| Field | Value |
|---|---|
| Summary | Socket error with POP3 using TLS client certificate |
| Product | Claws Mail (GTK 2) |
| Reporter | Thomas Orgis <thomas-forum> |
| Component | POP3 |
| Assignee | users |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P3 |
| Version | 3.14.0 |
| Hardware | PC |
| OS | Linux |
| Attachments | 3684-fix-v1 (attachment 1683) |
Description
Thomas Orgis
2016-09-02 09:49:47 UTC
Comment (Thomas Orgis)

> Did you try it with gnutls-cli instead of openssl? Claws Mail uses GnuTLS and not OpenSSL.

It also works with gnutls-cli:

```
shell$ gnutls-cli -s -p 110 --insecure --x509keyfile=username.key --x509certfile=username.cert example.org
Processed 0 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'example.org'...
Connecting to '123.123.123.123'...
- Simple Client Mode:

+OK Dovecot ready.
stls
+OK Begin TLS negotiation now.
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
[...]
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
- Successfully sent 1 certificate(s) to server.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: [...]
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Client Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
USER username
+OK
PASS blabla
+OK Logged in.
list
+OK 148 messages:
1 2120
2 13332
3 1040
4 995
5 1280
6 29042
[...]
.
quit
+OK Logging out.
- Peer has closed the GnuTLS connection
```

> Did you use the 'Client certificates' options in the Account Preferences on the SSL page?

Yes, that is where I put in the path to the file containing the key and cert (concatenated). The key is not protected by a passphrase, so the password field is empty. When I only put in the cert file, claws gives a parsing error and the failure is different. And: Blocking or non-blocking SSL does not make a difference.

> You're using the STARTTLS option in claws-mail? Perhaps if you provide all the necessary details in relation to the server someone can test.

Yes, I am using STARTTLS in claws-mail, with port 110. I thought that is obvious from the openssl and gnutls tests as well as the debug log:

```
[09:45:05] POP3> STLS
[09:45:06] POP3< +OK Begin TLS negotiation now.
```

What settings are missing? This is a dovecot server that accepts client certificates, I tried all variations of options in claws (STARTTLS, non-blocking) … I don't see any further settings to tweak. Perhaps somebody can provide logs from a working session with client certificates so that one can spot a difference (probably also the gnutls-cli test to see details about the encryption). So far I only have a report from another user trying claws-mail with that very same server and the same results. I do not have prior experience with client certificates for mail, nor other servers to test. People report success using mpop with this server. I hoped to be able to use claws to fetch from that account together with all the others.

Comment (Thomas Orgis)

Sorry for bumping, but the sudden silence surprises me. Any reproduction of this issue yet?

Comment

Created attachment 1683: 3684-fix-v1

If you're running GnuTLS 3.0 or newer, and are able to compile Claws Mail for testing, please try this patch.

Comment (Thomas Orgis)

I got gnutls-3.4.14 (update to 3.4.15 pending) and with this patch, I can fetch the mail using the client certificate. Thanks!

Comment

Thanks for testing, I cleaned up the patch a bit and committed it to our git. The fix will be included in the next release.

Comment

Changes related to this bug have been committed. Please check latest Git and update the bug accordingly. You can also get the patch from: http://git.claws-mail.org/

```
++ ChangeLog 2016-09-18 10:51:03.052559317 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=6eea5b249c34d9abd73f43ad987df4a667c10882
Merge: 471adf7 a05eeae
Author: Colin Leroy <colin@colino.net>
Date: Sun Sep 18 10:51:02 2016 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=a05eeae0e79999d34dd02d733fc83e9d04082b03
Author: Andrej Kacian <ticho@claws-mail.org>
Date: Sun Sep 18 10:46:58 2016 +0200

    Fix using client TLS certificates for GnuTLS 3.0 and up.

    3.0 introduced new API for setting client certificates,
    gnutls_certificate_set_retrieve_function2(). This fixes bug #3684.
```
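As an added example (not code from the Claws Mail project or from anyone in this thread), the two checks a mail administrator would run before deciding whether the client or the account setup is at fault. The first part parses a concatenated cert+key PEM file, the form the 'Client certificates' setting discussed above takes, and reports whether it holds both a certificate and a private key and whether that key is passphrase-protected (the reporter notes that a cert-only file fails in a different way). The second part repeats the gnutls-cli session with Python's standard `poplib`: STLS on port 110, client certificate, USER/PASS, then STAT, with server verification left on (pass a CA file for a private CA rather than the `--insecure` shortcut used in the manual test). Function names, the host, account and file names, and the sample PEM text are assumptions constructed for this example; the PEM bodies are dummies, not key material.

```python
"""Pre-flight checks for POP3 STARTTLS with a TLS client certificate.

Added example with hypothetical helper names; sample data is constructed.
"""
import poplib
import re
import ssl

# One PEM block: "-----BEGIN label-----", body, "-----END label-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Labels under which PEM files carry a private key (PKCS#8, PKCS#1, SEC1).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_identity_file(text):
    """Check a combined cert+key PEM as a mail client's client-certificate file.

    Returns (usable, reason). A cert-only or key-only file is unusable;
    an encrypted key is usable but the account needs the password field.
    """
    labels = pem_blocks(text)
    n_cert = labels.count("CERTIFICATE")
    key_labels = [lab for lab in labels if lab in KEY_LABELS]
    if not labels:
        return False, "no PEM blocks found"
    if n_cert == 0:
        return False, "no CERTIFICATE block: the file only holds a key"
    if not key_labels:
        return False, "no private key block: the file only holds the certificate"
    # PKCS#8 encrypted keys use their own label; legacy PKCS#1/SEC1 keys
    # mark encryption with a Proc-Type header inside the block.
    encrypted = ("ENCRYPTED PRIVATE KEY" in key_labels
                 or "Proc-Type: 4,ENCRYPTED" in text)
    if encrypted:
        return True, "passphrase-protected private key: set the password field"
    return True, f"{n_cert} certificate(s) and an unencrypted private key"


def build_client_context(pem_path, ca_path=None):
    """TLS client context that presents the cert and key found in pem_path.

    Server verification stays enabled; ca_path points at a private CA
    bundle when the server certificate is not publicly trusted.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.load_cert_chain(certfile=pem_path)  # key is read from the same file
    return ctx


def pop3_starttls_with_client_cert(host, port, pem_path, user, password,
                                   ca_path=None):
    """Repeat the gnutls-cli session: STLS, client cert, USER/PASS, STAT."""
    pop = poplib.POP3(host, port, timeout=30)
    try:
        pop.stls(context=build_client_context(pem_path, ca_path))
        cipher, version, _bits = pop.sock.cipher()  # negotiated suite
        pop.user(user)
        pop.pass_(password)
        count, octets = pop.stat()
        pop.quit()
    except Exception:
        pop.close()
        raise
    return {"tls": version, "cipher": cipher,
            "messages": count, "octets": octets}


# Constructed sample: PEM bodies are dummies, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, text in [("cert+key", SAMPLE_CERT + SAMPLE_KEY),
                        ("cert only", SAMPLE_CERT),
                        ("key only", SAMPLE_KEY)]:
        print(label, check_identity_file(text))
    # Live check against a placeholder server (hypothetical host and account):
    # print(pop3_starttls_with_client_cert("pop.example.org", 110,
    #                                      "username.pem", "username", "secret"))
```

Running the file alone exercises only the PEM check; the live `pop3_starttls_with_client_cert` call is left commented because it needs a reachable server. Its return value (TLS version, cipher, message count) is the same information the gnutls-cli transcript above shows, so the two can be compared line for line when a client fails where the command-line test succeeds.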