Comment 3 for bug 1834340

David Zuelke (dzuelke) wrote : Re: Possible regression on libssl upgrade when using TLSv1.3

For some clarification: this is due to the upgrade to openssl 1.1.1 in bionic-upgrades, which includes TLSv1.3 support. This leads to connections being negotiated as TLSv1.3, and Google's IMAP servers reject the connection (by returning an invalid certificate with a message) if the attempt is not using SNI.

Here is a simple way to reproduce this, without a PHP script or anything:

$ apt-get install uw-mailutils
$ mailutil check "{imap.googlemail.com:993/imap/ssl}INBOX"

This will work if the OpenSSL 1.1.0 library is installed, but fail if 1.1.1 is there:

root@e6e4f3531a65:/app# mailutil check "{imap.googlemail.com:993/imap/ssl}INBOX"
Certificate failure for imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Certificate failure for imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
root@e6e4f3531a65:/app# openssl version
OpenSSL 1.1.0g 2 Nov 2017 (Library: OpenSSL 1.1.1 11 Sep 2018)