Bug 1629151 - claws-mail: no SNI provided
Summary: claws-mail: no SNI provided
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: claws-mail
Version: 29
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Andreas Bierfert
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1638486
Depends On:
Blocks:
Reported: 2018-09-14 21:15 UTC by rvcsaba
Modified: 2019-01-26 16:18 UTC (History)
7 users (show)

Fixed In Version: claws-mail-3.17.3-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-03 05:29:27 UTC
Type: Bug
Embargoed:


Attachments
Error message window (74.82 KB, image/png)
2018-09-14 21:15 UTC, rvcsaba

Description rvcsaba 2018-09-14 21:15:52 UTC
Created attachment 1483398
Error message window

Description of problem:

I upgraded to Fedora 29, but can't get e-mails. On Fedora 28, this works.

-----------------

(My feature request: Please build latest, 3.17.1 release.)


Version-Release number of selected component (if applicable):

claws-mail-3.16.0-3.fc29.x86_64


How reproducible:

I connect to Gmail.


Actual results:

See an attachment.

Comment 1 Michael Schwendt 2018-09-15 11:25:24 UTC
> I upgraded to Fedora 29, but can't get e-mails.
> On Fedora 28, this works.

That isn't true. claws-mail-3.16.0-3.fc29 does work with Google Mail, provided that you accept the certificate instead of rejecting it. The base package hasn't changed compared with F28.

Whether 3.17.1 would fix the "invalid" details shown for the Google Mail cert, remains to be seen. An early upgrade to 3.17.0 would have been a mistake because of a crash condition. 3.17.x will also require some packaging work due to merged patches, return of dillo plugin, and possibly more.

Comment 2 rvcsaba 2018-09-16 19:20:53 UTC
What is invalid2.invalid self signed cert? Did you see the attachment?

Comment 3 Michael Schwendt 2018-09-16 19:41:16 UTC
I've explicitly commented on that in the previous comment.

Comment 4 Michael Schwendt 2018-09-16 23:33:47 UTC
I've upgraded Rawhide to Claws Mail 3.17.1 and libetpan 1.9.1, but if building those packages for F29, they don't change the symptoms.

Both F28 and F29 include libetpan 1.8 and Claws Mail 3.16.0 based on the same package. Something else in F29 must have changed.

$ strings ~/.claws-mail/certs/imap.gmail.com.993.cert
0N110/
(No SNI provided; please fix your client.1
invalid2.invalid0
150101000000Z
300101000000Z0N110/
(No SNI provided; please fix your client.1
invalid2.invalid0
}	\Y
	w[M
]0[0
0*`d
#vBc
?I_n

Comment 8 Branko Grubić 2018-09-22 07:56:07 UTC
Hi Michael,

Initially I didn't add myself to CC, but I was just checking this bug from time to time; now I'm on CC. Is there a reason why this is now a private bug? This makes it harder for people who are affected to find it. When I hit some issue, the first thing I do is go to bugz.fedoraproject.org/<package> to list all open bugs, and since this is now private, it's not visible there.

Comment 9 Branko Grubić 2018-09-22 08:38:51 UTC
Btw. issue similar to this reported against different client, see bug #1611815

Comment 10 Michael Schwendt 2018-09-22 13:22:41 UTC
I've made the ticket (and some others) private, because the user in comments 5 and 7 spams bugzilla with links to unrelated websites.

Comment 11 Michael Schwendt 2018-09-22 13:26:33 UTC
> Btw. issue similar to this reported against different client, see bug #1611815

What is the full story though? On F28 the same software and package work. What in F29 has changed?

Comment 12 Branko Grubić 2018-09-22 13:52:52 UTC
(In reply to Michael Schwendt from comment #11)
> > Btw. issue similar to this reported against different client, see bug #1611815
> 
> What is the full story though? On F28 the same software and package work.
> What in F29 has changed?

I have no idea, just guessing (I'm far from someone who understands cryptography, and utilities or libraries related to it): what changed in F29 is that TLS 1.3 is enabled by default [1] (this is only a feature for GNUTLS). In that bug I linked, TLS 1.3 is mentioned as well (but fetchmail uses openssl, not gnutls).



[1] https://fedoraproject.org/wiki/Changes/GnuTLS-TLS1.3

Comment 13 Branko Grubić 2018-09-22 13:58:10 UTC
Asked in gnutls tls 1.3 feature tracker, bug #1611810#c5 if anyone wants to take a look and comment.

Comment 14 Michael Schwendt 2018-09-22 20:28:08 UTC
Fedora's gnutls package only seems to be the same for F28 and F29. Actually, it is built differently based on conditionals:

%if (0%{?fedora} <= 28)
           --enable-ssl3-support \
%else
           --enable-tls13-support \
%endif


The issue is reproducible with:
  gnutls-cli --disable-sni imap.gmail.com:993

Comment 15 Michael Schwendt 2018-09-23 13:13:32 UTC
There's an SNI support feature request in the libetpan tracker already:
https://github.com/dinhviethoa/libetpan/issues/258
It seems to me that is where the certificate retrieval and checking is done.

Claws Mail initializes and uses gnutls separately, however, too.

Comment 16 Nikos Mavrogiannopoulos 2018-09-24 07:27:22 UTC
If I understand the issue well, from the descriptions provided the change is in the server behavior. When the server sees TLS1.3 it requires SNI to be seen, and if not it will return back a bogus certificate. Under TLS1.2, when the server doesn't see SNI, it behaves by sending the right certificate.

So indeed, the trigger is the TLS1.3 enablement, but the issue is not due to TLS1.3, but rather due to the server's awkward behavior. The simplest solution is to set SNI on the client:

https://gnutls.org/manual/gnutls.html#index-gnutls_005fserver_005fname_005fset
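
Added example, not part of the original thread and not code from Claws Mail, libetpan or GnuTLS: the difference discussed in comments 14 and 16 can be checked offline by capturing a client's ClientHello in memory and looking for the server_name extension. It uses Python's ssl module (OpenSSL) as a stand-in for the GnuTLS call, and the function names client_hello and sni_from_client_hello are made up for this illustration.

```python
import ssl
import struct

def client_hello(server_hostname=None):
    """Capture the first flight a TLS client would send, without any network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking needs a name; switch it off only for the no-SNI capture.
    ctx.check_hostname = server_hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, no ServerHello will arrive
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the host_name from the server_name extension, or None if absent.

    Assumes the whole ClientHello sits in the first TLS record.
    """
    try:
        if data[0] != 22 or data[5] != 1:  # handshake record, ClientHello
            raise ValueError("not a ClientHello")
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[9:5 + rec_len]   # skip record (5) and handshake (4) headers
        pos = 2 + 32                 # legacy_version + random
        pos += 1 + body[pos]         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]         # compression_methods
        if pos == len(body):
            return None              # ClientHello without any extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            if ext_type == 0:        # server_name, RFC 6066
                ext = body[pos + 4:pos + 4 + ext_len]
                # server_name_list length (2), name_type (1), name length (2)
                name_len = struct.unpack("!H", ext[3:5])[0]
                return ext[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

if __name__ == "__main__":
    for host in ("imap.gmail.com", None):
        print(host, "->", sni_from_client_hello(client_hello(host)))
```

The same parser can be pointed at the first client record from a packet capture to confirm whether a mail client build actually sends SNI.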

Comment 17 Michael Schwendt 2018-09-24 11:29:24 UTC
> The simplest solution

Pointing at the API is not a solution.

https://github.com/dinhviethoa/libetpan/issues/258#issuecomment-423823453

Comment 18 rvcsaba 2018-10-07 09:24:21 UTC
(In reply to Michael Schwendt from comment #4)

> but if
> building those packages for F29, they don't change the symptoms.
> 

Really. I built and upgraded claws-mail-3.17.1 to fc29 and the same problem remained.

Comment 19 Michael Schwendt 2018-10-11 18:35:43 UTC
*** Bug 1638486 has been marked as a duplicate of this bug. ***

Comment 20 Michael Schwendt 2018-10-22 21:52:21 UTC
For tracking pleasures:
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4103

Comment 21 Michael Schwendt 2018-11-04 21:24:34 UTC
Here's 3.17.1 with the experimental patch and the new commits to libetpan:
https://copr.fedorainfracloud.org/coprs/mschwendt/claws-mail-testing/

Comment 22 rvcsaba 2018-11-05 21:14:33 UTC
It works, thanks! :)

Comment 23 Patrick C. F. Ernzer 2018-11-10 13:42:05 UTC
confirmed working, thank you Michael.

claws-mail-3.17.1-1.fc29.t1.x86_64
libetpan-1.9.1-1.fc29.t1.x86_64

Successfully logged fine into imap.gmail.com and opened a message that was received in imap.gmail.com after my upgrade to F29 (meaning claws-mail could not have cached it yet)

here's the log entries (minus my username)

[14:33:20] * message: Account 'Red Hat GMail': Connecting to IMAP server: imap.gmail.com:993...
[14:33:20] IMAP< * OK Gimap ready for requests from 91.65.12.199 c6-v6mb602559424wrv 
[14:33:20] * message: IMAP connection is un-authenticated
[14:33:20] IMAP> 1 CAPABILITY 
[14:33:21] IMAP< * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH 
[14:33:21] IMAP< 1 OK Thats all she wrote! c6-v6mb602559424wrv 
[14:33:21] IMAP> Logging [CENSORED]@redhat.com to imap.gmail.com using PLAIN
[14:33:22] IMAP< [CENSORED]@redhat.com authenticated (Success)
[14:33:22] IMAP< Login to imap.gmail.com successful
[14:33:22] IMAP> 3 LIST "" "" 
[14:33:22] IMAP< * LIST (\Noselect) "/" "/" 
[14:33:22] IMAP< 3 OK Success 
…

Should I get unexpected failures in the next few work days, then I'll add a comment to this bug.

Comment 24 Fedora Update System 2018-12-25 15:51:44 UTC
claws-mail-3.17.3-1.fc29 clawsker-1.3.0-2.fc29 libetpan-1.9.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4305a08deb

Comment 25 Fedora Update System 2018-12-26 03:58:02 UTC
claws-mail-3.17.3-1.fc29, clawsker-1.3.0-2.fc29, libetpan-1.9.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4305a08deb

Comment 26 Fedora Update System 2019-01-03 05:29:27 UTC
claws-mail-3.17.3-1.fc29, clawsker-1.3.0-2.fc29, libetpan-1.9.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

