GNU bug report logs - #13406
24.2.92; gnus fails imap connection with TLS

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 13406 in the body.
You can then email your comments to 13406 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Rainer Orth <ro <at> CeBiTec.Uni-Bielefeld.DE>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.2.92; gnus fails imap connection with TLS
Date: Thu, 10 Jan 2013 17:34:08 +0100

On Solaris 11.1/x86, I cannot connect to our imap server with TLS
anymore: 

.emacs has 

(setq gnus-secondary-select-methods
      '((nnimap "cebitec"
		(nnimap-address "<imap server elided>")
		(nnimap-stream ssl))))

In *Messages*, I find

Opening nnimap server on cebitec...
Opening connection to <imap server elided> via tls...
gnutls.c: [0] (Emacs) fatal error: Decryption has failed.
gnutls.el: (err=[-24] Decryption has failed.) boot: (:priority NORMAL :hostname <imap server elided> :loglevel 0 :min-prime-bits 256 :trustfiles nil :crlfiles nil :keylist nil :verify-flags nil :verify-error nil :verify-hostname-error nil :callbacks nil)
Unable to open server nnimap+cebitec due to: GnuTLS error: #<process *nnimap*>, -24
Opening nnimap server on cebitec...done
No new newsgroups
Checking new news...
Reading active file via nnnil...done
Reading active file from cebitec via nnimap...done
Reading active file via nndraft...done
Checking new news...done
Warning: Unable to open server nnimap+cebitec due to: GnuTLS error: #<process *nnimap*>, -24
gnutls.c: [0] (Emacs) fatal error: The specified session has been invalidated for some reason. [2 times]

libgnutls.so.26 from gnutls 2.8.6 is bundled with the OS.


In GNU Emacs 24.2.92.1 (i386-pc-solaris2.11, GTK+ Version 2.20.1)
 of 2013-01-10 on fuego
Windowing system distributor `Oracle Corporation, based on X.Org Foundation sources', version 11.0.11202000
Configured using:
 `configure '--prefix=/vol/gnu' '--without-gif''

Important settings:
  value of $LC_ALL: 
  value of $LC_COLLATE: 
  value of $LC_CTYPE: iso_8859_1
  value of $LC_MESSAGES: 
  value of $LC_MONETARY: 
  value of $LC_NUMERIC: 
  value of $LC_TIME: 
  value of $LANG: C
  locale-coding-system: iso-latin-1-unix
  default enable-multibyte-characters: t

Major mode: Fundamental

Minor modes in effect:
  desktop-save-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
C-v C-v <escape> < C-x b * c <backspace> s c <tab> 
<return> <escape> x g n u s <return> C-x b * <tab> 
M <tab> <return> <escape> x r e p o <tab> r <tab> <return> 
g n u s SPC f a C-g C-x C-f ~ / . e m <tab> <return> 
C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n 
C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n C-n 
C-n C-n C-n C-x k <return> C-x 5 2 <switch-frame> <escape> 
x r e p o r <tab> <return>

Recent messages:
Opening nnimap server on cebitec...done
No new newsgroups
Checking new news...
Reading active file via nnnil...done
Reading active file from cebitec via nnimap...done
Reading active file via nndraft...done
Checking new news...done
Warning: Unable to open server nnimap+cebitec due to: GnuTLS error: #<process *nnimap*>, -24
gnutls.c: [0] (Emacs) fatal error: The specified session has been invalidated for some reason. [2 times]
Making completion list... [2 times]
Quit

