For some clarification: this is due to the upgrade to openssl 1.1.1 in
bionic-upgrades, which includes TLSv1.3 support. This leads to
connections being negotiated as TLSv1.3, and Google's IMAP servers
reject the connection (by returning an invalid certificate with a
message) if the attempt is not using SNI.
Here is a simple way to reproduce this, without a PHP script or
anything:
$ apt-get install uw-mailutils
$ mailutil check "{imap.googlemail.com:993/imap/ssl}INBOX"
This will work if the OpenSSL 1.1.0 library is installed, but fail if
1.1.1 is there:
root@e6e4f3531a65:/app# mailutil check "{imap.googlemail.com:993/imap/ssl}INBOX"
Certificate failure for imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Certificate failure for imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
root@e6e4f3531a65:/app# openssl version
OpenSSL 1.1.0g 2 Nov 2017 (Library: OpenSSL 1.1.1 11 Sep 2018)
--
https://bugs.launchpad.net/bugs/1834340
Title:
Possible regression on libssl upgrade when using TLSv1.3