[MacPorts] #38055: alpine openssl and gmail
MacPorts
noreply at macports.org
Wed Feb 13 16:03:38 PST 2013
#38055: alpine openssl and gmail
-----------------------------+--------------------------------
Reporter: jschnide@… | Owner: macports-tickets@…
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.1.3
Resolution: | Keywords:
Port: alpine openssl |
-----------------------------+--------------------------------
Changes (by larryv@…):
* keywords: gmail alpine openssl =>
* cc: mww@…, cal@…, egall@…, larryv@… (added)
* port: alpine => alpine openssl
Old description:
> Hello,
>
> After a recent update of alpine and of openssl, alpine now comes
> back with the following on launch going to my inbox:
> There was an SSL/TLS failure for the server
> imap.gmail.com
> The reason for the failure was
> SSL negotiation failed
> This is just an informational message. With the current setup, SSL/TLS
> will not work. If
> this error re-occurs every time you run Alpine, your current setup is not
> compatible with
> the configuration of your mail server. You may want to add the option
> /notls
> to the name of the mail server you are attempting to access. In other
> words, wherever you
> see the characters
> imap.gmail.com
> in your configuration, replace those characters with
> imap.gmail.com/notls
> Type RETURN to continue.
>
> A co-worker suggested trying the following command:
> $ openssl s_client -connect imap.gmail.com:993
> CONNECTED(00000003)
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> 140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
> 140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679:
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
> i:/C=US/O=Google Inc/CN=Google Internet Authority
> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> <snip>
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1891 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1360709165
> Timeout : 300 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> ---
> After seeing this output, he remarked:
> I think alpine uses the same cert store as openssl. But the point
> not on curve error is more interesting. More likely, the new openssl
> supports ECC ciphers out of the box, and there's some incompatibility
> with Google's support for it. You might want to see if Alpine supports
> configuration of the acceptable ciphers (like the Apache SSLCiphers
> or SSH's Cipher option). Then set it to remove the ECC ciphers and
> see if it's happier.
> --
> I didn't see where to configure acceptable ciphers in alpine and am not
> sure if that needs to be configured in openssl.
> I'd like to continue to use alpine to access gmail but am not sure
> what the updates to alpine, openssl and/or dependencies may have
> done to cause these issues.
>
> Please let me know if I can provide further information.
>
> Thanks
> Joe
New description:
Hello,
After a recent update of alpine and of openssl, alpine now comes
back with the following on launch going to my inbox:
{{{
There was an SSL/TLS failure for the server
imap.gmail.com
The reason for the failure was
SSL negotiation failed
This is just an informational message. With the current setup, SSL/TLS
will not work. If
this error re-occurs every time you run Alpine, your current setup is not
compatible with
the configuration of your mail server. You may want to add the option
/notls
to the name of the mail server you are attempting to access. In other
words, wherever you
see the characters
imap.gmail.com
in your configuration, replace those characters with
imap.gmail.com/notls
Type RETURN to continue.
}}}
A co-worker suggested trying the following command:
{{{
$ openssl s_client -connect imap.gmail.com:993
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679:
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1891 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1360709165
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
}}}
After seeing this output, he remarked:
I think alpine uses the same cert store as openssl. But the point
not on curve error is more interesting. More likely, the new openssl
supports ECC ciphers out of the box, and there's some incompatibility
with Google's support for it. You might want to see if Alpine supports
configuration of the acceptable ciphers (like the Apache SSLCiphers
or SSH's Cipher option). Then set it to remove the ECC ciphers and
see if it's happier.
I didn't see where to configure acceptable ciphers in alpine and am not
sure if that needs to be configured in openssl.
I'd like to continue to use alpine to access gmail but am not sure
what the updates to alpine, openssl and/or dependencies may have
done to cause these issues.
Please let me know if I can provide further information.
Thanks
Joe
--
Comment:
Thanks for the ticket. In the future, please Cc relevant port maintainers
and use [[WikiFormatting]] to format your ticket description.
Have you upgraded to openssl @1.0.1d or @1.0.1e? There have been…
problems… with these versions. To say the least. (See #38015, among
others.)
If you happen to still have @1.0.1c around (`port installed openssl`),
could you try activating that version to see if it clears up your problem?
{{{
sudo port activate openssl @1.0.1c
}}}
--
Ticket URL: <https://trac.macports.org/ticket/38055#comment:1>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
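
Added example (not part of the ticket or of MacPorts): a shell helper that triages a saved `openssl s_client` transcript like the one in the description, separating the fatal EC key-exchange abort from the `verify error:num=20` that s_client reports but does not treat as fatal by default. It matches on the two OpenSSL error codes shown in the ticket rather than on the message text, because mail wrapping splits that text across lines; the function name `classify_handshake` and the second sample are constructed for illustration.

```shell
#!/bin/sh
# classify_handshake: read an `openssl s_client` transcript on stdin, print one word:
#   ec-keyexchange  handshake aborted while decoding the server's EC point
#   no-cipher       handshake aborted for some other reason
#   verify-only     handshake completed; only chain verification failed
#   ok              handshake completed and the chain verified
classify_handshake() {
    awk '
        # Error codes as they appear in the ticket (1006706B = point is not
        # on curve, 1408D132 = bad ecpoint); codes survive line wrapping.
        /error:1006706B:/ || /error:1408D132:/ { ec = 1 }
        /Cipher is \(NONE\)/                  { none = 1 }
        /Verify return code:/                  { code = $4 }
        END {
            if (ec)                              print "ec-keyexchange"
            else if (none)                       print "no-cipher"
            else if (code != "" && code != "0")  print "verify-only"
            else                                 print "ok"
        }'
}

# Excerpt of the transcript from the ticket, with the mail wrapping left in.
TICKET_SAMPLE='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
140735302390236:error:1006706B:elliptic curve
routines:ec_GFp_simple_oct2point:point
is not on curve:ecp_oct.c:421:
140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
ecpoint:s3_clnt.c:1679:
New, (NONE), Cipher is (NONE)
Verify return code: 20 (unable to get local issuer certificate)'

# Constructed sample: same missing-CA condition, but a cipher was negotiated.
VERIFY_ONLY_SAMPLE='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
New, TLSv1/SSLv3, Cipher is RC4-SHA
Verify return code: 20 (unable to get local issuer certificate)'

printf 'ticket transcript: %s\n' "$(printf '%s\n' "$TICKET_SAMPLE" | classify_handshake)"
printf 'constructed case:  %s\n' "$(printf '%s\n' "$VERIFY_ONLY_SAMPLE" | classify_handshake)"

# Manual follow-up for the co-worker's suggestion (needs network, not run here):
#   openssl s_client -connect imap.gmail.com:993 -cipher 'DEFAULT:!ECDH'
```

If the transcript classifies as `ec-keyexchange` and the follow-up command with ECDH suites excluded completes the handshake, the failure is in EC key exchange rather than in the certificate store.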