can't retrieve gmail emails. fetchmail: OU=No SNI provided; please fix your client./CN=invalid2.invalid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fetchmail (Debian) | Fix Released | Unknown | |
fetchmail (Ubuntu) | Fix Released | High | Karl Stenerud |
Bionic | Fix Released | High | Andreas Hasenack |
Cosmic | Fix Released | High | Karl Stenerud |
Bug Description
[Impact]
Fetchmail doesn't set the hostname for SNI when using TLS. Without this, fetchmail fails to verify the SSL certificate using TLS 1.2 for places such as pop.gmail.com.
[Test Case]
# lxc launch ubuntu:cosmic tester
# lxc exec tester bash
# apt update
# apt dist-upgrade -y
# apt install -y fetchmail
# echo "set postmaster \"root\"
poll pop.gmail.com with proto POP3
user '<email address hidden>' there with password 'any-password' is root here options ssl
" > ~/.fetchmailrc
# chmod 700 ~/.fetchmailrc
# fetchmail -d0 -vk --sslcertck pop.gmail.com
...
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
...
[Regression Potential]
This change affects how TLS connections are handled. The change adds a server name indication, which the host will either honour or ignore. The only regression potential would be with possibly already broken SNI code that is now being activated.
[Original Description]
https:/
https:/
ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: fetchmail 6.3.26-3build1
ProcVersionSign
Uname: Linux 4.18.0-10-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.10-0ubuntu13
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Oct 19 11:08:36 2018
InstallationDate: Installed on 2018-01-01 (290 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20171221)
SourcePackage: fetchmail
UpgradeStatus: Upgraded to cosmic on 2018-10-18 (0 days ago)
modified.
mtime.conffile.
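To make the failure in the [Impact] and [Test Case] sections concrete without touching the network, here is an added example in Go (it is not fetchmail's code and not from this bug's sni-support.patch): a loopback TLS server that, like pop.gmail.com, presents its genuine certificate only to a ClientHello whose SNI names the host and a placeholder "invalid2.invalid" certificate to everything else, plus a client that handshakes once without SNI and once with it and then runs the two checks fetchmail -v reports, hostname match and chain to a trust anchor. The host name pop.example.test, the self-signed certificates and the placeholder's OU text are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned makes a throwaway self-signed certificate for cn (one DNS SAN, optional OUs),
// flagged as a CA so the genuine one can act as its own trust anchor in the demo.
func selfSigned(cn string, ou []string) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, OrganizationalUnit: ou},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// startServer listens on loopback. With several Certificates, Go picks the first whose SANs match
// the SNI name and falls back to the first entry when there is no SNI: the pop.gmail.com behaviour.
func startServer(genuine, placeholder tls.Certificate) net.Listener {
	cfg := &tls.Config{Certificates: []tls.Certificate{placeholder, genuine}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			_ = c.(*tls.Conn).Handshake() // let the client see our certificate, then hang up
			c.Close()
		}
	}()
	return ln
}

// Result is what one client handshake learned, roughly what fetchmail -v prints.
type Result struct {
	SubjectCN            string
	SubjectOU            []string
	NameMatches, ChainOK bool // certificate covers the intended host; chains to a trusted root
}

// connect performs one handshake. An empty sni means no SNI extension on the wire (fetchmail before
// the fix); tls.Client, unlike tls.Dial, never fills ServerName in from addr. Verification is done
// by hand afterwards so the certificate can be reported even when it fails, as fetchmail -v does.
func connect(addr, host, sni string, roots *x509.CertPool) Result {
	raw, err := net.Dial("tcp", addr)
	check(err)
	defer raw.Close()
	conn := tls.Client(raw, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	check(conn.Handshake())
	leaf := conn.ConnectionState().PeerCertificates[0]
	_, chainErr := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return Result{
		SubjectCN:   leaf.Subject.CommonName,
		SubjectOU:   leaf.Subject.OrganizationalUnit,
		NameMatches: leaf.VerifyHostname(host) == nil,
		ChainOK:     chainErr == nil,
	}
}

// RunDemo connects to the same server twice, without and then with SNI, and returns both outcomes.
func RunDemo() (without, with Result) {
	const host = "pop.example.test" // constructed stand-in for pop.gmail.com
	genuine := selfSigned(host, nil)
	ln := startServer(genuine, selfSigned("invalid2.invalid", []string{"No SNI provided; please fix your client."}))
	defer ln.Close()
	roots := x509.NewCertPool()
	roots.AddCert(genuine.Leaf) // trust only the genuine certificate, as a CA bundle would
	without = connect(ln.Addr().String(), host, "", roots)
	with = connect(ln.Addr().String(), host, host, roots)
	return without, with
}

func main() {
	without, with := RunDemo()
	fmt.Printf("no SNI:   %+v\nwith SNI: %+v\n", without, with)
}
```

Run it with `go run`. The no-SNI result carries the placeholder CN and the "please fix your client" OU and fails both checks, which is the pair of lines (`Server CommonName mismatch` and `Missing trust anchor certificate`) in the log above; the SNI result names the genuine host and passes both. The point for triage is that these two messages together, with a CommonName of invalid2.invalid, point at the client not sending SNI rather than at a missing CA certificate, so re-running c_rehash or adjusting --sslcertpath will not help. In OpenSSL-based clients such as fetchmail, the SNI name is supplied with SSL_set_tlsext_host_name() before the handshake.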
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 290 lines (+219/-1), 9 files modified:
  debian/changelog (+29/-0)
  debian/control (+2/-1)
  debian/patches/clang-robustness.patch (+59/-0)
  debian/patches/series (+4/-0)
  debian/patches/set-umask-for-fetchids.patch (+49/-0)
  debian/patches/sni-support.patch (+32/-0)
  debian/tests/control (+8/-0)
  debian/tests/installation (+23/-0)
  debian/tests/service (+13/-0)

- Robie Basak: Approve (~ubuntu-sru)
- Christian Ehrhardt (community): Approve
- Diff: 61 lines (+40/-0), 3 files modified:
  debian/changelog (+7/-0)
  debian/patches/series (+1/-0)
  debian/patches/sni-support.patch (+32/-0)

- Andreas Hasenack: Approve
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 61 lines (+40/-0), 3 files modified:
  debian/changelog (+7/-0)
  debian/patches/series (+1/-0)
  debian/patches/sni-support.patch (+32/-0)

- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- Diff: 61 lines (+40/-0), 3 files modified:
  debian/changelog (+7/-0)
  debian/patches/series (+1/-0)
  debian/patches/sni-support.patch (+32/-0)
Changed in fetchmail (Ubuntu):
  assignee: nobody → Karl Stenerud (kstenerud)
  status: Triaged → Confirmed
  description: updated
Changed in fetchmail (Ubuntu):
  status: Confirmed → Fix Committed
Changed in fetchmail (Ubuntu Cosmic):
  status: Fix Committed → In Progress
Changed in fetchmail (Ubuntu Bionic):
  status: New → Confirmed
  assignee: nobody → Karl Stenerud (kstenerud)
  importance: Undecided → High
Changed in fetchmail (Debian):
  status: Unknown → New
Changed in fetchmail (Debian):
  status: New → Fix Released
tags: added: regression-update
Changed in fetchmail (Ubuntu Bionic):
  status: New → In Progress
  assignee: nobody → Andreas Hasenack (ahasenack)
tags: added: bionic-openssl-1.1
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Fri Oct 19 11:58:36 2018: poll started 119.109/995...connected. D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16 /CN=invalid2.invalid CHACHA20-POLY1305, 256/256 secret/processed bits
fetchmail: Trying to connect to 108.177.
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 90:4A:C8:
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client.
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: SSL/TLS: using protocol TLSv1.2, cipher ECDHE-RSA-
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)