Ubuntu
ruby-defaults package

Ruby crashes on login to imap.gmail.com (ssl)

Bug #1809500 reported by Geir Isene on 2018-12-21

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	ruby-defaults (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

I do this:

ruby -r net/imap -e 'p Net::IMAP.new("imap.gmail.com", 993, ssl: true)'

...and get this:

Traceback (most recent call last):
5: from -e:1:in `<main>'
4: from -e:1:in `new'
3: from /usr/lib/ruby/2.5.0/net/imap.rb:1092:in `initialize'
2: from /usr/lib/ruby/2.5.0/net/imap.rb:1531:in `start_tls_session'
1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)

But this is not a certificate error, because when I do this:

openssl s_client -showcerts -connect imap.gmail.com -port 993

... certs verifies as fine

And when I do this in Python:

import imaplib
imap = imaplib.IMAP4_SSL('imap.gmail.com')
imap.login("myusername", "mypassword")

...it works just fine (reports success on login).

With Ruby I don't even get to login as the connection to imap.gmail.com fails.

I have been using a script to fetch my gmail to local imap server, and this script (https://github.com/isene/mailfetch/blob/master/mail_fetch.rb) has been running every minute since 10 years ago (more than 5 million times) across many Ubuntu releases without a hitch. It stopped working when I upgraded from 18.04 to 18.10 yesterday.

apt-cache policy ruby

ruby:
  Installed: 1:2.5.1
  Candidate: 1:2.5.1
  Version table:
*** 1:2.5.1 500
        500 http://no.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status

I first thought this was a certificate issue and tried updating ca-certificates, symlinking certs manually, etc. I have had help in debugging this over at irc/freenode/#ruby and one person running Suse could not reproduce it. But another running Ubuntu 18.10 was able to reproduce this.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-12-21:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ruby-defaults (Ubuntu):
status:	New → Confirmed

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-12-21:

Download full text (5.3 KiB)

GMail crashes:

ruby -r net/imap -e 'p Net::IMAP.new("imap.gmail.com", 993, ssl: true)'
Traceback (most recent call last):
5: from -e:1:in `<main>'
4: from -e:1:in `new'
3: from /usr/lib/ruby/2.5.0/net/imap.rb:1092:in `initialize'
2: from /usr/lib/ruby/2.5.0/net/imap.rb:1531:in `start_tls_session'
1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)

Canonical's imap server seems to work okay:
# ruby -r net/imap -e 'p Net::IMAP.new("mail.canonical.com", 993, ssl: true)'
#<Net::IMAP:0x000055fc83a42600 @mon_owner=nil, @mon_count=0, [...]

openssl itself to gmail seems fine:

# openssl s_client -verify 3 -CApath /etc/ssl/certs -connect imap.gmail.com:993
verify depth is 3
CONNECTED(00000006)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
i:C = US, O = Google Trust Services, CN = Google Internet Authority G3
1 s:C = US, O = Google Trust Services, CN = Google Internet Authority G3
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgIIZBW8UvGAR7IwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODEyMDQwOTMzMDBaFw0x
OTAyMjYwOTMzMDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRcw
FQYDVQQDDA5pbWFwLmdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANqp0f0L3OezTKrQM+F+HnIz9Y+qKh4/EujuB8LyKX9gDTk89cZEI+qj
mTFk/xKikUKuOEQp25gXrF87f9rdaMQHP1hYeCGsfbbE0zkuuavi30gzxHLChUUt
RzZUNzlFWh7sc8xYN48DEJRs6UrQ8oHMpNtZL6fCpmglmUDLKGmRqE8Kc3U1Raav
IN3jhGJi2aHOv7h1CJHjl5kLrl1k761IoZZGLPp9AuAj0jMTtRP7hcoUFQN4SYun
MA0Z4Lrh+pqzFKC+UsjAlsGtp4J+muaycdEIEDohexfPhwGuCpSRIcnXwO2dGy+F
wVZ2LA22CHahEvWJn7WnUPsL2vXU2RUCAwEAAaOCAUIwggE+MBMGA1UdJQQMMAoG
CCsGAQUFBwMBMBkGA1UdEQQSMBCCDmltYXAuZ21haWwuY29tMGgGCCsGAQUFBwEB
BFwwWjAtBggrBgEFBQcwAoYhaHR0cDovL3BraS5nb29nL2dzcjIvR1RTR0lBRzMu
Y3J0MCkGCCsGAQUFBzABhh1odHRwOi8vb2NzcC5wa2kuZ29vZy9HVFNHSUFHMzAd
BgNVHQ4EFgQUYTZ9bBKSaGfTadxQm9o+dBrShs4wDAYDVR0TAQH/BAIwADAfBgNV
HSMEGDAWgBR3wrhQmmd2drEtwobQg6B+pn66SzAhBgNVHSAEGjAYMAwGCisGAQQB
1nkCBQMwCAYGZ4EMAQICMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwucGtp
Lmdvb2cvR1RTR0lBRzMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCC9GrDJDR2Uy/a
QYNFFwl9RLnXTEdRvAzQcVuWWCrgjIgCYG9n9ItLTXd1/LOfE2P9jfIh2P+ZDjna
P8hn96fd2oByZyJU4uMT/gNHXbtEuXeLXo2NXfTn7bNNf8Q3dKuVPZYHt/95UFkz
8RYEFtGZ0I2YqahOmr9M5dTbnMTt/X+u4TVI+MBbBJTlzuH8yvfich5Shp38VMAQ
iYAOubVPnQKONnkzclAb98er5yJQt6H0J83GP/tLoAH1KC1WvQb3j2mJzDoSd9Mi
UryEnqJA7x/jLu/sdQow6FI+EqO1BfjyVvpdAF5CkBRSGoKRjPCFXF3PNzeUJBMn
8Dq0tFrV
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mounta...

