** Description changed:

  [Impact]

   * OpenSSL 1.1.1 performs SNI hostname verification, therefore hostname SSL context option must be set when establishing the connection, otherwise, validation of SNI certificates fail and thus resulting in lack of connectivity.

  [Test Case]

   * use isync to connect to an SNI tls protected host, e.g. imap.gmail.com

  [Regression Potential]

   * change is compatible with openssl versions shipped in bionic/cosmic-release
   * change is from upstream / tested in debian & disco
   * change improves security, and is compatible with deployed servers out there
   * hosts with certificates not matching their actual hostname will remain invalid/untrusted

+ [Additional info]
+ To install python & openssl 1.1.1 on Bionic you may enable and use the below silo, which will then exhibit the enforcement of SNI hostname verification.
+
+ sudo add-apt-repository ppa:ci-train-ppa-service/3473
+ sudo apt-get update
+
  [Other Info]

   * original bug report

  Hi,

  I just upgraded to cosmic and have hit the issue described in debian bug #9065955 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906955 - mbsync won't connect to e.g. gmail because of SSL errors.

  I downloaded 1.3.0-2 from Debian and it works. Would it be possible to backport the fix to Cosmic please? Bionic is unaffected.

  Regards,
  Daniel

https://bugs.launchpad.net/bugs/1812667

Title:
  Can't verify some ssl certificates (e.g. imap.gmail.com)