On Mon, Oct 19, 2020 at 06:20:22PM +0200, Landry Breuil wrote:
> On Mon, Oct 19, 2020 at 06:16:28PM +0200, Landry Breuil wrote:
> > Hi,
> >
> > upgraded openbsd vm at work to 6.8, this one runs (among many other things)
> > dovecot+sogo. No issues connecting to dovecot over tls from thunderbird, or
> > openssl s_client -starttls imap, be it with -tls1_2 or not.
> >
> > sogo though feels utterly broken when trying to view the 'mail' part in
> > the web interface, and that seems to point at TLS:
> >
> > Oct 19 18:11:32 sogod [54069]: 127.0.0.1 "POST
> > /SOGo/so/breuil/Mail/0/folderINBOX/view HTTP/1.1" 204 0/126 0.221 - - -
> > 2020-10-19 18:11:32.801 sogod[54069:3709806170120]
> > ERROR(-[NGActiveSSLSocket startTLS]): couldn't setup SSL connection on host
> > localhost (error:00000001:lib(0):func(0):reason(1))...
> > Oct 19 18:11:32 sogod [54069]: <0x0x3602ada0608[NGImap4Client]> Could not
> > start TLS.
> > Oct 19 18:11:32 sogod [54069]: <0x0x3602ada0608[NGImap4Client]>
> > ERROR(-[NGImap4Client _processUnknownCommandParserException:]): catched
> > non-IMAP4 parsing exception NGStreamWriteErrorException: stream error
> > occured, errno=9 error=Bad file descriptor
> > Oct 19 18:11:32 sogod [54069]: [ERROR]
> > <0x0x36034545268[NGImap4ConnectionManager]> IMAP4 login failed:
> > host=localhost, user=breuil, pwd=yes
> > url=imaps://breuil@localhost/?tls=YES&tlsVerifyMode=default
> > base=(null)
> > base-class=(null))
> > = <0x0x3602ada0608[NGImap4Client]: login=breuil(pwd)
> > socket=<NGActiveSocket[0x0x35ff627cf88]: mode=rw
> > address=<0x0x35f8ddf01c8[NGInternetSocketAddress]: host=localhost
> > port=3324> connectedTo=<0x0x35fbfff1a48[NGInternetSocketAddress]:
> > host=localhost port=143>>>
> > Oct 19 18:11:32 sogod [54069]: <0x35f82782708[SOGoMailAccount]:0> renewing
> > imap4 password
> > 2020-10-19 18:11:32.871 sogod[54069:3709806170120]
> > ERROR(-[NGActiveSSLSocket startTLS]): couldn't setup SSL connection on host
> > localhost (error:00000001:lib(0):func(0):reason(1))...
> > Oct 19 18:11:32 sogod [54069]: <0x0x35fc1199408[NGImap4Client]> Could not
> > start TLS.
> > Oct 19 18:11:32 sogod [54069]: <0x0x35fc1199408[NGImap4Client]>
> > ERROR(-[NGImap4Client _processUnknownCommandParserException:]): catched
> > non-IMAP4 parsing exception NGStreamWriteErrorException: stream error
> > occured, errno=9 error=Bad file descriptor
> > Oct 19 18:11:32 sogod [54069]: [ERROR]
> > <0x0x36034545268[NGImap4ConnectionManager]> IMAP4 login failed:
> > host=localhost, user=breuil, pwd=yes
> > url=imaps://breuil@localhost/?tls=YES&tlsVerifyMode=default
> > base=(null)
> > base-class=(null))
> > = <0x0x35fc1199408[NGImap4Client]: login=breuil(pwd)
> > socket=<NGActiveSocket[0x0x35f99769608]: mode=rw
> > address=<0x0x35fdaa83608[NGInternetSocketAddress]: host=localhost
> > port=37299> connectedTo=<0x0x35febbc6048[NGInternetSocketAddress]:
> > host=localhost port=143>>>
> >
> > so i dunno whether there's an issue in the objective-C client part or in
> > dovecot, but that's a pretty bad regression so far. Ofc, havent been able
> > to test that before....
>
> ofc, forgot part of the relevant info, here's what dovecot says in its
> log for each attempt:
>
> dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>,
> rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed:
> error:1404A416:SSL routines:ST_ACCEPT:sslv3 alert certificate unknown: SSL
> alert number 46
>
> Landry
This seems to point in the direction of the new validator. As a first
step to debugging this, let's check if forcing the use of the old
validator makes this work.
Could you try this diff?
Index: Makefile
===================================================================
RCS file: /var/cvs/ports/www/sope/Makefile,v
retrieving revision 1.86
diff -u -p -r1.86 Makefile
--- Makefile 2 Sep 2020 19:49:58 -0000 1.86
+++ Makefile 19 Oct 2020 18:06:16 -0000
@@ -9,6 +9,7 @@ DISTNAME = SOPE-${VERSION}
PKGNAME-main = sope-${VERSION}
PKGNAME-mysql = sope-mysql-${VERSION}
PKGNAME-postgres = sope-postgres-${VERSION}
+REVISION-main = 0
SO_MAJOR= 6
SO_MINOR= 0
Index: patches/patch-sope-core_NGStreams_NGActiveSSLSocket_m
===================================================================
RCS file: patches/patch-sope-core_NGStreams_NGActiveSSLSocket_m
diff -N patches/patch-sope-core_NGStreams_NGActiveSSLSocket_m
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-sope-core_NGStreams_NGActiveSSLSocket_m 19 Oct 2020
18:13:27 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+
+Index: sope-core/NGStreams/NGActiveSSLSocket.m
+--- sope-core/NGStreams/NGActiveSSLSocket.m.orig
++++ sope-core/NGStreams/NGActiveSSLSocket.m
+@@ -577,6 +577,15 @@ static int cert_verify_callback(X509_STORE_CTX *x509_c
+ return nil;
+ }
+ #else
++#if defined(X509_V_FLAG_LEGACY_VERIFY)
++ X509_VERIFY_PARAM *param = SSL_get0_param(self->ssl);
++ if (param != NULL) {
++ int verify_flags;
++ verify_flags = X509_VERIFY_PARAM_get_flags(param);
++ verify_flags |= X509_V_FLAG_LEGACY_VERIFY;
++ X509_VERIFY_PARAM_set_flags(param, verify_flags);
++ }
++#endif
+ SSL_set1_host(self->ssl, [hostName UTF8String]);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