GMail crashes:

ruby -r net/imap -e 'p Net::IMAP.new("imap.gmail.com", 993, ssl: true)'
Traceback (most recent call last):
	5: from -e:1:in `<main>'
	4: from -e:1:in `new'
	3: from /usr/lib/ruby/2.5.0/net/imap.rb:1092:in `initialize'
	2: from /usr/lib/ruby/2.5.0/net/imap.rb:1531:in `start_tls_session'
	1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)

Canonical's imap server seems to work okay:
# ruby -r net/imap -e 'p Net::IMAP.new("mail.canonical.com", 993, ssl: true)'
#<Net::IMAP:0x000055fc83a42600 @mon_owner=nil, @mon_count=0, [...]

openssl itself to gmail seems fine:

# openssl s_client -verify 3 -CApath /etc/ssl/certs -connect imap.gmail.com:993
verify depth is 3
CONNECTED(00000006)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
   i:C = US, O = Google Trust Services, CN = Google Internet Authority G3
 1 s:C = US, O = Google Trust Services, CN = Google Internet Authority G3
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgIIZBW8UvGAR7IwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODEyMDQwOTMzMDBaFw0x
OTAyMjYwOTMzMDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRcw
FQYDVQQDDA5pbWFwLmdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANqp0f0L3OezTKrQM+F+HnIz9Y+qKh4/EujuB8LyKX9gDTk89cZEI+qj
mTFk/xKikUKuOEQp25gXrF87f9rdaMQHP1hYeCGsfbbE0zkuuavi30gzxHLChUUt
RzZUNzlFWh7sc8xYN48DEJRs6UrQ8oHMpNtZL6fCpmglmUDLKGmRqE8Kc3U1Raav
IN3jhGJi2aHOv7h1CJHjl5kLrl1k761IoZZGLPp9AuAj0jMTtRP7hcoUFQN4SYun
MA0Z4Lrh+pqzFKC+UsjAlsGtp4J+muaycdEIEDohexfPhwGuCpSRIcnXwO2dGy+F
wVZ2LA22CHahEvWJn7WnUPsL2vXU2RUCAwEAAaOCAUIwggE+MBMGA1UdJQQMMAoG
CCsGAQUFBwMBMBkGA1UdEQQSMBCCDmltYXAuZ21haWwuY29tMGgGCCsGAQUFBwEB
BFwwWjAtBggrBgEFBQcwAoYhaHR0cDovL3BraS5nb29nL2dzcjIvR1RTR0lBRzMu
Y3J0MCkGCCsGAQUFBzABhh1odHRwOi8vb2NzcC5wa2kuZ29vZy9HVFNHSUFHMzAd
BgNVHQ4EFgQUYTZ9bBKSaGfTadxQm9o+dBrShs4wDAYDVR0TAQH/BAIwADAfBgNV
HSMEGDAWgBR3wrhQmmd2drEtwobQg6B+pn66SzAhBgNVHSAEGjAYMAwGCisGAQQB
1nkCBQMwCAYGZ4EMAQICMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwucGtp
Lmdvb2cvR1RTR0lBRzMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCC9GrDJDR2Uy/a
QYNFFwl9RLnXTEdRvAzQcVuWWCrgjIgCYG9n9ItLTXd1/LOfE2P9jfIh2P+ZDjna
P8hn96fd2oByZyJU4uMT/gNHXbtEuXeLXo2NXfTn7bNNf8Q3dKuVPZYHt/95UFkz
8RYEFtGZ0I2YqahOmr9M5dTbnMTt/X+u4TVI+MBbBJTlzuH8yvfich5Shp38VMAQ
iYAOubVPnQKONnkzclAb98er5yJQt6H0J83GP/tLoAH1KC1WvQb3j2mJzDoSd9Mi
UryEnqJA7x/jLu/sdQow6FI+EqO1BfjyVvpdAF5CkBRSGoKRjPCFXF3PNzeUJBMn
8Dq0tFrV
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com