Load-path shadows:
/vol/gnu/share/emacs/site-lisp/psgml/psgml-edit hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml-edit
/vol/gnu/share/emacs/site-lisp/psgml/psgml-charent hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml-charent
/vol/gnu/share/emacs/site-lisp/psgml/psgml-dtd hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml-dtd
/vol/gnu/share/emacs/site-lisp/psgml/psgml-parse hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml-parse
/vol/gnu/share/emacs/site-lisp/psgml/psgml-api hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml-api
/vol/gnu/share/emacs/site-lisp/psgml/psgml-info hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml-info
/vol/gnu/share/emacs/site-lisp/psgml/psgml-other hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml-other
/vol/gnu/share/emacs/site-lisp/psgml/psgml hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.0/psgml
/vol/gnu/share/emacs/site-lisp/psgml/psgml-other hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml-other
/vol/gnu/share/emacs/site-lisp/psgml/psgml-edit hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml-edit
/vol/gnu/share/emacs/site-lisp/psgml/psgml hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml
/vol/gnu/share/emacs/site-lisp/psgml/psgml-api hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml-api
/vol/gnu/share/emacs/site-lisp/psgml/psgml-info hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml-info
/vol/gnu/share/emacs/site-lisp/psgml/psgml-dtd hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml-dtd
/vol/gnu/share/emacs/site-lisp/psgml/psgml-charent hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml-charent
/vol/gnu/share/emacs/site-lisp/psgml/psgml-parse hides /vol/gnu/share/emacs/site-lisp/psgml/1.2.5/psgml-parse
/vol/gnu/share/emacs/site-lisp/info-look hides /vol/gnu/src/emacs/emacs-24.2.92/lisp/info-look

Features:
(shadow sort mail-extr emacsbug sendmail help-mode gnus-topic nndraft
nnmh nnagent nnml gnutls network-stream auth-source eieio byte-opt
bytecomp byte-compile cconv starttls nnimap parse-time tls utf7 netrc
nnfolder nnnil gnus-agent gnus-srvr gnus-score score-mode nnvirtual
gnus-msg gnus-art mm-uu mml2015 epg-config mm-view mml-smime smime
password-cache dig mailcap nntp gnus-cache gnus-sum nnoo gnus-group
gnus-undo nnmail mail-source gnus-start gnus-spec gnus-int gnus-range
message idna format-spec rfc822 mml easymenu mml-sec mm-decode mm-bodies
mm-encode mail-parse rfc2231 rfc2047 rfc2045 ietf-drums mailabbrev
gmm-utils mailheader gnus-win gnus gnus-ems nnheader gnus-util
mail-utils mm-util mail-prsvr wid-edit dired tex-site go-mode-load
desktop time-date tooltip ediff-hook vc-hooks lisp-float-type mwheel
x-win x-dnd tool-bar dnd fontset image regexp-opt fringe tabulated-list
newcomment lisp-mode register page menu-bar rfn-eshadow timer select
scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame cham
georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese hebrew greek romanian slovak czech european ethiopic
indian cyrillic chinese case-table epa-hook jka-cmpr-hook help simple
abbrev minibuffer loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
dbusbind dynamic-setting system-font-setting font-render-setting
move-toolbar gtk x-toolkit x multi-tty emacs)

-- 
-----------------------------------------------------------------------------
Rainer Orth, Center for Biotechnology, Bielefeld University

Message #8 received at 13406 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Rainer Orth <ro <at> CeBiTec.Uni-Bielefeld.DE>
Cc: 13406 <at> debbugs.gnu.org
Subject: Re: bug#13406: 24.2.92; gnus fails imap connection with TLS
Date: Fri, 11 Jan 2013 09:09:54 -0500

On Thu, 10 Jan 2013 17:34:08 +0100 Rainer Orth <ro <at> CeBiTec.Uni-Bielefeld.DE> wrote: 

RO> On Solaris 11.1/x86, I cannot connect to our imap server with TLS
RO> anymore: 

RO> .emacs has 

RO> (setq gnus-secondary-select-methods
RO>       '((nnimap "cebitec"
RO> 		(nnimap-address "<imap server elided>")
RO> 		(nnimap-stream ssl))))

