[Users] Oauth2 not working with Microsoft Exchange

Paul Rolland rol at witbe.net
Mon Oct 10 17:42:48 UTC 2022


Hello,

Thanks Michael and David...
Only one reply to both mails, to compensate for my initial double-post ;)

On Mon, 10 Oct 2022 15:25:30 +0000
"David Fletcher" <David at megapico.co.uk> wrote:

> This part is OK. Assuming you are using the latest git version of Claws
> then it will be listening for this connection on the local machine.

Hmmm..... 
I _think_ I'm up-to-date :
104 [18:46] rol at riri:~...src/Claws/claws-mail-git> git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean

but considering that a strace running against claws never revealed the 
attempt to bind to 8888 or an attempt to connect to that port, I should
conclude that I'm not on the latest git, despite a "git pull" before 
a make clean and a rebuild...
 
> Background: There's code in prefs_account.c which listens for the
> connection made during the oauth2 authorisation process at Microsoft.
> Microsoft responds to part of that authorisation process by sending your
> browser an HTTP redirect request causing it to connect to the local
> machine, thereby passing the authorisation to Claws Mail. (Microsoft
> does not contact Claws directly from outside your machine). You'll
> notice the "redirect_uri=" part in one of the strings you posted:

I can see that code in my source tree... 

> As Michael said, the error seems to be the tls handshake when Claws
> attempts to contact Microsoft to obtain the Oauth2 tokens. Could you
> have compiled against a dud TLS library?

111 [18:51] rol at riri:~...src/Claws/claws-mail-git> ldd ~rol/usr/bin/claws-mail | grep tls
        libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007f13a8400000)

and this is provided by :
gnutls.x86_64      3.7.7-1.fc35

So, I've decided to dig into prefs_account.c and I've made some progress ;)

1 - The 8888 listener is started when you click on Copy link.... but as I
    was clicking on Authorise from a freshly started Claws, I had no
    listener (confirmed by netstat and strace and the debug messages).
    Now, I click first on Copy link, and now I have the messages:

prefs_account.c:5185:Starting oauth2 listener task
prefs_account.c:6075:oauth2 listener task running
prefs_account.c:6086:oauth2 listener socket created
prefs_account.c:6102:oauth2 listener bind done
prefs_account.c:6107:oauth2 listener waiting for incoming connections...

    That looks OK

2 - Now, it seems that this is also making TLS a little bit happier:

ssl.c:404:Setting GnuTLS priority to NORMAL:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1, status = 0
ssl.c:423:Set GnuTLS session server name indication to login.microsoftonline.com, status = 0
ssl.c:451:setting certificate callback function
ssl.c:311:waiting for SSL_connect thread...
ssl.c:329:SSL_connect thread returned 0
ssl_certificate.c:266:got 136 certs in crt_list! 0x7fff32f35408
ssl_certificate.c:445:got /home/rol/.claws-mail/certs/login.microsoftonline.com.443.cert first try
ssl_certificate.c:266:got 1 certs in crt_list! 0x7fff32f35258
ssl_certificate.c:455:got cert 0x67bbda0

    but then I have a warning:

** (claws-mail:2812016): WARNING **: 19:11:28.613: size differ 2006 2005
ssl_certificate.c:182:writing 2006 bytes

    But that's a warning, and the operation continues:

file-utils.c:58:TIMING safe_fclose : 0s000ms
ssl_certificate.c:182:writing 2772 bytes
ssl_certificate.c:182:writing 1761 bytes
file-utils.c:58:TIMING safe_fclose : 0s000ms

3 - Back to oauth2.c, I now have a body client that is constructed and
    sent, and then I'm back with a TLS error:

socket.c:1278:Unexpected TLS read result -110
** Message: 19:11:28.760: OAuth2 access token not obtained

Any idea what that error -110 could be? I've tried to have a look at the
GnuTLS repo for release 3.7.7, but socket.c is not that long, so I don't
know who is creating the "Unexpected TLS" error.

Paul

-- 
Paul Rolland                                E-Mail : rol(at)witbe.net
CTO - Witbe.net SA                          Tel. +33 (0)1 47 67 77 77
18 Rue d'Arras, Bat. A11                    Fax. +33 (0)1 47 67 77 99
F-92000 Nanterre                            RIPE : PR12-RIPE

Please no HTML, I'm not a browser - Pas d'HTML, je ne suis pas un navigateur
"Some people dream of success... while others wake up and work hard at it"

"I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that 10
or 15 years from now, she will come to me and say 'Daddy, where were you
when they took freedom of the press away from the Internet?'"
--Mike Godwin, Electronic Frontier Foundation 
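To make the local redirect step David describes concrete, here is an added example (not Claws Mail's code, written for this thread) of the loopback listener the browser is redirected to: it binds 127.0.0.1 only, default port 8888 as in the thread, takes exactly one GET, and hands back the `code` query parameter only when the `state` parameter matches the one sent with the authorization request. The `code`/`state` parameter names, the `run_local_flow` demo and its fake-browser request are assumptions/constructed input, not anything from the original post.

```python
import hmac
import socket
import threading
from urllib.parse import parse_qs, urlsplit

def parse_redirect_request(raw: bytes, expected_state: str):
    """Return the code from 'GET /?code=...&state=... HTTP/1.1' only if 'state' matches ours."""
    try:
        method, target, _ = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    params = parse_qs(urlsplit(target).query)
    state, code = params.get("state", [""])[0], params.get("code", [""])[0]
    if method != "GET" or not code:
        return None
    # A stray or forged redirect (wrong state) must not hand us a code we did not ask for.
    return code if hmac.compare_digest(state.encode(), expected_state.encode()) else None

def open_listener(port=8888):  # port 0 lets the kernel pick a free port (used by the demo)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))  # loopback only: the redirect comes from the local browser
    sock.listen(1)
    return sock

def accept_one(sock, expected_state, timeout=60.0):
    """Take exactly one connection, answer the browser, stop listening, return code or None."""
    sock.settimeout(timeout)
    conn, _ = sock.accept()  # raises socket.timeout if the browser never comes back
    sock.close()
    with conn:
        code = parse_redirect_request(conn.recv(8192), expected_state)
        status, body = (b"200 OK", b"Done, close this tab.") if code else (b"400 Bad Request", b"Invalid.")
        conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: " + str(len(body)).encode()
                     + b"\r\nConnection: close\r\n\r\n" + body)
    return code

def run_local_flow(expected_state, query):  # constructed end-to-end demo on an ephemeral port
    sock = open_listener(port=0)

    def fake_browser():  # stands in for the browser following Microsoft's redirect
        with socket.create_connection(sock.getsockname()) as c:
            c.sendall(b"GET /?" + query.encode() + b" HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")
            c.recv(1024)

    t = threading.Thread(target=fake_browser)
    t.start()
    code = accept_one(sock, expected_state, timeout=5)
    t.join()
    return code
```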