issuer=C = US, O = Google Trust Services, CN = Google Internet Authority G3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2954 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: D6976DE28566AC25ECB00243764949F6C8A0683513D94E52AC4064EE84EB1F3A
    Session-ID-ctx: 
    Master-Key: EAA832FA5CF7ACCEF650135BA9A60F0A1C32C5C0E7AA25EAE359CACFE3F6611387217F02767169862037C0971B5A7405
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 c8 62 ba f3 f4 e5 e9-06 0f 2e 57 a4 8b 55 8d   ..b........W..U.
    0010 - 3b c8 2f 3e 63 33 27 e4-27 3f 89 f1 a7 9b 92 0e   ;./>c3'.'?......
    0020 - b1 ef 71 58 b1 69 93 a0-1d 8d 1a ed 69 61 f2 31   ..qX.i......ia.1
    0030 - f2 c2 96 af d5 d4 7b 80-65 68 37 29 7a 96 3e af   ......{.eh7)z.>.
    0040 - 71 e6 b7 fb 8c 65 a9 24-af 46 51 e8 32 db ee d0   q....e.$.FQ.2...
    0050 - 29 97 a9 cc 51 bc e6 93-91 b8 3d 1e 72 12 6c e1   )...Q.....=.r.l.
    0060 - c8 c1 b4 f2 2c bf ae 07-27 34 17 b2 b7 85 e3 d7   ....,...'4......
    0070 - 19 8c 21 66 b2 d4 84 d2-81 b4 fe 96 48 5c 0b 76   ..!f........H\.v
    0080 - 2c 74 b2 dd 12 8f 42 5b-7d a2 14 1b 36 67 3d 50   ,t....B[}...6g=P
    0090 - b0 71 a8 5a c3 e4 e3 e4-e2 f1 cc f5 89 83 2a 7e   .q.Z..........*~
    00a0 - 88 d8 c1 1d 9a 0a 45 c6-f5 57 11 55 d1 c8 57 2c   ......E..W.U..W,
    00b0 - 38 bd eb 61 5e 1b 30 25-b6 ae 7e 60 0a 38 9c ce   8..a^.0%..~`.8..
    00c0 - ff 74 16 42 0c cd e9 a2-7f b2 f2 8b 16 a7 b5 13   .t.B............
    00d0 - 3d cd a0 c9 16 56 a3 87-bb 36                     =....V...6

Start Time: 1545427402
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
* OK Gimap ready for requests from 71.34.111.116 v142mb720826995oif
DONE

Thanks

Revision history for this message

Geir Isene (qc-e-9h) wrote on 2018-12-22:

After further research, this seems to actually not be Ruby version specific - because I purged my Ruby 2.5.1 that comes with Ubuntu 18.10 and installed 2.5.3 and 2.4.5 via ([ruby-install](https://github.com/postmodern/ruby-install) and tried both versions - and they both show up with the bug. So, my conclusion must be that there is something else wrong in 18.10, perhaps not Ruby specific at all (but still very odd that it works with Python and openssl directly).

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubunturuby-defaults package

Ruby crashes on login to imap.gmail.com (ssl)

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
ruby-defaults package