTECTED]:~# cat /etc/c-client.cf
> I accept the risk
> set mail-subdirectory mail

Thanks.

I'll get back to you (in a loong while - and if not please ping me!)

 - Jonas

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
Bug#416369: uw-imapd: SSL detection not working with IPv6
On Thu, Jul 31, 2008 at 04:18:35PM +0100, Nick Burch wrote:
> On Thu, 31 Jul 2008, Jonas Smedegaard wrote:
>> Could you please elaborate on your setup - also to allow others to
>> repeat a similar scenario?
>
> Sure. The simplest setup would be two machines, with both ipv4 and ipv6.
> uw-imapd running on one, ssl enabled and both ipv4 and ipv6 working.

[snip]

Thanks for the detailed test - even I should be able to replicate that :-D

Oh, and another thing: If /etc/c-client.cf exists on your server host,
please post the content of that file.

I am quite busy with other work (packaging CipUX[1] for Debian as
contract work for use in German schools) so can't/won't look into this
currently. Please ping me if you feel I am gone for too long.

Kind regards, and thanks for help with this!

[1] http://wiki.debian.org/CipUX

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
Bug#416369: uw-imapd: SSL detection not working with IPv6
On Thu, 31 Jul 2008, Jonas Smedegaard wrote:
> Oh, and another thing: If /etc/c-client.cf exists on your server host,
> please post the content of that file.

[EMAIL PROTECTED]:~# cat /etc/c-client.cf
I accept the risk
set mail-subdirectory mail

Nick
Bug#416369: uw-imapd: SSL detection not working with IPv6
On Thu, 31 Jul 2008, Jonas Smedegaard wrote:
> No patch was applied, IIRC.
>
> Possibly stupid question: Are you certain you are not connecting through
> some tunneling, so that uw-imap sees your connection as coming from
> localhost? UW imap considers connections from localhost as unneeded to
> encrypt.
>
> In other words: Could you please elaborate on your setup - also to allow
> others to repeat a similar scenario?

Sure. The simplest setup would be two machines, with both ipv4 and ipv6.
uw-imapd running on one, ssl enabled and both ipv4 and ipv6 working.
netstat will report something like:

  tcp        0      0 0.0.0.0:143      0.0.0.0:*      LISTEN
  tcp6       0      0 :::143           :::*           LISTEN
  tcp        0      0 0.0.0.0:993      0.0.0.0:*      LISTEN
  tcp6       0      0 :::993           :::*           LISTEN

From machine two, telnet to machine one on port 993. The connection should
be accepted, but nothing sent no matter which way you connect (ipv4 or
ipv6). What you see is nothing sent on ipv4, and a clear text greeting on
ipv6

  [EMAIL PROTECTED] ~]$ telnet 2001:8b0:c5:1::20 993
  Trying 2001:8b0:c5:1::20...
  Connected to fluffy.internal.torchbox.com (2001:8b0:c5:1::20).
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] [NON-IPv4] IMAP4rev1 2007.398 at Thu, 31 Jul 2008 16:07:38 +0100 (BST)
  ^]
  telnet> quit
  Connection closed.

  [EMAIL PROTECTED] ~]$ telnet 192.168.1.20 993
  Trying 192.168.1.20...
  Connected to fluffy.internal.torchbox.com (192.168.1.20).
  Escape character is '^]'.
  ^]
  telnet> quit
  Connection closed.

Now try again with an ipv6 enabled version of openssl s_client:

  [EMAIL PROTECTED] ~]$ openssl s_client -host 2001:8b0:c5:1::20 -port 993 -quiet
  28821:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

  [EMAIL PROTECTED] ~]$ openssl s_client -host 192.168.1.20 -port 993 -quiet
  depth=0 /C=UK/ST=Oxfordshire/L=Oxford/O=Torchbox/OU=Servers/CN=fluffy.internal.torchbox.com/[EMAIL PROTECTED]
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 /C=UK/ST=Oxfordshire/L=Oxford/O=Torchbox/OU=Servers/CN=fluffy.internal.torchbox.com/[EMAIL PROTECTED]
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 /C=UK/ST=Oxfordshire/L=Oxford/O=Torchbox/OU=Servers/CN=fluffy.internal.torchbox.com/[EMAIL PROTECTED]
  verify error:num=21:unable to verify the first certificate
  verify return:1
  * OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN] fluffy.internal.torchbox.com IMAP4rev1 2007.398 at Thu, 31 Jul 2008 16:15:09
  +0100 (BST)

This shows that uw-imapd is responding in the clear for connections to
port 993 over ipv6, but currently encrypted on port 993 over ipv4

Nick
Bug#416369: uw-imapd: SSL detection not working with IPv6
On Thu, Jul 31, 2008 at 03:48:17PM +0100, Nick Burch wrote:
> On Wed, 28 Mar 2007, Nick Burch wrote:
>> On Tue, 27 Mar 2007, Jonas Smedegaard wrote:
>>> Please try the package available here:
>>> http://debian.jones.dk/auryn/pool-experimental/uw-imap/
>>
>> OK, using 2006f.dfsg-1, the problem is fixed. (i.e. ipv6 ssl connections
>> are properly treated as ssl, and not answered in the clear)
>
> Unfortunately, it looks like this bug is back again :(
>
> I'm on testing, so libc-client2007 7:2007~dfsg-1, and uw-imapd
> 7:2007~dfsg-1. ipv4 connections to port 993 are still working as ssl, but
> ipv6 ones are back to responding in the clear.
>
> Any chance the magic patch from the 2006 versions could be re-applied to
> the new 2007 ones? :)

No patch was applied, IIRC.

Possibly stupid question: Are you certain you are not connecting through
some tunneling, so that uw-imap sees your connection as coming from
localhost? UW imap considers connections from localhost as unneeded to
encrypt.

In other words: Could you please elaborate on your setup - also to allow
others to repeat a similar scenario?

Kind regards,

 - Jonas

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
Bug#416369: uw-imapd: SSL detection not working with IPv6
On Wed, 28 Mar 2007, Nick Burch wrote:
> On Tue, 27 Mar 2007, Jonas Smedegaard wrote:
>> Please try the package available here:
>> http://debian.jones.dk/auryn/pool-experimental/uw-imap/
>
> OK, using 2006f.dfsg-1, the problem is fixed. (i.e. ipv6 ssl connections
> are properly treated as ssl, and not answered in the clear)

Unfortunately, it looks like this bug is back again :(

I'm on testing, so libc-client2007 7:2007~dfsg-1, and uw-imapd
7:2007~dfsg-1. ipv4 connections to port 993 are still working as ssl, but
ipv6 ones are back to responding in the clear.

Any chance the magic patch from the 2006 versions could be re-applied to
the new 2007 ones? :)

Nick
Bug#416369: uw-imapd: SSL detection not working with IPv6
Nick Burch wrote:
> On Tue, 27 Mar 2007, Jonas Smedegaard wrote:
>> Please try the package available here:
>> http://debian.jones.dk/auryn/pool-experimental/uw-imap/
>
> OK, using 2006f.dfsg-1, the problem is fixed. (i.e. ipv6 ssl connections
> are properly treated as ssl, and not answered in the clear)
>
> Thanks

Well, thank _you_ for patiently testing this :-)

 - Jonas

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
Bug#416369: uw-imapd: SSL detection not working with IPv6
On Tue, 27 Mar 2007, Jonas Smedegaard wrote:
> Please try the package available here:
> http://debian.jones.dk/auryn/pool-experimental/uw-imap/

OK, using 2006f.dfsg-1, the problem is fixed. (i.e. ipv6 ssl connections
are properly treated as ssl, and not answered in the clear)

Thanks
Nick
Bug#416369: uw-imapd: SSL detection not working with IPv6
Nick Burch wrote:
> On Tue, 27 Mar 2007, Jonas Smedegaard wrote:
>> Thanks for the detailed report.
>>
>> Could I ask you to please test the package in experimental too?
>
> I've just tried re-building the experimental version. However,
> libc-client2006b.dfsg-1 and libc-client2006b.dfsg-1-dev both seem to
> have the same contents (buildinfo, copyright, NEWS.Debian and
> changelog.Debian), neither has libc-client.so.2006d . So, without that,
> I can't run the new uw-imapd to test :(

Ah - sorry: I wrongly uploaded my latest build not to experimental but
to unstable (from where it seemingly was silently rejected).

Please try the package available here:
http://debian.jones.dk/auryn/pool-experimental/uw-imap/

Kind regards,

 - Jonas

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
Bug#416369: uw-imapd: SSL detection not working with IPv6
On Tue, 27 Mar 2007, Jonas Smedegaard wrote:
> Thanks for the detailed report.
>
> Could I ask you to please test the package in experimental too?

I've just tried re-building the experimental version. However,
libc-client2006b.dfsg-1 and libc-client2006b.dfsg-1-dev both seem to
have the same contents (buildinfo, copyright, NEWS.Debian and
changelog.Debian), neither has libc-client.so.2006d . So, without that,
I can't run the new uw-imapd to test :(

Nick
Bug#416369: uw-imapd: SSL detection not working with IPv6
nick wrote:
> With uw imapd (and ipop3d), you don't need to do anything special for
> SSL support. You just have to have inetd listen on the SSL ports, and
> start imapd in the usual manner.
>
> With ipv4, this works just fine:

> However, if you enabled ipv6 in inetd (eg proto tcp46), then it doesn't
> detect that the ipv6 connect was SSL:

Thanks for the detailed report.

Could I ask you to please test the package in experimental too?

Kind regards,

 - Jonas

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
Bug#416369: uw-imapd: SSL detection not working with IPv6
Package: uw-imapd
Version: 7:2002edebian1-13.1
Severity: important

With uw imapd (and ipop3d), you don't need to do anything special for
SSL support. You just have to have inetd listen on the SSL ports, and
start imapd in the usual manner.

With ipv4, this works just fine:

  # telnet -4 fluffy 143
  Trying 192.168.1.20...
  Connected to fluffy.internal.torchbox.com.
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED]
  * fluffy.internal.torchbox.com IMAP4rev1 2003.339 at Tue, 27 Mar 2007
  * 11:01:59 +0100 (BST)

  # telnet -4 fluffy 993
  Trying 192.168.1.20...
  Connected to fluffy.internal.torchbox.com.
  Escape character is '^]'.
  (Don't expect any response, is SSL)

However, if you enabled ipv6 in inetd (eg proto tcp46), then it doesn't
detect that the ipv6 connect was SSL:

  # telnet -6 fluffy 143
  Trying 2001:8b0:c5:1::20...
  Connected to fluffy.torchbox.com.
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED]
  * fluffy.internal.torchbox.com IMAP4rev1 2003.339 at Tue, 27 Mar 2007
  * 11:07:10 +0100 (BST)

  # telnet -6 fluffy 993
  Trying 2001:8b0:c5:1::20...
  Connected to fluffy.torchbox.com.
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED]
  * fluffy.internal.torchbox.com IMAP4rev1 2003.339 at Tue, 27 Mar 2007
  * 11:01:59 +0100 (BST)

(Notice how when connecting to port 993 over ipv6 it responds with the
clear text IMAP welcome, rather than waiting for SSL negotiation, as it
does with ipv4)

I've tried with the version from stable, and from unstable (rebuilt), and
both show the same bug.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages uw-imapd depends on:
ii  debconf [debconf  1.4.30.13                Debian configuration management sy
ii  libc-client2002e  7:2002edebian1-11sarge1  UW c-client library for mail proto
ii  libc6             2.3.2.ds1-22sarge5       GNU C Library: Shared libraries an
ii  libcomerr2        1.37-2sarge1             common error description library
ii  libkrb53          1.3.6-2sarge3            MIT Kerberos runtime libraries
ii  libpam-runtime    0.76-22                  Runtime support for the PAM librar
ii  libpam0g          0.76-22                  Pluggable Authentication Modules l
ii  libssl0.9.7       0.9.7e-3sarge4           SSL shared libraries
ii  netbase           4.21                     Basic TCP/IP networking system
ii  openssl           0.9.7e-3sarge4           Secure Socket Layer (SSL) binary a

-- debconf information:
* uw-imapd/force_debconf_choice: false
* uw-imapd/protocol: imap2, imaps
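
Added example (not part of the original thread, and not code from the uw-imap package): the manual telnet check from the report above, automated as a regression check that connects to port 993 over each address family, sends nothing, and flags any family that answers with a cleartext IMAP greeting instead of waiting for the TLS handshake. The function names and result labels are chosen here for illustration; the hostname is supplied by the operator.

```python
import socket
import sys

FAMILIES = {"ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}

def classify_first_bytes(data):
    """Classify bytes an implicit-TLS port sent before the client said anything."""
    if not data:
        return "closed"              # peer closed without sending anything
    if data.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "cleartext-imap"      # IMAP greeting in the clear: the bug in this report
    return "other"

def probe(host, port, family, wait=3.0):
    """Connect over one address family, send nothing, classify what arrives."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "no-address"          # host has no address in this family
    for af, kind, proto, _name, addr in infos:
        try:
            with socket.socket(af, kind, proto) as s:
                s.settimeout(wait)
                s.connect(addr)
                try:
                    data = s.recv(512)
                except socket.timeout:
                    return "silent"  # expected: server waits for the TLS ClientHello
                return classify_first_bytes(data)
        except OSError:
            continue                 # refused or unreachable: try the next address
    return "unreachable"

def check_host(host, port=993, wait=3.0):
    """Probe both families; return (results, families answering in the clear)."""
    results = {name: probe(host, port, fam, wait) for name, fam in FAMILIES.items()}
    exposed = sorted(n for n, r in results.items() if r == "cleartext-imap")
    return results, exposed

if __name__ == "__main__" and len(sys.argv) > 1:
    results, exposed = check_host(sys.argv[1])   # hostname supplied by the operator
    for name, result in results.items():
        print(f"{name}: {result}")
    sys.exit(1 if exposed else 0)
```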