22508 – no ssl/tls support in alpine for cauldron / mga6

Bug 22508 - no ssl/tls support in alpine for cauldron / mga6

Summary: no ssl/tls support in alpine for cauldron / mga6

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	RPM Packages (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Mageia Bug Squad
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-02-02 15:56 CET by Nicolas Pomarède
Modified:	2018-02-25 19:40 CET (History)
CC List:	1 user (show)

See Also:
Source RPM:	alpine-2.11-1.mga7
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Pomarède 2018-02-02 15:56:37 CET

Hi

while mga5 supported encryption with alpine-2.03-2.mga5

alpine -supported
Supported features in this Alpine

Encryption:
  TLS and SSL
  S/MIME

the version alpine-2.11-1.mga7 in mga6/cauldron doesn't support any encryption which prevents from using alpine with many pop / imap servers where ssl is now mandatory :

alpine -supported
Supported features in this Alpine

Encryption:
  None (no TLS or SSL)

Is there any reason for removing encryption support or is this just some flags that were forgotten during compilation ?


Also note that Fedora has alpine 2.21, maybe we could use it too.

Comment 1 Jani Välimaa 2018-02-02 16:58:14 CET

Should be fixed in -2.mga7. Build pulled openssl 1.1.0, but only 1.0.0 is supported.

Comment 2 Nicolas Pomarède 2018-02-02 19:05:28 CET

Thanks, I confirm -2.mga7 has working encryption.
Closing the bug.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 Christiaan Welvaart 2018-02-24 16:55:51 CET

Alpine 2.11-3.mga7 is built with openssl 1.1. Could you check that encryption still works?

CC: (none) => cjw

Comment 4 Nicolas Pomarède 2018-02-25 12:14:00 CET

Hi, I confirm encryption still works. Only change is that alpine seems to check the certificate by default now, but as indicated by a message in alpine when starting, this can be ignored by adding "/novalidate-cert" to mailbox path.

Comment 5 Christiaan Welvaart 2018-02-25 15:43:39 CET

That is likely a bug in my patch. Is the error message you get "TLS/SSL failure: myserver: Server name does not match certificate" ? I'll take another look at this code.

Comment 6 Nicolas Pomarède 2018-02-25 15:46:51 CET

Not sure it'a bug in your patch. the message I have is 
"Unable to locate common name in certificate (details)"

I think it's a problem with my mail provider at work using a self signed certificate.

Comment 7 Christiaan Welvaart 2018-02-25 17:12:07 CET

The code that emits the error message may very well have been wrong after my changes. In alpine-2.11-4.mga7 this code is not used anymore, replaced by openssl's built-in hostname verification. So you could try to remove the /novalidate-cert option again.

"self-signed" does not really say much, the problem you're referring to is probably that the CA used to sign a certificate is not listed as trusted in the client. But this behaviour should not change between openssl 1.0 and openssl 1.1. So if it worked with alpine-2.11-2 it should still work with alpine 2.11-4.

Comment 8 Nicolas Pomarède 2018-02-25 19:40:23 CET

With your latest 2.11-4, the flag /novalidate-cert is ot needed anymore, there's no more warning when opening an IMAP with TLS/SSL port.

So, all seems fixed from my point of view, similar as it was with 2.11-2

Note You need to log in before you can comment on or make changes to this bug.