Opened 12 years ago

Closed 10 years ago

#38055 closed defect (duplicate)

alpine openssl and gmail

Reported by: schnide (Joe Schnide) Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version: 2.1.3
Keywords: Cc: mww@…
Port: alpine openssl

Description (last modified by larryv (Lawrence Velázquez))

Hello,

After a recent update of alpine and of openssl, alpine now comes back with the following on launch going to my inbox:

There was an SSL/TLS failure for the server
                                     imap.gmail.com
The reason for the failure was
                                 SSL negotiation failed
This is just an informational message. With the current setup, SSL/TLS will not work. If
this error re-occurs every time you run Alpine, your current setup is not compatible with
the configuration of your mail server. You may want to add the option
                                         /notls
to the name of the mail server you are attempting to access. In other words, wherever you
see the characters
                                     imap.gmail.com
in your configuration, replace those characters with
                                  imap.gmail.com/notls
Type RETURN to continue.

A co-worker suggested trying the following command:

$ openssl s_client -connect imap.gmail.com:993
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point
is not on curve:ecp_oct.c:421:
140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
ecpoint:s3_clnt.c:1679:
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1891 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1360709165
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

After seeing this ouput, he remarked:

I think alpine uses the same cert store as openssl. But the point not on curve error is more interesting. More likely, the new openssl supports ECC ciphers out of the box, and there's some incompatibility with Google's support for it. You might want to see if Alpine supports configuration of the acceptable ciphers (like the Apache SSLCiphers or SSH's Cipher option). Then set it to remove the ECC ciphers and see if it's happier.

I didn't see where to configure acceptable ciphers in alpine and not sure if that needs to be configured in openssl. I'd liek to continue to use alpine to access gmail but am not sure what the updates to alpine, openssl and/or dependencies may have done to cause these issues.

Please let me know if I can provide further information.

Thanks Joe

Change History (6)

comment:1 Changed 12 years ago by larryv (Lawrence Velázquez)

Cc: mww@… cal@… egall@… larryv@… added
Description: modified (diff)
Keywords: gmail alpine openssl removed
Port: openssl added

Thanks for the ticket. In the future, please Cc relevant port maintainers and use WikiFormatting to format your ticket description.

Have you upgraded to openssl @1.0.1d or @1.0.1e? There have been… problems… with these versions. To say the least. (See #38015, among others.)

If you happen to still have @1.0.1c around (port installed openssl), could you try activating that version to see if it clears up your problem?

sudo port activate openssl @1.0.1c

comment:2 Changed 12 years ago by larryv (Lawrence Velázquez)

Cc: cal@… egall@… larryv@… removed

Damn autofill.

comment:3 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)

Yes, "point is not on curve" sounds like #38015; rather than downgrading to 1.0.1c (which I suppose you can also try), please try the workaround mentioned in that ticket (re-build openssl without "no-asm").

comment:4 in reply to:  3 Changed 12 years ago by larryv (Lawrence Velázquez)

Replying to ryandesign@…:

rather than downgrading to 1.0.1c (which I suppose you can also try), please try the workaround mentioned in that ticket (re-build openssl without "no-asm").

Errr yeah, disregard what I said. Try this first.

comment:5 Changed 12 years ago by schnide (Joe Schnide)

This cleared up the issue. Resolved. Thank you.

comment:6 Changed 10 years ago by jmroot (Joshua Root)

Resolution: duplicate
Status: newclosed
Note: See TracTickets for help on using tickets.