On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> To OpenBSD ports list and MAINTAINER Amit Kulkarni,
>
> After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> self-signed certificate for an invalid host. The cert tells me to
> enable SNI in my client. I then reject the certificate. Recent changes
> in OpenBSD seem to have enabled TLSv1.3 in libssl.
>
> I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
>
> Amit, I see that you have GMail; does your Sylpheed work?
>
> This isn't where I expected to make my first commit,
> but is this OK to commit?

I'd prefer if you added an error check to this diff, something like:

	if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
		g_warning(_("Error setting servername extension\n"));
		return FALSE;
	}

With that it's ok tb

PS: The feature guards seem a bit pointless. SSL_CTRL_SET_TLSEXT_HOSTNAME
exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
removed a long time ago both in LibreSSL and OpenSSL.