Bug 3304 - SSL handshake failed. gnutls, claws, or openssl?
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: POP3
Version: 3.10.1
Hardware: All Linux
Importance: P3 critical
Assignee: users
Reported: 2014-10-21 03:17 UTC by HawKing
Modified: 2014-10-21 09:51 UTC

Description HawKing 2014-10-21 03:17:39 UTC
In both Fedora20 and Ubuntu14.10, upon checking mail, I am now getting "SSL handshake failed" on several pop3/smtp accounts, all of which worked continuously for years previously in Claws, with no local settings changes having been made.

claws-mail --debug produces the following error:
ssl.c:229:waiting for SSL_connect thread...
ssl.c:247:SSL_connect thread returned -12
** (claws-mail:3005): WARNING **: SSL connection failed (A TLS fatal alert has been received.)
** (claws-mail:3005): WARNING **: can't initialize SSL.
** (claws-mail:3005): WARNING **: [20:44:18] SSL handshake failed

Diagnostic evidence includes the following:

1) Accounts at different email servers broke at different times over the past week. I have around 15 email accounts. One pop3 account stopped working while SMTP still worked, and the other 14 still worked. Then another server (3 more accounts, pop and smtp) broke, and finally, days later, another server (2 more, pop and smtp) broke with the same error. Email was checked in between on all accounts, and all remaining worked in between.

2) Updates of gnutls, claws-mail, or my local openssl were not temporally correlated with breakage of any account, as all had occurred weeks before they broke, with daily email checking.

3) The same error replicates across operating systems, on Fedora20 and Ubuntu 14.10. 

4) To further diagnose, I checked all of these accounts in Thunderbird, which still works fine for sending and receiving via pop/smtp and SSL/TLS.

5) In claws, STARTTLS->SSL works for the accounts where SSL/TLS is broken in Claws. Two different email servers have both SSL/TLS options and a STARTTLS option. The latter STARTTLS->SSL works fine still for servers where both should work, but SSL does not.

The progressive breakdown (email servers stopped working at different times) leads me to conclude a remote update shared across the three servers broke SSL handshaking. I would guess openssl on the servers?

I'm not sure how to track this bug in a more detailed way.

Any advice about where to go from here?

Also, as an aside, why is it that in the account summary, claws lists any STARTTLS->SSL account as (TLS) and any SSL/TLS as (SSL)? In my understanding, they don't differ in use of TLS versus SSL but use the same encryption, and STARTTLS just starts as plaintext first.
Comment 1 Paul 2014-10-21 09:47:13 UTC
It looks to me that all those servers are still using SSLv3 and probably should not be.
Comment 2 Paul 2014-10-21 09:51:08 UTC
Oh, a correction to what I wrote. I see now that you're using version 3.10.1 still. You need to upgrade to 3.11.0, this has been fixed.
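
The debug output in the description only reports that a fatal alert arrived, not which alert or which protocol version the record carried. As an added example (not part of the bug report and not Claws Mail or GnuTLS code), this Python sketch decodes plaintext TLS alert records from raw server-to-client bytes; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Record-layer version field -> protocol name
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of alert descriptions (RFC 5246; 86 is from RFC 7507)
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          47: "illegal_parameter", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error",
          86: "inappropriate_fallback"}
CT_ALERT = 21  # record content type used for alerts


def parse_records(data):
    """Split a byte stream into (content_type, version, payload) TLS records."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        records.append((ctype, version, payload))
        pos += 5 + length
    return records


def explain_alerts(data):
    """Return (record version, level, description) for each plaintext alert."""
    found = []
    for ctype, version, payload in parse_records(data):
        if ctype != CT_ALERT or len(payload) != 2:
            continue  # not an alert, or an encrypted alert we cannot read
        level, desc = payload
        found.append((VERSIONS.get(version, hex(version)),
                      ALERT_LEVELS.get(level, "level %d" % level),
                      ALERTS.get(desc, "alert %d" % desc)))
    return found


# Constructed sample: alert record, TLS 1.0 record version, fatal, code 70
SAMPLE = bytes.fromhex("15030100020246")

if __name__ == "__main__":
    for item in explain_alerts(SAMPLE):
        print(item)
```

The input is the raw bytes the server sent back on the failed connection, for example exported from a packet capture of the handshake.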
