Upon certificate issues, STARTTLS is ignored and the password sent in plaintext #15
Comments
Hello Dennis, STARTTLS is supported. What are your command line options? --authmd51 : Use MD5 authentification for host1. On 19/01/2014 20:29, Dennis Schridde wrote:
Au revoir, 09 51 84 42 42
Hello Gilles! My server surely allows PLAIN and LOGIN over an encrypted connection. It authenticates against PAM, so there is no other way. The command-line options were:
Hi Dennis, Ok but the error message "NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections." is given by the imap server, not by imapsync. Try also imapsync ... --ssl1 Then debug what's wrong with your server, maybe it wants certificates or something like that?
Au revoir, 09 51 84 42 42
The problem seems to be that imapsync cannot verify the server certificate (own CA). After STARTTLS fails locally, it tries to send CAPABILITY, which likely fails because the server expects the client to finish the STARTTLS sequence instead. Afterwards imapsync just reconnects, ignores the LOGINDISABLED capability and tries to LOGIN over a plaintext connection. The major problems I see in this:
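A client-side check that closes the gap Dennis describes, as an added example in Python (not imapsync's own code): FakeImap and its scripted replies are constructed stand-ins, and the policy aborts whenever STARTTLS fails or the server advertises LOGINDISABLED instead of reconnecting and sending LOGIN in plaintext.

```python
import re
import ssl

class PlaintextLoginRefused(Exception):
    """Raised when LOGIN would otherwise go out over an unprotected connection."""

def parse_capabilities(line):
    """Parse an untagged '* CAPABILITY ...' response into upper-case tokens."""
    m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    if not m: raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}

def login_allowed(caps, tls_established):
    """Return (ok, reason): may a LOGIN command be sent on this connection now?"""
    if tls_established:
        return True, "TLS active"
    if "LOGINDISABLED" in caps:
        return False, "server advertises LOGINDISABLED"
    if "STARTTLS" in caps:
        return False, "server offers STARTTLS; it must succeed before LOGIN"
    return False, "no TLS available; refusing to send the password in plaintext"

class FakeImap:
    """Constructed stand-in for a socket: scripted CAPABILITY reply; cert_ok=False
    mimics the 'certificate verify failed' error from the issue."""
    def __init__(self, caps_line, cert_ok):
        self.caps_line, self.cert_ok, self.tls, self.sent = caps_line, cert_ok, False, []
    def capability(self):
        self.sent.append("CAPABILITY")
        return self.caps_line
    def starttls(self):
        self.sent.append("STARTTLS")
        if not self.cert_ok:
            raise ssl.SSLCertVerificationError("certificate verify failed")
        self.tls = True  # only reached when the server certificate validated

def secure_login(conn, user, password):
    """Log in only when safe; a TLS failure aborts instead of falling back."""
    caps = parse_capabilities(conn.capability())
    if "STARTTLS" in caps and not conn.tls:
        try:
            conn.starttls()
        except ssl.SSLError as exc:
            raise PlaintextLoginRefused("STARTTLS failed: %s" % exc) from exc
        caps = parse_capabilities(conn.capability())  # RFC 2595: re-read after TLS
    ok, reason = login_allowed(caps, conn.tls)
    if not ok:
        raise PlaintextLoginRefused(reason)
    conn.sent.append("LOGIN %s <password>" % user)  # password never hits a plaintext link
    return True
```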
Dear Dennis,
Ok. Bad imapsync.
Yes, you are twice right. I'll fix that soon. Now did you find why you get "SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"? Can you try with option --ssl1_SSL_version fixing the ssl version, for example imapsync ... --ssl1 --ssl1_SSL_version "SSLv3" Possibilities:
Au revoir, 09 51 84 42 42
Yes, the CA cert I added to /usr/local/share/ca-certificates was old and expired (i.e. not the one that signed the server's cert), so OpenSSL considered the chain untrusted. Rightly so, as there was a self-signed certificate in it. After I fixed that, imapsync worked like a charm.
Dear Dennis, I fixed this ugly bug in imapsync 1.582 On 22/01/2014 00:30, Dennis Schridde wrote:
Au revoir, 09 51 84 42 42
Thanks! My server is configured to listen only on port 143 and to require STARTTLS before allowing login - if that helps you reproduce it. If you want, I can send you a copy of my dovecot config.
Hi Dennis,
I already have tls servers. Au revoir, 09 51 84 42 42
It's easier than that. If you have a server with a valid certificate that was signed by a local CA, and you do not put the CA cert in /usr/local/share/ca-certificates, you'll be able to reproduce. CAcert will probably work as well, if it is not automatically trusted by your distribution.
Hallo Dennis, In fact I had nothing to prepare. But it's more complicated, there's still something weird, since I found that: --ssl1 --tls2 fails on host2 login with "Unable to start TLS: Cannot determine peer hostname for verification". I search.
2 ll_dev_reconnect_ssl_tls
Transfer started at Tue Jan 28 15:35:55 2014
Info: will act as --uidexpunge2
On 24/01/2014 23:19, Dennis Schridde wrote:
Au revoir, 09 51 84 42 42
Currently there seems to be no STARTTLS support in imapsync, is that correct?
--tls1/2 on my system still results in (excerpt from output):