Bug 1629151
| Summary: | claws-mail: no SNI provided | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | rvcsaba |
| Component: | claws-mail | Assignee: | Andreas Bierfert <andreas.bierfert> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 29 | CC: | agk, andreas.bierfert, bitlord0xff, bugs.michael, nmavrogi, pcfe, safir |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | claws-mail-3.17.3-1.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-01-03 05:29:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

> I upgraded to Fedora 29, but can't get e-mails.
> On Fedora 28, this works.
That isn't true. claws-mail-3.16.0-3.fc29 does work with Google Mail, provided that you accept the certificate instead of rejecting it. The base package hasn't changed compared with F28.
Whether 3.17.1 would fix the "invalid" details shown for the Google Mail cert, remains to be seen. An early upgrade to 3.17.0 would have been a mistake because of a crash condition. 3.17.x will also require some packaging work due to merged patches, return of dillo plugin, and possibly more.

What is invalid2.invalid self signed cert?

Did you see the attachment? I've explicitly commented on that in the previous comment.

I've upgraded Rawhide to Claws Mail 3.17.1 and libetpan 1.9.1, but if building those packages for F29, they don't change the symptoms. Both F28 and F29 include libetpan 1.8 and Claws Mail 3.16.0 based on the same package. Something else in F29 must have changed.

    $ strings ~/.claws-mail/certs/imap.gmail.com.993.cert
    0N110/ (No SNI provided; please fix your client.1 invalid2.invalid0 150101000000Z 300101000000Z0N110/ (No SNI provided; please fix your client.1 invalid2.invalid0 } \Y w[M ]0[0 0*`d #vBc ?I_n

Hi Michael,

Initially I didn't add myself to CC, but I was just checking this bug from time to time, now I'm CC. Is there a reason why this is now a private bug? This makes it harder for people who are affected to find it. When I hit some issue, the first thing I do is go to bugz.fedoraproject.org/<package> to list all open bugs, and since this is now private, it's not visible there.

Btw. issue similar to this reported against different client, see bug #1611815

I've made the ticket (and some others) private, because the user in comments 5 and 7 spams bugzilla with links to unrelated websites.

> Btw. issue similar to this reported against different client, see bug #1611815
What is the full story though? On F28 the same software and package work. What in F29 has changed?

(In reply to Michael Schwendt from comment #11)
> > Btw. issue similar to this reported against different client, see bug #1611815
>
> What is the full story though? On F28 the same software and package work.
> What in F29 has changed?

I have no idea, just guessing (I'm far from someone who understands cryptography, and utilities or libraries related to it), what changes in F29 is that TLS 1.3 is enabled by default [1] (this is only a feature for GNUTLS). In that bug I linked TLS 1.3 is mentioned as well (but fetchmail uses openssl, not gnutls).

[1] https://fedoraproject.org/wiki/Changes/GnuTLS-TLS1.3

Asked in gnutls tls 1.3 feature tracker, bug #1611810#c5 if anyone wants to take a look and comment.

Fedora's gnutls package only seems to be the same for F28 and F29. Actually, it is built differently based on conditionals:

    %if (0%{?fedora} <= 28)
    --enable-ssl3-support \
    %else
    --enable-tls13-support \
    %endif

The issue is reproducible with:

    gnutls-cli --disable-sni imap.gmail.com:993

There's an SNI support feature request in the libetpan tracker already:
https://github.com/dinhviethoa/libetpan/issues/258

It seems to me that is where the certificate retrieval and checking is done. Claws Mail initializes and uses gnutls separately, however, too.

If I understand the issue well, from the descriptions provided the change is on the server behavior. When the server sees TLS1.3 it requires SNI to be seen, and if not it will return back a bogus certificate. Under TLS1.2, when the server doesn't see SNI, it behaves by sending the right certificate. So indeed, the trigger is the TLS1.3 enablement, but the issue is not due to TLS1.3, but rather due to the server's awkward behavior.

The simplest solution is to set SNI on the client:
https://gnutls.org/manual/gnutls.html#index-gnutls_005fserver_005fname_005fset

> The simplest solution

Pointing at the API is not a solution.
https://github.com/dinhviethoa/libetpan/issues/258#issuecomment-423823453

(In reply to Michael Schwendt from comment #4)
> but if
> building those packages for F29, they don't change the symptoms.
>

Really. I build and upgrade claws-mail-3.17.1 to fc29 and the same problem remained.

*** Bug 1638486 has been marked as a duplicate of this bug. ***

For tracking pleasures:
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4103

Here's 3.17.1 with the experimental patch and the new commits to libetpan:
https://copr.fedorainfracloud.org/coprs/mschwendt/claws-mail-testing/

Work it, thanks! :)

confirmed working, thank you Michael.

claws-mail-3.17.1-1.fc29.t1.x86_64
libetpan-1.9.1-1.fc29.t1.x86_64

Successfully logged fine into imap.gmail.com and opened a message that was received in imap.gmail.com after my upgrade to F29 (meaning claws-mail could not have cached it yet)

here's the log entries (minus my username)

    [14:33:20] * message: Account 'Red Hat GMail': Connecting to IMAP server: imap.gmail.com:993...
    [14:33:20] IMAP< * OK Gimap ready for requests from 91.65.12.199 c6-v6mb602559424wrv
    [14:33:20] * message: IMAP connection is un-authenticated
    [14:33:20] IMAP> 1 CAPABILITY
    [14:33:21] IMAP< * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
    [14:33:21] IMAP< 1 OK Thats all she wrote! c6-v6mb602559424wrv
    [14:33:21] IMAP> Logging [CENSORED]@redhat.com to imap.gmail.com using PLAIN
    [14:33:22] IMAP< [CENSORED]@redhat.com authenticated (Success)
    [14:33:22] IMAP< Login to imap.gmail.com successful
    [14:33:22] IMAP> 3 LIST "" ""
    [14:33:22] IMAP< * LIST (\Noselect) "/" "/"
    [14:33:22] IMAP< 3 OK Success
    …

Should I get unexpected failures in the next few work days, then I'll add a comment to this bug.

claws-mail-3.17.3-1.fc29 clawsker-1.3.0-2.fc29 libetpan-1.9.2-1.fc29 has been submitted as an update to Fedora 29.
https://bodhi.fedoraproject.org/updates/FEDORA-2018-4305a08deb

claws-mail-3.17.3-1.fc29, clawsker-1.3.0-2.fc29, libetpan-1.9.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4305a08deb

claws-mail-3.17.3-1.fc29, clawsker-1.3.0-2.fc29, libetpan-1.9.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 1483398
Error message window

Description of problem:
I upgraded to Fedora 29, but can't get e-mails.
On Fedora 28, this works.
-----------------
(My feature request: Please build latest, 3.17.1 release.)

Version-Release number of selected component (if applicable):
claws-mail-3.16.0-3.fc29.x86_64

How reproducible:
I connect to Gmail.

Actual results:
See an attachment.