Opened 12 years ago

Last modified 10 years ago

#38055 closed defect

alpine openssl and gmail — at Initial Version

Reported by: schnide (Joe Schnide) Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version: 2.1.3
Keywords: Cc:
Port: alpine openssl

Description

Hello,

After a recent update of alpine and of openssl, alpine now comes back with the following on launch going to my inbox: There was an SSL/TLS failure for the server

imap.gmail.com

The reason for the failure was

SSL negotiation failed

This is just an informational message. With the current setup, SSL/TLS will not work. If this error re-occurs every time you run Alpine, your current setup is not compatible with the configuration of your mail server. You may want to add the option

/notls

to the name of the mail server you are attempting to access. In other words, wherever you see the characters

imap.gmail.com

in your configuration, replace those characters with

imap.gmail.com/notls

Type RETURN to continue.

A co-worker suggested trying the following command: $ openssl s_client -connect imap.gmail.com:993 CONNECTED(00000003) depth=1 C = US, O = Google Inc, CN = Google Internet Authority verify error:num=20:unable to get local issuer certificate verify return:0 140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421: 140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679: --- Certificate chain

0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com

i:/C=US/O=Google Inc/CN=Google Internet Authority

1 s:/C=US/O=Google Inc/CN=Google Internet Authority

i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

--- Server certificate


<snip>


subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com issuer=/C=US/O=Google Inc/CN=Google Internet Authority --- No client certificate CA names sent --- SSL handshake has read 1891 bytes and written 7 bytes --- New, (NONE), Cipher is (NONE) Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session:

Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1360709165 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

--- After seeing this ouput, he remarked: I think alpine uses the same cert store as openssl. But the point not on curve error is more interesting. More likely, the new openssl supports ECC ciphers out of the box, and there's some incompatibility with Google's support for it. You might want to see if Alpine supports configuration of the acceptable ciphers (like the Apache SSLCiphers or SSH's Cipher option). Then set it to remove the ECC ciphers and see if it's happier. -- I didn't see where to configure acceptable ciphers in alpine and not sure if that needs to be configured in openssl. I'd liek to continue to use alpine to access gmail but am not sure what the updates to alpine, openssl and/or dependencies may have done to cause these issues.

Please let me know if I can provide further information.

Thanks Joe

Change History (0)

Note: See TracTickets for help on using tickets.