isync does not provide SNI when using SSL

Bug #1796779 reported by Eduardo Bustamante on 2018-10-09
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
isync (Ubuntu)
Undecided
Unassigned

Bug Description

imap.gmail.com returns an invalid certificate (OU = "No SNI provided; please fix your client.", CN = invalid2.invalid) when no SNI is provided.

This was patched in the 1.3 upstream branch (https://sourceforge.net/p/isync/isync/merge-requests/2/, https://sourceforge.net/p/isync/isync/ci/17babc1695e82ca80d032b79e920fcb86ede2347/) and is also present in Debian's build of isync (1.3.0-2), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906955

Eduardo Bustamante (dualbus) wrote :
Download full text (4.5 KiB)

This is the certificate returned by gmail:

dualbus@ubuntu:~$ openssl x509 -in invalid.der -inform DER -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            90:76:89:18:e9:33:93:a0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = "No SNI provided; please fix your client.", CN = invalid2.invalid
        Validity
            Not Before: Jan 1 00:00:00 2015 GMT
            Not After : Jan 1 00:00:00 2030 GMT
        Subject: OU = "No SNI provided; please fix your client.", CN = invalid2.invalid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cd:62:4f:e5:c3:13:84:98:0c:05:e4:ef:44:a2:
                    a5:ec:de:99:71:90:1b:28:35:40:b4:d0:4d:9d:18:
                    48:81:28:ad:5f:10:b3:2a:db:7d:ae:9d:91:1e:42:
                    e7:ef:aa:19:8d:d3:4e:db:91:0f:a7:e4:20:32:25:
                    94:fe:b9:24:07:4d:18:d7:c3:9a:87:0e:5f:8b:cb:
                    3e:2b:d7:51:bf:a8:be:81:23:a2:bf:68:e5:21:e5:
                    bf:4b:48:4e:b3:05:14:0c:7d:09:5c:59:04:3c:a2:
                    0b:ce:99:79:30:be:f0:76:9e:64:b7:dd:ef:1f:16:
                    bb:1e:cc:0e:b4:0c:44:cf:65:ad:c4:c7:5e:ce:6f:
                    f7:0a:03:b7:b2:5b:36:d3:09:77:5b:4d:e2:23:e9:
                    02:b7:b1:f2:be:11:b2:d9:a4:4f:2e:12:5f:78:00:
                    69:42:bd:14:92:ed:ea:ea:6b:68:9b:2d:9c:80:56:
                    b0:7a:43:7f:5f:f6:87:f0:a9:27:5f:bf:7d:30:f7:
                    2e:5a:eb:4c:da:af:3c:9a:d5:04:06:cb:99:9b:2d:
                    a7:b2:32:bd:27:bf:f2:86:10:91:0f:33:95:ff:26:
                    3c:73:9f:a5:fe:ef:eb:5a:ec:30:91:9d:a5:83:31:
                    a9:e3:10:41:7e:15:dd:af:af:a6:f6:49:b0:58:25:
                    26:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                BB:0F:38:96:6F:3E:BE:4F:2B:46:D0:41:6A:D4:AC:B5
    Signature Algorithm: sha256WithRSAEncryption
         b9:d9:e2:54:5c:f5:61:ed:69:f3:b8:63:ed:03:5a:9e:2a:81:
         27:5a:1b:28:33:4b:fc:2d:71:13:fe:4b:65:7e:1c:53:82:79:
         80:e6:79:9f:6a:b3:45:a9:36:5a:ed:c9:e0:4a:cc:11:fc:84:
         eb:7d:cb:c6:94:6d:90:70:d8:cd:45:d8:c8:b6:dd:0f:9d:84:
         01:14:7d:00:8e:29:b2:13:b6:e9:c1:b9:57:c3:4d:36:c0:1d:
         4b:8d:97:f7:b2:af:bf:2f:f0:48:22:d7:7d:f3:ef:35:60:c9:
         d5:46:d4:a0:34:00:e4:82:07:e0:7a:e6:09:5b:a7:1f:b1:30:
         2a:60:64:bb:b1:f5:31:f2:77:08:37:b4:fa:3f:2d:f6:1b:44:
         2a:1f:f8:c6:fc:23:76:42:63:d3:ba:15:f6:46:8e:ec:49:9f:
         ed:2e:c7:74:83:a2:b6:b7:35:7f:c5:98:9f:a2:91:30:93:b0:
         cb:48:15:68:47:de:1a:32:60:06:a6:38:eb:88:4e:93:d9:1c:
         3e:f2:3f:49:5f:6e:e9:dc:18:31:2a:01:0b:b6:61:66:d8:c5:
         18:b1:7e:ad:95:4b:18:2f:81:66:c5:72:69:20:04...

Read more...

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isync (Ubuntu):
status: New → Confirmed
Nick Anderson (nick-anders0n) wrote :

This looks to have been patched upstream: https://sourceforge.net/p/isync/isync/merge-requests/2/

Nick Anderson (nick-anders0n) wrote :

As a workaround, I just grabbed and installed the 1.3.0-2 package from sid https://packages.debian.org/sid/amd64/isync/download

and it works for me.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers