Bug 22508

Summary: no ssl/tls support in alpine for cauldron / mga6
Product: Mageia
Reporter: Nicolas Pomarède <npomarede>
Component: RPM Packages
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: cjw
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: alpine-2.11-1.mga7
CVE:
Status comment:

Description Nicolas Pomarède 2018-02-02 15:56:37 CET
Hi

while mga5 supported encryption with alpine-2.03-2.mga5

alpine -supported
Supported features in this Alpine

Encryption:
  TLS and SSL
  S/MIME

the version alpine-2.11-1.mga7 in mga6/cauldron doesn't support any encryption, which prevents using alpine with many POP / IMAP servers where SSL is now mandatory:

alpine -supported
Supported features in this Alpine

Encryption:
  None (no TLS or SSL)

Is there any reason for removing encryption support, or is this just some flags that were forgotten during compilation?


Also note that Fedora has alpine 2.21, maybe we could use it too.

Comment 1 Jani Välimaa 2018-02-02 16:58:14 CET
Should be fixed in -2.mga7. Build pulled openssl 1.1.0, but only 1.0.0 is supported.
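
Added example, not part of the original report or of the Mageia package: a shell check a packager could run after the build to catch the regression reported here, where the package was built without TLS. It parses the `alpine -supported` output quoted in the description; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not from the alpine package.

# Print the entries under the "Encryption:" heading of `alpine -supported`
# output read from stdin, one per line, indentation stripped.
encryption_features() {
    awk '
        /^Encryption:/          { in_section = 1; next }
        in_section && /^[^ \t]/ { in_section = 0 }  # next unindented heading ends it
        in_section && NF        { sub(/^[ \t]+/, ""); print }
    '
}

# Exit status: 0 = TLS listed, 1 = entries present but no TLS,
# 2 = no Encryption entries found (output format changed or binary failed).
check_tls_support() {
    features=$(encryption_features)
    if [ -z "$features" ]; then
        echo "alpine -supported: no Encryption entries found" >&2
        return 2
    fi
    if printf '%s\n' "$features" | grep '^TLS' >/dev/null; then
        return 0
    fi
    echo "alpine built without TLS: $features" >&2
    return 1
}

# Outputs as quoted in the report description.
SAMPLE_WITH_TLS='Supported features in this Alpine

Encryption:
  TLS and SSL
  S/MIME'
SAMPLE_NO_TLS='Supported features in this Alpine

Encryption:
  None (no TLS or SSL)'

# Demo on the two samples; in a spec file %check this would instead be:
#   alpine -supported | check_tls_support
for sample in "$SAMPLE_WITH_TLS" "$SAMPLE_NO_TLS"; do
    if printf '%s\n' "$sample" | check_tls_support 2>/dev/null; then
        echo "PASS: TLS available"
    else
        echo "FAIL: no TLS in this build"
    fi
done
```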

Comment 2 Nicolas Pomarède 2018-02-02 19:05:28 CET
Thanks, I confirm -2.mga7 has working encryption.
Closing the bug.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 Christiaan Welvaart 2018-02-24 16:55:51 CET
Alpine 2.11-3.mga7 is built with openssl 1.1. Could you check that encryption still works?

CC: (none) => cjw

Comment 4 Nicolas Pomarède 2018-02-25 12:14:00 CET
Hi, I confirm encryption still works. The only change is that alpine seems to check the certificate by default now, but as indicated by a message in alpine when starting, this can be ignored by adding "/novalidate-cert" to the mailbox path.

Comment 5 Christiaan Welvaart 2018-02-25 15:43:39 CET
That is likely a bug in my patch. Is the error message you get "TLS/SSL failure: myserver: Server name does not match certificate"? I'll take another look at this code.

Comment 6 Nicolas Pomarède 2018-02-25 15:46:51 CET
Not sure it's a bug in your patch. The message I have is
"Unable to locate common name in certificate (details)"

I think it's a problem with my mail provider at work using a self-signed certificate.

Comment 7 Christiaan Welvaart 2018-02-25 17:12:07 CET
The code that emits the error message may very well have been wrong after my changes. In alpine-2.11-4.mga7 this code is not used anymore, replaced by openssl's built-in hostname verification. So you could try to remove the /novalidate-cert option again.

"self-signed" does not really say much; the problem you're referring to is probably that the CA used to sign a certificate is not listed as trusted in the client. But this behaviour should not change between openssl 1.0 and openssl 1.1. So if it worked with alpine-2.11-2 it should still work with alpine 2.11-4.

Comment 8 Nicolas Pomarède 2018-02-25 19:40:23 CET
With your latest 2.11-4, the flag /novalidate-cert is not needed anymore, there's no more warning when opening an IMAP with TLS/SSL port.

So, all seems fixed from my point of view, similar to how it was with 2.11-2.