
Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)


From Gilles LAMIRAL <gilles dot lamiral at laposte dot net>
Subject Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)
Date Wed, 22 Jan 2014 00:18:36 +0100

Dear Dennis,

The problem seems to be that imapsync cannot verify the server certificate (own CA). After STARTTLS fails locally,
it tries to send CAPABILITY, which likely fails because the server expects the client to finish the STARTTLS sequence instead.

Ok. Bad imapsync.


Afterwards imapsync just reconnects, ignores the LOGINDISABLED capability and tries to LOGIN over a plaintext connection.
The major problems I see in this:

 1. The user is never notified of the certificate issue.
 2. imapsync ignores the --tls switch and sends my authentication plaintext. This should never ever happen.

Yes, you are twice right. Shame on me, imapsync does not check the return code of the function starttls() it uses, so it does not print the error either. It used to do it but let's forget history. Plus, the automatic reconnect behavior is not a good idea in this scenario and then adds exposure.

I'll fix that soon.

Now did you find why you get "SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"?

Can you try the option --ssl1_SSL_version, which fixes the SSL version? For example:

imapsync ... --ssl1 --ssl1_SSL_version "SSLv3"

Possibilities:
 "SSLv3"
 "SSLv2"
 "SSLv23"
 "SSLv23:!SSLv2"

Host1 connection
Connecting with IO::Socket::INET PeerAddr $HOST1 PeerPort $PORT1 Proto tcp Timeout 120 Debug 1
Connected to $HOST1
Read:   * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
Host1: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
Sending: 1 STARTTLS
Sent 12 bytes
Read:   1 OK Begin TLS negotiation now.
ERROR: Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/lib64/perl5/vendor_perl/5.18.1/Mail/IMAPClient.pm line 455.
[...]
Sending: 2 CAPABILITY
Sent 14 bytes
ERROR: socket closed while reading data from server at /usr/lib64/perl5/vendor_perl/5.18.1/Mail/IMAPClient.pm line 1629.
[...]
reconnecting to $HOST1, last error: socket closed while reading data from server

-- Au revoir, 09 51 84 42 42 Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06
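The safe client behaviour the reply asks for (check the result of starttls(), honour LOGINDISABLED, never fall back to a plaintext LOGIN), as an added example written in Python; it is not imapsync's own Perl code. The greeting is copied from the log above, and the failing handshake is a constructed stub standing in for the certificate verification error.

```python
import re
from typing import Callable

# Greeting copied from the log in the mail above (Dovecot with STARTTLS, LOGINDISABLED).
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
            "IDLE STARTTLS LOGINDISABLED] Dovecot ready.")

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


class PlaintextLoginRefused(Exception):
    """Raised whenever sending LOGIN would put the password on the wire unencrypted."""


def parse_capabilities(greeting: str) -> set[str]:
    """Return the capability tokens announced in an untagged IMAP greeting."""
    match = _CAP_RE.search(greeting)
    return set(match.group(1).split()) if match else set()


def login_transport(greeting: str, want_tls: bool, starttls: Callable[[], bool]) -> str:
    """Decide over which transport LOGIN may be issued, or refuse.

    want_tls mirrors imapsync's --tls switch; starttls() performs the handshake and
    returns True on success (the bug in the mail was not checking this result).
    """
    caps = parse_capabilities(greeting)
    if want_tls:
        if "STARTTLS" not in caps:
            raise PlaintextLoginRefused("TLS requested but server does not offer STARTTLS")
        if not starttls():
            # A certificate verification failure lands here: stop, report it,
            # and do not reconnect and retry in the clear.
            raise PlaintextLoginRefused("STARTTLS handshake failed; refusing plaintext LOGIN")
        # After STARTTLS the pre-TLS capabilities must be discarded and CAPABILITY
        # re-issued over the encrypted channel (RFC 3501 6.2.1); not modelled here.
        return "tls"
    if "LOGINDISABLED" in caps:
        # RFC 3501: LOGIN must not be sent when the server advertises LOGINDISABLED.
        raise PlaintextLoginRefused("server advertises LOGINDISABLED; refusing plaintext LOGIN")
    return "plaintext"


def verify_failed() -> bool:
    """Constructed stand-in for the failed handshake seen in the log."""
    return False


if __name__ == "__main__":
    for want_tls in (True, False):
        try:
            print(login_transport(GREETING, want_tls, verify_failed))
        except PlaintextLoginRefused as exc:
            print(f"--tls={want_tls}: {exc}")
```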