On Mon, Jan 27, 2020 at 12:05:47PM +1100, Theo Buehler wrote:
> On Sun, Jan 26, 2020 at 06:38:59PM -0500, George Koehler wrote:
> > To OpenBSD ports list and MAINTAINER Amit Kulkarni,
> >
> > After I did sysupgrade today, Sylpheed can't connect to imap.gmail.com.
> > It uses TLSv1.3 (sylpheed --debug) and shows a dialog box with a
> > self-signed certificate for an invalid host. The cert tells me to
> > enable SNI in my client. I then reject the certificate. Recent changes
> > in OpenBSD seem to have enabled TLSv1.3 in libssl.
> >
> > I fixed it with this patch from Sylpheed's bug tracker, also in Debian:
> > https://sources.debian.org/patches/sylpheed/3.7.0-5/0009-support-SNI-for-IMAP.patch/
> >
> > Amit, I see that you have GMail; does your Sylpheed work?
> >
> > This isn't where I expected to make my first commit,
> > but is this OK to commit?
>
> I'd prefer if you added an error check to this diff, something like:
>
>     if (!SSL_set_tlsext_host_name(sockinfo->ssl, sockinfo->hostname)) {
>         g_warning(_("Error setting servername extension\n"));

Sorry, without the _()

>         return FALSE;
>     }
>
> With that it's ok tb
>
> PS: The feature guards seem a bit pointless. SSL_CTRL_SET_TLSEXT_HOSTNAME
> exists since the mid-2000s at least. Support for OPENSSL_NO_TLSEXT was
> removed a long time ago both in LibreSSL and OpenSSL.
>