[Users] [Bug 3684] New: Socket error with POP3 using TLS client certificate

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Fri Sep 2 09:49:47 CEST 2016


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3684

            Bug ID: 3684
           Summary: Socket error with POP3 using TLS client certificate
    Classification: Unclassified
           Product: Claws Mail
           Version: 3.14.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P3
         Component: POP3
          Assignee: users at lists.claws-mail.org
          Reporter: thomas-forum at orgis.org

I am trying to access a POP3 account using a client certificate. The following
works:

shell$ openssl s_client -starttls pop3 -connect example.org:110 -key username.key -cert username.cert
[...]
Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2939 bytes and written 1856 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: [...]
    Session-ID-ctx: 
    Master-Key: [...]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket: [...]

    Compression: 1 (zlib compression)
    Start Time: 1472801489
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
USER username
+OK
PASS blabla
+OK Logged in.
LIST
+OK 128 messages:
1 2120
2 13332
3 1040
[...]
.
QUIT
DONE

I tried using the client certificate in claws and failed so far. I figured out
that I apparently need to concatenate the key and cert into one file, otherwise
claws gives a parsing error. Now it seems to be happy with the key, but the
connection fails with this debug output:

** Message: Account 'XXXXXXXX': Connecting to POP3 server: example.org:110...

session.c:202:session (0x2b71d60): connected
[09:45:05] POP3< +OK Dovecot ready.
[09:45:05] POP3> STLS
[09:45:06] POP3< +OK Begin TLS negotiation now.
ssl.c:237:waiting for SSL_connect thread...
passwordstore.c:184:Getting password 'recv_cert' from block (1/35)
passwordstore.c:196:Password 'recv_cert' in block (1/35) not found.
ssl_certificate.c:258:got 1 certs in crt_list! 0xXXXXXXXX
ssl_certificate.c:315:got key! 0xXXXXXXX
ssl.c:255:SSL_connect thread returned -50

** (claws-mail:32617): WARNING **: SSL connection failed (The request is invalid.)

** (claws-mail:32617): WARNING **: couldn't start TLS session.
session.c:376:session (0x2b71d60): closed


Did I still do something wrong? Other people successfully fetch their mail from
that server using mpop.

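A structural check for the combined key-plus-certificate file described in the report, as an added example that is not part of the original report or of Claws Mail. It assumes the combined file is PEM, uses constructed placeholder blocks rather than real key material, and does not diagnose the -50 error itself.

```python
import base64
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_combined_pem(text):
    """Return (labels, findings) for a PEM file holding a key and a certificate."""
    labels, findings = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        # Legacy PEM headers such as "Proc-Type: 4,ENCRYPTED" precede the base64.
        headers = [l for l in lines if ":" in l]
        payload = "".join(l for l in lines if ":" not in l)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            findings.append(f"{label}: body is not valid base64")
        if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
            findings.append(f"{label}: key is passphrase-protected")
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        findings.append(f"expected exactly one private key, found {len(keys)}")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block found")
    return labels, findings

def _sample_block(label, headers=""):
    # Constructed placeholder bytes, not real DER; only the PEM framing matters here.
    b64 = base64.b64encode(b"constructed sample bytes, not real DER").decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

SAMPLE_OK = _sample_block("PRIVATE KEY") + _sample_block("CERTIFICATE")
SAMPLE_CERT_ONLY = _sample_block("CERTIFICATE")
SAMPLE_ENCRYPTED = _sample_block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
) + _sample_block("CERTIFICATE")

if __name__ == "__main__":
    # Pass the path of the combined file (hypothetical name: username.pem) to check it.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    found, notes = inspect_combined_pem(data)
    print("blocks:", found)
    print("findings:", notes or "none")
```
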