Created attachment 2062 [details]
certificate error with gmail
Hi, I set up my gmail account but I get the attached certificate error. I didn't accept it. My OS is Windows 7 and Claws mail 3.17.4 32-bit.
I am also getting this same problem when connecting to my gmail using Claws mail 3.17.4 64-bit on Windows 7. The configuration I use is the recommended imap.gmail.com on SSL port 995.
On Linux and claws-mail from 3.17.4 to 3.17.8 exactly the same problem
(In reply to Serg from comment #2)
Simply not true. Either you have use_tls_sni turned off in claws-mail, or you are using an old version of gnuTLS.
```
rpm -qa | grep claws-mail
claws-mail-3.17.8-1-rosa2016.1.x86_64
claws-mail-pgpcore-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-notification-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-managesieve-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-attachwarner-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-libravatar-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-att_remover-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-tnef_parse-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-pdfviewer-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-newmail-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-fetchinfo-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-dillo-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-gdata-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-archive-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-mailmbox-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-bogofilter-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-smime-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-address_keeper-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-kdeservicemenu-3.17.8-1-rosa2016.1.x86_64
claws-mail-tools-3.17.8-1-rosa2016.1.x86_64
claws-mail-pgpinline-plugin-3.17.8-1-rosa2016.1.x86_64
claws-mail-pgpmime-plugin-3.17.8-1-rosa2016.1.x86_64
```
```
rpm -qa | grep gnutls
vlc-plugin-gnutls-3.0.8-3plf-plf2016.1.x86_64
lib64gnutls30-3.6.14-2-rosa2016.1.x86_64
gnutls-locales-3.6.14-2-rosa2016.1.noarch
libgnutls30-3.6.14-2-rosa2016.1.i586
lib64gnutls-openssl27-3.6.14-2-rosa2016.1.x86_64
lib64gnutlsxx28-3.6.14-2-rosa2016.1.x86_64
lib64gnutls-dane0-3.6.14-2-rosa2016.1.x86_64
gnutls-3.6.14-2-rosa2016.1.x86_64
lib64gnutls-devel-3.6.14-2-rosa2016.1.x86_64
```
```
rpm -qa | grep etpan
lib64etpan20-1.9.4-1-rosa2016.1.x86_64
```
Where do I use old software versions?
Created attachment 2145 [details] invalid2.invalid imap.gmail.com
Created attachment 2146 [details]
gmail cert
I don't know what your local problem is.
I do not know what problems I have, but all other accounts work with tls normally, evolution works with imap.gmail.com, and only claws-mail does not work.
use_tls_sni is on?
how to know about it?
Created attachment 2148 [details] claws-mail opportunities
```
gnutls-cli imap.gmail.com:993
Processed 161 CA certificate(s).
Resolving 'imap.gmail.com:993'...
Connecting to '108.177.127.109:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=imap.gmail.com,O=Google LLC,L=Mountain View,ST=California,C=US', issuer `CN=GTS CA 1O1,O=Google Trust Services,C=US', serial 0x31040620137bc4f3080000000062d86c, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2020-11-03 07:37:52 UTC', expires `2021-01-26 07:37:52 UTC', pin-sha256="TKRMY2Ovhnu2BaHWrj5h6XMp56jRw2cgvY8L1cCux/k="
	Public Key ID:
		sha1:75b94a5de029932cfabe6b4b2dc4e87d03bd7cd9
		sha256:4ca44c6363af867bb605a1d6ae3e61e97329e7a8d1c36720bd8f0bd5c0aec7f9
	Public Key PIN:
		pin-sha256:TKRMY2Ovhnu2BaHWrj5h6XMp56jRw2cgvY8L1cCux/k=
- Certificate[1] info:
 - subject `CN=GTS CA 1O1,O=Google Trust Services,C=US', issuer `CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2', serial 0x01e3b49aa18d8aa981256950b8, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-06-15 00:00:42 UTC', expires `2021-12-15 00:00:42 UTC', pin-sha256="YZPgTZ+woNCCCIW3LH2CxQeLzB/1m42QcCTBSdgayjs="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed
- Simple Client Mode:
```
(In reply to Serg from comment #9)
```
grep -rn use_tls_sni ~/.claws-mail/accountrc
```
It should be set to 1 for each of your accounts, and your gmail account in particular.
