Opened 11 years ago

Closed 9 years ago

#38055 closed defect (duplicate)

alpine openssl and gmail

Reported by: schnide (Joe Schnide) Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version: 2.1.3
Keywords: Cc: mww@…
Port: alpine openssl

Description (last modified by larryv (Lawrence Velázquez))

Hello,

After a recent update of alpine and of openssl, alpine now comes back with the following on launch going to my inbox:

There was an SSL/TLS failure for the server
                                     imap.gmail.com
The reason for the failure was
                                 SSL negotiation failed
This is just an informational message. With the current setup, SSL/TLS will not work. If
this error re-occurs every time you run Alpine, your current setup is not compatible with
the configuration of your mail server. You may want to add the option
                                         /notls
to the name of the mail server you are attempting to access. In other words, wherever you
see the characters
                                     imap.gmail.com
in your configuration, replace those characters with
                                  imap.gmail.com/notls
Type RETURN to continue.

A co-worker suggested trying the following command:

$ openssl s_client -connect imap.gmail.com:993
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679:
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1891 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1360709165
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

After seeing this output, he remarked:

I think alpine uses the same cert store as openssl. But the point not on curve error is more interesting. More likely, the new openssl supports ECC ciphers out of the box, and there's some incompatibility with Google's support for it. You might want to see if Alpine supports configuration of the acceptable ciphers (like the Apache SSLCiphers or SSH's Cipher option). Then set it to remove the ECC ciphers and see if it's happier.

I didn't see where to configure acceptable ciphers in alpine and am not sure if that needs to be configured in openssl. I'd like to continue to use alpine to access gmail but am not sure what the updates to alpine, openssl and/or dependencies may have done to cause these issues.

Please let me know if I can provide further information.

Thanks Joe
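Added here as a diagnostic example (not from the ticket or the alpine/openssl ports): a POSIX shell helper that classifies an `openssl s_client` transcript, separating the certificate-store problem (verify return code 20, which on its own would not abort the session) from the ECC key-exchange error that actually kills the handshake. The transcript is constructed from the lines quoted above; the function and variable names are chosen here.

```shell
#!/bin/sh
# Constructed sample: the relevant lines of the s_client run quoted in the
# ticket, trimmed to what the classifier looks at.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
140735302390236:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
140735302390236:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679:
---
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 20 (unable to get local issuer certificate)'

# classify_s_client: read an s_client transcript on stdin and print one word.
#   ecc-handshake-failure  key exchange aborted on an EC point error
#                          (the client-side OpenSSL build is the suspect)
#   handshake-failure      no cipher negotiated for some other reason
#   verify-only            cipher negotiated, but the chain did not verify
#                          (a CA store problem, not a connectivity one)
#   ok                     cipher negotiated and chain verified
classify_s_client() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -qE 'point is not on curve|bad ecpoint'; then
    echo ecc-handshake-failure
  elif printf '%s\n' "$out" | grep -qF 'Cipher is (NONE)'; then
    echo handshake-failure
  elif printf '%s\n' "$out" | grep -qF 'Verify return code: 0 (ok)'; then
    echo ok
  else
    echo verify-only
  fi
}

# verify_code: extract the numeric "Verify return code" (prints nothing if absent)
verify_code() {
  sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p'
}

# Stand-alone run over the constructed transcript.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_s_client
printf '%s\n' "$SAMPLE_OUTPUT" | verify_code
```

In practice the transcript comes from `openssl s_client -connect host:993 2>&1 | classify_s_client`; a result of `verify-only` points at the CA bundle, while `ecc-handshake-failure` points at the client library, as the later comments in this ticket conclude.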

Change History (6)

comment:1 Changed 11 years ago by larryv (Lawrence Velázquez)

Cc: mww@… cal@… egall@… larryv@… added
Description: modified (diff)
Keywords: gmail alpine openssl removed
Port: openssl added

Thanks for the ticket. In the future, please Cc relevant port maintainers and use WikiFormatting to format your ticket description.

Have you upgraded to openssl @1.0.1d or @1.0.1e? There have been… problems… with these versions. To say the least. (See #38015, among others.)

If you happen to still have @1.0.1c around (port installed openssl), could you try activating that version to see if it clears up your problem?

sudo port activate openssl @1.0.1c

comment:2 Changed 11 years ago by larryv (Lawrence Velázquez)

Cc: cal@… egall@… larryv@… removed

Damn autofill.

comment:3 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Yes, "point is not on curve" sounds like #38015; rather than downgrading to 1.0.1c (which I suppose you can also try), please try the workaround mentioned in that ticket (re-build openssl without "no-asm").

comment:4 in reply to: 3 Changed 11 years ago by larryv (Lawrence Velázquez)

Replying to ryandesign@…:

rather than downgrading to 1.0.1c (which I suppose you can also try), please try the workaround mentioned in that ticket (re-build openssl without "no-asm").

Errr yeah, disregard what I said. Try this first.

comment:5 Changed 11 years ago by schnide (Joe Schnide)

This cleared up the issue. Resolved. Thank you.

comment:6 Changed 9 years ago by jmroot (Joshua Root)

Resolution: duplicate
Status: new → closed