RO> In *Messages*, I find

RO> Opening nnimap server on cebitec...
RO> Opening connection to <imap server elided> via tls...
RO> gnutls.c: [0] (Emacs) fatal error: Decryption has failed.
RO> gnutls.el: (err=[-24] Decryption has failed.) boot: (:priority NORMAL :hostname <imap server elided> :loglevel 0 :min-prime-bits 256 :trustfiles nil :crlfiles nil :keylist nil :verify-flags nil :verify-error nil :verify-hostname-error nil :callbacks nil)
RO> Unable to open server nnimap+cebitec due to: GnuTLS error: #<process *nnimap*>, -24
RO> Opening nnimap server on cebitec...done
RO> No new newsgroups
RO> Checking new news...
RO> Reading active file via nnnil...done
RO> Reading active file from cebitec via nnimap...done
RO> Reading active file via nndraft...done
RO> Checking new news...done
RO> Warning: Unable to open server nnimap+cebitec due to: GnuTLS error: #<process *nnimap*>, -24
RO> gnutls.c: [0] (Emacs) fatal error: The specified session has been invalidated for some reason. [2 times]

RO> libgnutls.so.26 from gnutls 2.8.6 is bundled with the OS.

Can you try from the command line, with `gnutls-cli'?

Thanks
Ted

Message #11 received at 13406 <at> debbugs.gnu.org (full text, mbox):

From: Rainer Orth <ro <at> CeBiTec.Uni-Bielefeld.DE>
To: 13406 <at> debbugs.gnu.org
Subject: Re: bug#13406: 24.2.92; gnus fails imap connection with TLS
Date: Tue, 15 Jan 2013 11:24:29 +0100

Ted Zlatanov <tzz <at> lifelogs.com> writes:

> Can you try from the command line, with `gnutls-cli'?

gnutls-cli isn't installed on Solaris 11, so I built the upstream
version of gnutls 2.8.6 myself.  With the unchanged version, imap with
TLS works fine.  I've then dug up the build receipe on opensolaris.org
and found that the fix for CVE-2012-1573 is wrong: while upstream

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=422214868061370aeeb0ac9cd0f021a5c350a57d;hp=cfea38b5482c21fe6ddffaddc59a0040f80bd578

uses a ciphertext.size < hash_size test, Solaris has

http://src.opensolaris.org/source/xref/jds/spec-files/branches/gnome-2-30-s11update/patches/gnutls-02-cve-2012-1573.diff

> hash_size instead.

So the report is invalid and I'll report upstream.

	Rainer

-- 
-----------------------------------------------------------------------------
Rainer Orth, Center for Biotechnology, Bielefeld University

Message #18 received at 13406 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Rainer Orth <ro <at> CeBiTec.Uni-Bielefeld.DE>
Cc: 13406 <at> debbugs.gnu.org, 13406-done <at> debbugs.gnu.org
Subject: Re: bug#13406: 24.2.92; gnus fails imap connection with TLS
Date: Wed, 16 Jan 2013 09:09:06 -0500

On Tue, 15 Jan 2013 11:24:29 +0100 Rainer Orth <ro <at> CeBiTec.Uni-Bielefeld.DE> wrote: 

RO> Ted Zlatanov <tzz <at> lifelogs.com> writes:
>> Can you try from the command line, with `gnutls-cli'?

RO> gnutls-cli isn't installed on Solaris 11, so I built the upstream
RO> version of gnutls 2.8.6 myself.  With the unchanged version, imap with
RO> TLS works fine.  I've then dug up the build receipe on opensolaris.org
RO> and found that the fix for CVE-2012-1573 is wrong: while upstream

RO> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=422214868061370aeeb0ac9cd0f021a5c350a57d;hp=cfea38b5482c21fe6ddffaddc59a0040f80bd578

RO> uses a ciphertext.size < hash_size test, Solaris has

RO> http://src.opensolaris.org/source/xref/jds/spec-files/branches/gnome-2-30-s11update/patches/gnutls-02-cve-2012-1573.diff

>> hash_size instead.

RO> So the report is invalid and I'll report upstream.

Thank you for the thoroughness, it saves us a lot of work!  Marking this
bug as done.

Ted

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.