use_tls_sni=1 on gmail account
Created attachment 2149 [details] claws-mail ssl/tls
This message from claws-mail in debug
```
** Message: 13:21:34.605: Учётная запись 'gmail': Подключение к IMAP серверу: imap.gmail.com:993...
imap-thread.c:457:found imap 0x35a4300
imap-thread.c:683:deleting old imap 0x35a4300
imap-thread.c:574:threaded delete imap posted
imap-thread.c:457:found imap 0x41ccef0
[2020-12-07 13:21:34] IMAP< * OK Gimap ready for requests from 45.80.47.98 g21mb4662125ljn
imap-thread.c:473:generic_cb
imap-thread.c:457:found imap 0x41ccef0
ssl_certificate.c:270:got 161 certs in crt_list! 0x7fff1ce32708
ssl_certificate.c:439:didn't get /home/admin/.claws-mail/certs/imap.gmail.com.993.cert
alertpanel.c:253:Creating alert panel dialog...
alertpanel.c:211:called inc_lock (lock count 2)
```
fix problem rebuild claws-mail with libetpan 1.9.4
thank you
I'm having the same issue on a Linux system, Fedora 34 and 35.
```
~/.claws-mail/accountrc:use_tls_sni=1
claws-mail-4.0.0-2.fc35.x86_64
libetpan-1.9.4-6.fc35.x86_64
openssl-1.1.1l-2.fc35.x86_64
gnutls-3.7.2-2.fc35.x86_64
```
Building from git (HEAD 621550bd6414) I see the same issue.
```
oauth2.c:195:Auth response: <redacted authorization code>
oauth2.c:237:Auth token: <redacted authorization code>
ssl.c:404:Setting GnuTLS priority to NORMAL:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1, status = 0
ssl.c:451:setting certificate callback function
ssl.c:311:waiting for SSL_connect thread...
ssl.c:329:SSL_connect thread returned 0
ssl_certificate.c:266:got 128 certs in crt_list! 0x7ffec1bd0278
ssl_certificate.c:435:didn't get /home/alwillia/.claws-mail/certs/accounts.google.com.443.cert
alertpanel.c:250:Creating alert panel dialog...
```
autogen reported:
```
claws-mail 3.18.0git273
Using Address Book : Original stable interface
JPilot : yes
LDAP : yes
gnuTLS : yes
iconv : yes
compface : yes
IPv6 : yes
enchant : yes
IMAP4 : yes
NNTP : yes
Crash dialog : no
LibSM : yes
DBUS : yes
NetworkManager : yes
Manual : yes
Generic UMPC code : no
SVG support : yes
Config dir : .claws-mail
Password crypto : gnutls
Unit tests : no
Plugins
  Built:
    - acpi_notifier
    - address_keeper
    - archive
    - att_remover
    - attachwarner
    - bogofilter
    - bsfilter
    - clamd
    - dillo
    - fetchinfo
    - gdata
    - libravatar
    - litehtml_viewer
    - mailmbox
    - managesieve
    - newmail
    - notification
        Features:
          banner
          command
          hotkeys
          lcdproc
          libnotify
          libcanberra-gtk
          popup
          trayicon
        Disabled due to missing dependencies:
          unity/messaging-menu
    - pdf_viewer
    - perl
    - pgpcore
    - pgpmime
    - pgpinline
    - rssyl
    - spamassassin
    - smime
    - spam_report
    - tnef_parse
    - vcalendar
  Disabled:
    - demo
  Disabled due to missing dependencies:
    - fancy
    - python
```
I'm trying to set SMTP authentication to OAUTH2, user ID & password blank, receiving is via IMAP to local dovecot.
In the OAUTH2 dialog I set Google/Gmail and create a client ID and secret in my google cloud console, obtain an authorization code in my browser, but when I try to complete authorization I get an invalid self-signed certificate for invalid2.invalid rather than a valid certificate for accounts.google.com. Help -> About -> Features shows libetpan enabled. The scenario is the same if I build from the 4.0.0 tarball releases.
(In reply to Alex from comment #18) Got the same issue: it is because tls sni is not enabled for the token connexions. The fix is easy, I am attaching a patch.
Created attachment 2272 [details]
Use tls sni with oauth2
Fix the invalid2.invalid error when activating oauth2.
Alphonse, thanks for tracking down the problem and for the patch. It's now pushed to git.