Comment 26 for bug 1798786

Andreas Hasenack (ahasenack) wrote :

Bionic verification

First, reproducing the bug, following the test steps:

Version used:
 *** 6.3.26-3build1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Bug reproduced:
root@bionic-fetchmail-sni:~# fetchmail -d0 -vk --sslcertck pop.gmail.com
fetchmail: WARNING: Running as root is discouraged.
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:27:44 2019: poll started
Trying to connect to 64.233.190.108/995...connected.
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 90:4A:C8:D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from <email address hidden>@pop.gmail.com
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:27:44 2019: poll completed
fetchmail: Query status=2 (SOCKET)
fetchmail: normal termination, status 2

Now updating to this version:
root@bionic-fetchmail-sni:~# apt-cache policy fetchmail
fetchmail:
  Installed: 6.3.26-3ubuntu0.1~18.04.1
  Candidate: 6.3.26-3ubuntu0.1~18.04.1
  Version table:
 *** 6.3.26-3ubuntu0.1~18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

This time, TLS 1.3 is established, and we just get the authentication error as expected:
root@bionic-fetchmail-sni:~# fetchmail -d0 -vk --sslcertck pop.gmail.com
fetchmail: WARNING: Running as root is discouraged.
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:28:52 2019: poll started
Trying to connect to 64.233.186.108/995...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Google Trust Services
fetchmail: Issuer CommonName: Google Internet Authority G3
fetchmail: Subject CommonName: pop.gmail.com
fetchmail: Subject Alternative Name: pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: BC:92:09:CC:42:0E:AA:91:CA:B6:64:C5:80:8B:08:74
fetchmail: SSL/TLS: using protocol TLSv1.3, cipher TLS_AES_256_GCM_SHA384, 256/256 secret/processed bits
fetchmail: POP3< +OK Gpop ready for requests from 177.16.188.25 z4mb74186347qtc
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< USER
fetchmail: POP3< RESP-CODES
fetchmail: POP3< EXPIRE 0
fetchmail: POP3< LOGIN-DELAY 300
fetchmail: POP3< TOP
fetchmail: POP3< UIDL
fetchmail: POP3< X-GOOGLE-RICO
fetchmail: POP3< SASL PLAIN XOAUTH2 OAUTHBEARER
fetchmail: POP3< .
fetchmail: POP3> USER <email address hidden>
fetchmail: POP3< +OK send PASS
fetchmail: POP3> PASS *
fetchmail: POP3< -ERR [AUTH] Username and password not accepted.
fetchmail: [AUTH] Username and password not accepted.
fetchmail: Authorization failure on <email address hidden>@gmail-pop.l.google.com
fetchmail: For help, see http://www.fetchmail.info/fetchmail-FAQ.html#R15
fetchmail: POP3> QUIT
fetchmail: POP3< +OK Bye z4mb74186347qtc
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:28:53 2019: poll completed
fetchmail: Query status=3 (AUTHFAIL)
fetchmail: normal termination, status 3

Bionic verification succeeded.