[Users] [Bug 4227] ClawsMail IMAP to Verizon email imap.aol.com started failing with *** SSL/TLS handshake failed
noreply at thewildbeast.co.uk
Sun Jul 14 20:39:52 CEST 2019
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4227
--- Comment #10 from joesalmeri at verizon.net ---
(In reply to comment #9)
> Since you are experiencing the problems on Windows and since the claws-mail
> build uses its own package version of gnutls/openssl it could be a problem
> with the packaged version of the SSL libraries.
>
> Doing: openssl s_client -connect imap.aol.com:993
> displays a valid certificate which is verified ok here:
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID:
> 5D2B6C9A905659A34F1E039C76B2BA51FDF01D957A82017CB8B8E3700E6DFB55
> Session-ID-ctx:
> Master-Key:
> 5E58A2710A0AE5E42209E64545514D9F83DD173DBAFD083DD3BD6CB453F7245B9D08C1D60CC5D
> A2E99D6DB528C613E27
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1563126938
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
>
> I lean towards an incompatibility with the supplied SSL libraries with
> claws-mail but since I don't have windows here I cannot verify.
>
> imap.aol.com offers these signature algorithms:
> Requested Signature Algorithms:
> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-
> PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:
> RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
>
> So if the supplied SSL libraries on Windows does not support those then it
> will fail to make a connection.
Thanks for providing that debug step.
In order to debug further and not muck with my real desktop I will continue
debugging in a Win10 VM where the problem also occurs.
I installed openssl in the VM and tried the openssl connection.
Here are the results:
openssl s_client -connect imap.aol.com:993
CONNECTED(00000180)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2
High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN =
*.imap.mail.aol.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN =
*.imap.mail.aol.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High
Assurance Server CA
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High
Assurance Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High
Assurance EV Root CA
---
Server certificate
subject=C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN =
*.imap.mail.aol.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High
Assurance Server CA
---
No client certificate CA names sent
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4072 bytes and written 876 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
6ABD95BB3884364E2FDCD83CEAE91CD0B69840DA8DC29996ADACABC56FF8B21F
Session-ID-ctx:
Resumption PSK:
DB2EDF24D8D9721D680AE6A6467E9D0A898A1631DB3B991D8ED7434840E27DE3010BBB3B8A12DA14F0EEE5A73193F39C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 60 (seconds)
TLS session ticket:
0000 - 29 4f f2 44 17 21 a4 11-2b e9 d9 6a 23 95 a3 52 )O.D.!..+..j#..R
0010 - 10 f3 fe 6b 01 b3 3a c6-d5 7c 58 8d 2f ef a5 ee ...k..:..|X./...
Start Time: 1563128446
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=XOAUTH2 AUTH=PLAIN CHILDREN ID LITERAL+
NAMESPACE UIDPLUS MOVE] IMAP4rev1 Hello
Looking through those results the error seems to be here:
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN =
*.imap.mail.aol.com
verify return:1
SSL handshake has read 4072 bytes and written 876 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
Comparing the "Requested Signature Algorithms" in what you posted to what is in
my results, they match, but "ECDSA+SHA1:RSA+SHA1" is missing from the "Shared
Requested Signature Algorithms".
I see that the SSL handshake is using TLS v1.3; could that be the issue?
It appears that your analysis is correct and that Clawsmail would need to update
the supplied SSL libraries on Windows.
Is this the proper channel to get that handled or do I need to report this
elsewhere?
THANKS!
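As an added diagnostic helper (not part of the bug report, Claws Mail or OpenSSL), the script below parses an `openssl s_client` transcript shaped like the one in this comment, separates a client trust-store gap (verify code 20 means the client could not find the issuer locally) from a genuine server chain failure, and lists the signature algorithms the server requested but the client did not offer. The sample transcript is a constructed, trimmed copy of the lines quoted above, and the verify-code grouping is assumed from OpenSSL's X509_V_ERR_* list.

```python
import re

# Constructed sample (added here, not the report's own text): trimmed s_client lines.
SAMPLE = """\
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.imap.mail.aol.com
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA+SHA256
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 20 (unable to get local issuer certificate)
"""

# Verify codes meaning "client trust store lacks the issuer" (assumed from X509_V_ERR_*).
TRUST_STORE_ERRORS = {2, 19, 20, 21}

def parse_s_client(text):
    """Pull out the verify code, the depth at which it occurred, and the sigalg lists."""
    lines = text.splitlines()
    info = {"verify_code": None, "verify_depth": None,
            "requested": [], "shared": []}
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if (m := re.match(r"depth=(\d+) ", line)) and nxt.startswith("verify error:"):
            info["verify_depth"] = int(m.group(1))  # the cert whose issuer was not found
        if m := re.match(r"Verify return code: (\d+)", line):
            info["verify_code"] = int(m.group(1))
        if line == "Requested Signature Algorithms:":
            info["requested"] = nxt.split(":")
        if line == "Shared Requested Signature Algorithms:":
            info["shared"] = nxt.split(":")
    return info

def diagnose(info):
    """Return findings: client trust-store gap, server chain problem, sigalg mismatch."""
    findings, code = [], info["verify_code"]
    if code in TRUST_STORE_ERRORS:
        findings.append(f"verify code {code} at depth {info['verify_depth']}: no trusted "
                        "issuer in the client's store; point the client at a CA bundle")
    elif code not in (None, 0):
        findings.append(f"verify code {code}: the server's chain itself failed validation")
    unshared = [a for a in info["requested"] if a not in info["shared"]]
    if unshared:
        findings.append("requested by server but not offered by client: " + ":".join(unshared))
        if all(a.endswith("+SHA1") for a in unshared):
            findings.append("only SHA-1 variants are unshared; declining them is expected")
    return findings
```

On the transcript above this reports a trust-store gap at depth 1 (the DigiCert intermediate's issuer was not found locally) and notes that the only unshared algorithms are the SHA-1 ones, which a modern client is expected to decline.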