Merge ~kstenerud/ubuntu/+source/fetchmail:disco-fetchmail-gmailssl-1798786 into ubuntu/+source/fetchmail:ubuntu/disco-devel

Proposed by Karl Stenerud
Status: Merged
Approved by: Andreas Hasenack
Approved revision: b1c6372c806e7a7c94a663469bed0a8597183ff5
Merge reported by: Andreas Hasenack
Merged at revision: b1c6372c806e7a7c94a663469bed0a8597183ff5
Proposed branch: ~kstenerud/ubuntu/+source/fetchmail:disco-fetchmail-gmailssl-1798786
Merge into: ubuntu/+source/fetchmail:ubuntu/disco-devel
Diff against target: 61 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/sni-support.patch (+32/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+358699@code.launchpad.net

Description of the change

Disco version of https://code.launchpad.net/~kstenerud/ubuntu/+source/fetchmail/+git/fetchmail/+merge/357802

Applied upstream patch to set hostname for SNI when using TLS. Without this, fetchmail fails to verify the SSL certificate using TLS 1.2.

Upstream patch: https://gitlab.com/fetchmail/fetchmail/commit/9b8b634312f169fab872f3580c2febe5af031615

PPA: ppa:kstenerud/cosmic-fetchmail-gmailssl-1798786

Steps to test:

# lxc launch ubuntu-daily:disco tester
# lxc exec tester bash
# apt update
# apt dist-upgrade -y
# apt install -y fetchmail
# echo "set postmaster \"root\"
poll pop.gmail.com with proto POP3
   user '<email address hidden>' there with password 'any-password' is root here options ssl
" > ~/.fetchmailrc
# chmod 700 ~/.fetchmailrc
# fetchmail -d0 -vk --sslcertck pop.gmail.com
...
fetchmail: Server certificate:
fetchmail: Unknown Organization
fetchmail: Issuer CommonName: invalid2.invalid
fetchmail: Subject CommonName: invalid2.invalid
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
...

# add-apt-repository -y ppa:kstenerud/cosmic-fetchmail-gmailssl-1798786
# apt update
# apt dist-upgrade -y
# fetchmail -d0 -vk --sslcertck pop.gmail.com
...
fetchmail: Server certificate:
fetchmail: Issuer Organization: Google Trust Services
fetchmail: Issuer CommonName: Google Internet Authority G3
fetchmail: Subject CommonName: pop.gmail.com
fetchmail: Subject Alternative Name: pop.gmail.com
...

Package Tests:

There are no package tests in fetchmail.

Christian Ehrhardt  (paelzer) wrote :

Note: I wondered if we should bug report to Debian as well.
But since the fix is upstream for a year already and Debian has 6.4 beta already, they will get it once upstream finalizes 6.4.

Only in case we would be afraid that this would take quite a while we'd need to ping them.
If we see this on the next cycle's merge still not being droppable, let's make sure to open a bug/PR with Debian.

Christian Ehrhardt  (paelzer) wrote :

LGTM as well.

@Andreas - did you check if disco is open now so you could upload this along the SRU version of it that you acked?
I still only saw the IRC chan say "open" but no mail - also as usual images missing still.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

A test build in disco would be nice since you never know what has changed.

Andreas Hasenack (ahasenack) wrote :

It's open, uploads are going through, but I also haven't seen an announcement email.

Andreas Hasenack (ahasenack) wrote :

Can you please squash the two changelog commits into one?

Karl Stenerud (kstenerud) wrote :
Andreas Hasenack (ahasenack) wrote :

Thanks, +1

review: Approve
Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index ab94753..10ac2ff 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+fetchmail (6.3.26-3ubuntu1) disco; urgency=medium
7+
8+ * d/p/sni-support.patch: TLS: set hostname for SNI. Thanks to Matthias
9+ Andree <matthias.andree@gmx.de> (LP: #1798786)
10+
11+ -- Karl Stenerud <karl.stenerud@canonical.com> Wed, 24 Oct 2018 05:12:24 -0700
12+
13 fetchmail (6.3.26-3build1) bionic; urgency=high
14
15 * No change rebuild against openssl1.1.
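Review bot: the entry is well-formed for a first Ubuntu delta on top of Debian's 6.3.26-3 (version 6.3.26-3ubuntu1, distribution disco, LP bug reference, author attribution). One thing worth recording in this entry for whoever does the next merge: the change is an already-applied upstream commit (the patch's Origin line carries the gitlab hash), so a short "upstream commit, droppable once Debian ships a release containing it" remark here saves the later merger from re-deriving that from the patch header; the review thread already notes that 6.4 is expected to carry it.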
16diff --git a/debian/patches/series b/debian/patches/series
17index 6739ab6..4df8704 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -1,2 +1,3 @@
21 01_fetchmailconf.patch
22 02_remove_SSLv3.patch
23+sni-support.patch
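Review bot: the new entry is appended after 02_remove_SSLv3.patch, which is the right position (it touches socket.c independently of the two existing patches), but it does not follow the numbered prefix convention the other two entries use. Either rename it to `03_sni-support.patch` for consistency, or keep the unnumbered name deliberately as a visual marker that this is the Ubuntu-only, upstream-cherry-picked patch in the series; if the latter, say so in the changelog so the next merger knows the naming is intentional.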
24diff --git a/debian/patches/sni-support.patch b/debian/patches/sni-support.patch
25new file mode 100644
26index 0000000..b170947
27--- /dev/null
28+++ b/debian/patches/sni-support.patch
29@@ -0,0 +1,32 @@
30+Description: TLS: set hostname for SNI.
31+Author: Matthias Andree <matthias.andree@gmx.de>
32+Origin: upstream, https://gitlab.com/fetchmail/fetchmail/commit/9b8b634312f169fab872f3580c2febe5af031615
33+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fetchmail/+bug/1798786
34+Last-Update: 2018-10-24
35+---
36+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
37+diff --git a/socket.c b/socket.c
38+index 58a8e15..6aef911 100644
39+--- a/socket.c
40++++ b/socket.c
41+@@ -986,6 +986,20 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
42+ _verify_ok = 1;
43+ _prev_err = -1;
44+
45++ /*
46++ * Support SNI, some servers (googlemail) appear to require it.
47++ */
48++ {
49++ long r;
50++ r = SSL_set_tlsext_host_name(_ssl_context[sock], servercname);
51++
52++ if (0 == r) {
53++ /* handle error */
54++ report(stderr, GT_("Warning: SSL_set_tlsext_host_name(%p, \"%s\") failed (code %#lx), trying to continue.\n"), _ssl_context[sock], servercname, r);
55++ ERR_print_errors_fp(stderr);
56++ }
57++ }
58++
59+ if( mycert || mykey ) {
60+
61+ /* Ok... He has a certificate file defined, so lets declare it. If
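Review bot: `servercname` is handed to SSL_set_tlsext_host_name unconditionally, and RFC 6066 does not permit IPv4 or IPv6 literals in the SNI HostName, so a user who polls a server by address rather than by name would now send a non-conforming extension. A guard that skips the SNI call when `inet_pton` accepts servercname as an address keeps the hostname case this patch fixes while leaving the address case unchanged. The decision to warn and continue when the call returns 0 is sound: the CommonName/SAN check later in SSLOpen still runs against servercname, so a failed SNI setup degrades to the pre-patch behaviour (the server presenting its default certificate and verification failing, as in the first test run in the description) rather than to a weaker check. Minor: the `(code %#lx)` in the warning always prints 0 in that branch, so the useful detail comes from ERR_print_errors_fp; the format could drop the code or print the errno-style error from ERR_get_error instead.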
