Sylpheed not (or no longer) using SNI for SSL connections

Bug #1799345 reported by Moses Moore
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
sylpheed (Debian) | Fix Released | Unknown | |
sylpheed (Ubuntu) | Fix Released | Medium | Dan Streetman |
Bionic | Fix Released | Medium | Dan Streetman |
Disco | Fix Released | Medium | Dan Streetman |
Eoan | Fix Released | Medium | Dan Streetman |

Bug Description

[impact]

An IMAP connection to imap.gmail.com over SSL returns a self-signed certificate. Though you can still connect to imap.gmail.com using this certificate, it would be better to fix it to avoid this scary warning (self-signed certificate) and provide a smoother user experience.

[Test Case]
Create an IMAP account for gmail.com in sylpheed. To do this, select "Create new account" from "Configuration" in the main menu. The "New account setup" window will appear. Select "IMAP4 (Gmail)" and follow the instructions in that window. After setup is finished, check for new email for the newly created account. You should get a warning complaining about a self-signed certificate.
With the fixed package, try the same. This time you should not get the warning.

[regression potential]

low, as this only sets SNI, however any regression would likely result in SSL connection failures.

[other info]

for Bionic, this is almost certainly a regression caused by the openssl upgrade to 1.1.

for Disco and Eoan, this functionality likely has never worked, as we haven't synced this package from Debian since Bionic.

Debian does have this patch as noted in the Affects section.

---

Original Description
--------------------
Problem appeared after upgrading from Ubuntu 18.04 to 18.10.
When starting Sylpheed, connecting to imap.gmail.com over SSL, I get a warning embedded in the SSL certificate: "Subject: /OU=No SNI provided; please fix your client./CN=invalid2.invalid "

May be related to this bug report about 'fetchmail' in redhat enterprise when it was still using TLSv1.2 instead of TLSv1.3:
https://bugzilla.redhat.com/show_bug.cgi?id=1611815
https://gitlab.com/fetchmail/fetchmail/commit/9b8b634312f169fab872f3580c2febe5af031615

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: sylpheed 3.5.1-1ubuntu3
ProcVersionSignature: Ubuntu 4.18.0-10.11-generic 4.18.12
Uname: Linux 4.18.0-10-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.10-0ubuntu13
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Oct 23 00:27:01 2018
InstallationDate: Installed on 2016-06-05 (869 days ago)
InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: sylpheed
UpgradeStatus: Upgraded to cosmic on 2018-10-21 (1 days ago)
modified.conffile..etc.default.apport: [modified]
mtime.conffile..etc.default.apport: 2018-03-20T22:16:27.108498

Moses Moore (moses-ubuntu) wrote :
ԜаӀtеr Ⅼарсһуnѕkі (wxl) wrote :

There is an upstream bug report with a patch, though it's not released yet:
https://sylpheed.sraoss.jp/redmine/issues/306

Changed in sylpheed (Ubuntu):
status: New → Triaged
Adriano Petrosillo (ampetrosillo) wrote :

I'm on Lubuntu 18.04.2, and I'm having the same problem with Sylpheed and Gmail.

vofka (vofka) wrote :

This was fixed in Debian a year ago with a patch from #2 and is already in stable (buster).
This is a debdiff for Bionic applicable to 3.5.1-1ubuntu4. I built this in pbuilder and it builds successfully; I installed it, and the patch works as intended.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "1-3.5.1-1ubuntu5.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Thomas Ward (teward) wrote :

Hello.

This requires the SRU template and all requisite information including test cases to determine if this is SRUable.

Please refer to https://wiki.ubuntu.com/StableReleaseUpdates#Procedure for details. Once you apply the SRU template, if you still need a sponsor for this, please resubscribe ubuntu-sponsors to the bug.

vofka (vofka) wrote :

Need help with Regression Potential section. I have no idea about possible regressions.

According to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging, if you want to fix it in 18.04 you should patch the latest version for 18.04 (3.5.1-1ubuntu3), so this is an updated debdiff for Bionic applicable to 3.5.1-1ubuntu3. It builds successfully, and the patch works as intended.

description: updated
tags: added: bionic
vofka (vofka)
description: updated
Dan Streetman (ddstreet)
no longer affects: sylpheed
description: updated
tags: added: regression-update
description: updated
Dan Streetman (ddstreet)
Changed in sylpheed (Ubuntu Eoan):
importance: Undecided → Medium
Changed in sylpheed (Ubuntu Disco):
importance: Undecided → Medium
Changed in sylpheed (Ubuntu Bionic):
importance: Undecided → Medium
Changed in sylpheed (Ubuntu Eoan):
status: Triaged → In Progress
Changed in sylpheed (Ubuntu Disco):
status: New → In Progress
Changed in sylpheed (Ubuntu Bionic):
status: New → In Progress
Changed in sylpheed (Ubuntu Eoan):
assignee: nobody → Dan Streetman (ddstreet)
Changed in sylpheed (Ubuntu Bionic):
assignee: nobody → Dan Streetman (ddstreet)
Changed in sylpheed (Ubuntu Disco):
assignee: nobody → Dan Streetman (ddstreet)
Robie Basak (racb)
tags: added: bionic-openssl-1.1
Dan Streetman (ddstreet) wrote :

thanks @vofka! I uploaded to Eoan, Disco, and Bionic so it's waiting for approval now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sylpheed - 3.5.1-1ubuntu5

---------------
sylpheed (3.5.1-1ubuntu5) eoan; urgency=medium

  * d/p/0009-support-SNI-for-IMAP.patch: add SNI support (LP: #1799345)

 -- Dan Streetman <email address hidden> Tue, 08 Oct 2019 16:36:03 -0400

Changed in sylpheed (Ubuntu Eoan):
status: In Progress → Fix Released
Changed in sylpheed (Debian):
status: Unknown → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Moses, or anyone else affected,

Accepted sylpheed into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sylpheed/3.5.1-1ubuntu3.19.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sylpheed (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Changed in sylpheed (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Moses, or anyone else affected,

Accepted sylpheed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sylpheed/3.5.1-1ubuntu3.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

vofka (vofka) wrote : Re: Sypheed not (or no longer) using SNI for SSL connections

I've tested 3.5.1-1ubuntu3.18.04.1. This package fixes the bug.

summary: - Sypheed not (or no longer) using SNI for SSL connections
+ Sylpheed not (or no longer) using SNI for SSL connections
vofka (vofka)
tags: added: verification-done-bionic
removed: verification-needed-bionic
Dan Streetman (ddstreet) wrote :

ubuntu@lp1799345:~$ dpkg -l|grep sylpheed
ii sylpheed 3.5.1-1ubuntu3 amd64 Light weight e-mail client with GTK+
ii sylpheed-i18n 3.5.1-1ubuntu3 all Locale data for Sylpheed (i18n support)

installed and started sylpheed, configured with gmail address. Click 'get' to download emails, enter any password at prompt (login is not required to verify this bug) and see:
The SSL certificate of pop.gmail.com cannot be verified by the following reason:
  self signed certificate

Subject: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Issuer: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Issued date: Jan 1 00:00:00 2015 GMT
Expire date: Jan 1 00:00:00 2030 GMT

SHA1 fingerprint: 42:59:51:7C:D4:E4:8A:28:9D:33:2A:B3:F0:AB:52:A3:66:32:28:24
MD5 fingerprint: 90:4A:C8:D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16

ubuntu@lp1799345:~$ dpkg -l|grep sylpheed
ii sylpheed 3.5.1-1ubuntu3.19.04.1 amd64 Light weight e-mail client with GTK+
ii sylpheed-i18n 3.5.1-1ubuntu3.19.04.1 all Locale data for Sylpheed (i18n support)

open sylpheed again, click 'get' again, enter any password, and authentication is attempted without the certificate SNI failure.

tags: added: verification-done verification-done-disco
removed: cosmic verification-needed verification-needed-disco
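
The check performed by hand in the verification above, as an added example (not part of the thread and not Sylpheed's patch): it classifies a certificate warning as the "No SNI" placeholder seen in this report, and includes a probe that performs the TLS handshake with or without the SNI extension. The function names are hypothetical, and the default port 993 (standard IMAP over TLS) is an assumption; the sample text is copied from the report.

```python
import socket
import ssl

# Warning text as Sylpheed shows it when no SNI is sent (copied from this report).
SAMPLE_WARNING = """\
The SSL certificate of pop.gmail.com cannot be verified by the following reason:
  self signed certificate

Subject: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Issuer: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
"""

def parse_dn(oneline):
    """Split an OpenSSL one-line DN ('/OU=x/CN=y') into a dict."""
    parts = [p.split("=", 1) for p in oneline.strip().split("/") if "=" in p]
    return {k.strip(): v.strip() for k, v in parts}

def classify_warning(text):
    """Return 'missing-sni', 'self-signed' or 'other' for a certificate warning."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Subject", "Issuer"):
            fields[key.strip()] = parse_dn(value)
    subject, issuer = fields.get("Subject", {}), fields.get("Issuer", {})
    if not subject or subject != issuer:
        return "other"
    # .invalid is reserved by RFC 2606 and never names a real host
    placeholder = (subject.get("CN", "").endswith(".invalid")
                   or "No SNI" in subject.get("OU", ""))
    return "missing-sni" if placeholder else "self-signed"

def probe_tls(host, port=993, send_sni=True, timeout=10):
    """Handshake with or without the SNI extension; report the verification result."""
    ctx = ssl.create_default_context()
    if not send_sni:
        ctx.check_hostname = False   # required before omitting server_hostname
    name = host if send_sni else None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return ("verified", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("verify-failed", exc.verify_message)

if __name__ == "__main__":
    print(classify_warning(SAMPLE_WARNING))
```

`probe_tls` needs network access and is not called by the script itself; comparing its result with `send_sni=True` and `send_sni=False` against the same server separates a client-side SNI omission from a genuinely untrusted certificate.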
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sylpheed - 3.5.1-1ubuntu3.19.04.1

---------------
sylpheed (3.5.1-1ubuntu3.19.04.1) disco; urgency=medium

  * d/p/0009-support-SNI-for-IMAP.patch: add SNI support (LP: #1799345)

 -- Dan Streetman <email address hidden> Tue, 08 Oct 2019 16:38:23 -0400

Changed in sylpheed (Ubuntu Disco):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sylpheed has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sylpheed - 3.5.1-1ubuntu3.18.04.1

---------------
sylpheed (3.5.1-1ubuntu3.18.04.1) bionic; urgency=medium

  * d/p/0009-support-SNI-for-IMAP.patch: add SNI support (LP: #1799345)

 -- Dan Streetman <email address hidden> Tue, 08 Oct 2019 16:45:28 -0400

Changed in sylpheed (Ubuntu Bionic):
status: Fix Committed → Fix Released