Bug reproduced:
root@bionic-fetchmail-sni:~# fetchmail -d0 -vk --sslcertck pop.gmail.com
fetchmail: WARNING: Running as root is discouraged.
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:27:44 2019: poll started
Trying to connect to 64.233.190.108/995...connected.
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 90:4A:C8:D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from <email address hidden>@pop.gmail.com
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:27:44 2019: poll completed
fetchmail: Query status=2 (SOCKET)
fetchmail: normal termination, status 2
Now updating to this version:
root@bionic-fetchmail-sni:~# apt-cache policy fetchmail
fetchmail:
Installed: 6.3.26-3ubuntu0.1~18.04.1
Candidate: 6.3.26-3ubuntu0.1~18.04.1
Version table:
*** 6.3.26-3ubuntu0.1~18.04.1 500
500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
This time, TLS1.3 is established, and we just get the authentication error as expected:
root@bionic-fetchmail-sni:~# fetchmail -d0 -vk --sslcertck pop.gmail.com
fetchmail: WARNING: Running as root is discouraged.
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:28:52 2019: poll started
Trying to connect to 64.233.186.108/995...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Google Trust Services
fetchmail: Issuer CommonName: Google Internet Authority G3
fetchmail: Subject CommonName: pop.gmail.com
fetchmail: Subject Alternative Name: pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: BC:92:09:CC:42:0E:AA:91:CA:B6:64:C5:80:8B:08:74
fetchmail: SSL/TLS: using protocol TLSv1.3, cipher TLS_AES_256_GCM_SHA384, 256/256 secret/processed bits
fetchmail: POP3< +OK Gpop ready for requests from 177.16.188.25 z4mb74186347qtc
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< USER
fetchmail: POP3< RESP-CODES
fetchmail: POP3< EXPIRE 0
fetchmail: POP3< LOGIN-DELAY 300
fetchmail: POP3< TOP
fetchmail: POP3< UIDL
fetchmail: POP3< X-GOOGLE-RICO
fetchmail: POP3< SASL PLAIN XOAUTH2 OAUTHBEARER
fetchmail: POP3< .
fetchmail: POP3> USER <email address hidden>
fetchmail: POP3< +OK send PASS
fetchmail: POP3> PASS *
fetchmail: POP3< -ERR [AUTH] Username and password not accepted.
fetchmail: [AUTH] Username and password not accepted.
fetchmail: Authorization failure on <email address hidden>@gmail-pop.l.google.com
fetchmail: For help, see http://www.fetchmail.info/fetchmail-FAQ.html#R15
fetchmail: POP3> QUIT
fetchmail: POP3< +OK Bye z4mb74186347qtc
fetchmail: 6.3.26 querying pop.gmail.com (protocol POP3) at Wed Jun 12 15:28:53 2019: poll completed
fetchmail: Query status=3 (AUTHFAIL)
fetchmail: normal termination, status 3
Bionic verification
First, reproducing the bug, following the test steps:
Version used:
*** 6.3.26-3build1 500
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Bionic verification succeeded.
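Added example, not part of the original comment or of fetchmail: a small triage helper for verbose fetchmail logs like the two above. In the failing run fetchmail's hint points at --sslcertpath and c_rehash, while the "No SNI provided" OU of the presented certificate names the actual cause. The verdict labels and the `triage` function are names chosen for this example, and the marker string is the one this server sent; other servers may respond differently.

```python
import re

# Patterns match the fetchmail 6.3.26 -v lines quoted above; the verdict
# names are labels chosen for this example.
NO_SNI_MARKER = "No SNI provided"   # OU of the placeholder certificate in the log
VERIFY_ERR = re.compile(r"Server certificate verification error: (.+)")
TLS_OK = re.compile(r"SSL/TLS: using protocol (\S+?),")
STATUS = re.compile(r"Query status=(\d+) \((\w+)\)")

# Excerpts of the two polls above, trimmed to the lines that matter.
BEFORE = """\
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: Query status=2 (SOCKET)
"""
AFTER = """\
fetchmail: Subject CommonName: pop.gmail.com
fetchmail: SSL/TLS: using protocol TLSv1.3, cipher TLS_AES_256_GCM_SHA384, 256/256 secret/processed bits
fetchmail: Query status=3 (AUTHFAIL)
"""


def triage(log_text):
    """Classify one verbose fetchmail poll by how far the TLS setup got."""
    result = {"verdict": "unknown", "protocol": None, "status": None, "reason": None}
    status = STATUS.search(log_text)
    if status:
        result["status"] = status.group(2)
    tls = TLS_OK.search(log_text)
    if tls:
        # Handshake completed; anything that failed afterwards is not a TLS problem.
        result["protocol"] = tls.group(1)
        result["verdict"] = "tls-ok-auth-failed" if result["status"] == "AUTHFAIL" else "tls-ok"
        return result
    err = VERIFY_ERR.search(log_text)
    if err:
        result["reason"] = err.group(1)
        # The placeholder certificate names the cause itself; without the marker,
        # treat it as an ordinary trust-store or hostname failure.
        result["verdict"] = "missing-sni" if NO_SNI_MARKER in log_text else "cert-verify-failed"
    return result


if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER)):
        print(name, triage(log))
```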