[MacPorts] #38055: alpine openssl and gmail
MacPorts
noreply at macports.org
Wed Feb 13 15:04:26 PST 2013
#38055: alpine openssl and gmail
----------------------------------+--------------------------------
Reporter: jschnide@… | Owner: macports-tickets@…
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.1.3
Keywords: gmail alpine openssl | Port: alpine
----------------------------------+--------------------------------
Hello,
After a recent update of alpine and of openssl, alpine now comes
back with the following on launch going to my inbox:
There was an SSL/TLS failure for the server
imap.gmail.com
The reason for the failure was
SSL negotiation failed
This is just an informational message. With the current setup, SSL/TLS will not work. If
this error re-occurs every time you run Alpine, your current setup is not compatible with
the configuration of your mail server. You may want to add the option
/notls
to the name of the mail server you are attempting to access. In other words, wherever you
see the characters
imap.gmail.com
in your configuration, replace those characters with
imap.gmail.com/notls
Type RETURN to continue.
A co-worker suggested trying the following command:
$ openssl s_client -connect imap.gmail.com:993
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679:
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1891 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1360709165
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
After seeing this output, he remarked:
I think alpine uses the same cert store as openssl. But the point
not on curve error is more interesting. More likely, the new openssl
supports ECC ciphers out of the box, and there's some incompatibility
with Google's support for it. You might want to see if Alpine supports
configuration of the acceptable ciphers (like the Apache SSLCiphers
or SSH's Cipher option). Then set it to remove the ECC ciphers and
see if it's happier.
--
I didn't see where to configure acceptable ciphers in alpine and am not
sure if that needs to be configured in openssl.
I'd like to continue to use alpine to access gmail but am not sure
what the updates to alpine, openssl and/or dependencies may have
done to cause these issues.
Please let me know if I can provide further information.
Thanks
Joe
--
Ticket URL: <https://trac.macports.org/ticket/38055>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
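
The reading of the s_client transcript in the ticket above, as an added example that is not part of the original report: a shell function that separates the non-fatal trust-store warning from the fatal EC key-exchange error in a saved `openssl s_client` transcript, and builds the retest command with ECDH suites excluded. The function names, the trimmed sample transcript, and applying `-cipher 'DEFAULT:!ECDH'` to `s_client` as the way to test the co-worker's hypothesis are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: the diagnostic lines of the transcript quoted in the
# ticket, with wrapped error-queue lines rejoined.
sample_transcript() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679:
New, (NONE), Cipher is (NONE)
Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Reads an s_client transcript on stdin and prints one finding per line.
triage_s_client() {
    awk '
        # Chain verification problem: s_client reports it and carries on.
        /^verify error:num=/ {
            split($0, f, ":")
            print "trust: " f[3] " (" f[2] ")"
        }
        # Error-queue line: pid:error:code:library:function:reason:file:line:
        /:error:[0-9A-F]+:/ {
            split($0, f, ":")
            print "queue: " f[4] " / " f[5] " / " f[6]
            if (f[4] ~ /elliptic curve/ || f[6] ~ /ecpoint/) ec = 1
        }
        # No cipher negotiated means the handshake never completed.
        /Cipher is \(NONE\)/ { none = 1 }
        END {
            if (none) print "handshake: incomplete (no cipher negotiated)"
            if (none && ec)
                print "hypothesis: EC key exchange failed; retest with ECDH suites excluded"
        }'
}

# Builds the retest command (not run here, since it needs network access).
retest_command() {
    printf "openssl s_client -connect %s -cipher 'DEFAULT:!ECDH'\n" "$1"
}
```

Usage: `openssl s_client -connect imap.gmail.com:993 </dev/null 2>&1 | triage_s_client`. If the retest command completes a handshake while the default one does not, the failure is isolated to the EC key exchange rather than to the certificate store.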