[pkg-fetchmail-maint] Bug#576430: Bug#576430: fetchmail: Doesn't load all ssl algorithms

Sjoerd Simons sjoerd at luon.net
Mon Apr 5 23:23:24 UTC 2010


On Mon, Apr 05, 2010 at 11:22:53PM +0200, Matthias Andree wrote:
> Am 04.04.2010, 17:39 Uhr, schrieb Sjoerd Simons:
> 
> >Package: fetchmail
> >Version: 6.3.15-1
> >Severity: important
> >Tags: patch
> >
> >
> >As the subject says, during openssl initialisation fetchmail
> >doesn't seem to load all ssl algorithms causing the ssl
> >negotiation to fail depending on what the server wants to use..
> 
> ssl(3) doesn't state that this OpenSSL_add_all_algorithms() is
> needed. Neither does SSL_connect or SSL_library_init. The only EVP
> reference is EVP_md5() explicitly, which doesn't need
> OpenSSL_add_all_algorithms() either. So could you:
> 
> 1. please demonstrate an actual failure case

I can't get my mail without that patch, otherwise I wouldn't even have bothered
looking at the fetchmail code :) It produces errors like:

28607:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
digest algorithm:a_verify.c:146:
28607:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed:s3_clnt.c:982:

> 2. tell me how I as programmer should/could have known this in
> advance? I'm really annoyed that so much ssl lore needs to be
> retrofitted over time whenever there appears to be some new failure.
> ssl(3) states I need to run SSL_library_init and seed the RNG on
> machines without /dev/*random. Nothing about
> OpenSSL_add_all_algorithms().
> 
> If the OpenSSL documentation is so incomplete, I may have to switch
> the SSL library inside stable versions to avoid such issues.

The OpenSSL API is horrible, welcome to reality? :) Note that nobody is saying
that you should have known this in advance, openssl is a bit special like this
unfortunately. Luckily there are poor people like myself around who have had
the ``pleasure'' of dealing with openssl before and instantly recognize these
kinds of failure cases as, oh, this little bit is missing over there...

If you want to dig slightly deeper, our certificate uses sha-256 as a digest
which doesn't get added by SSL_library_init by default for some reason :/

  Sjoerd
-- 
The optimist thinks that this is the best of all possible worlds,
and the pessimist knows it.
		-- J. Robert Oppenheimer, "Bulletin of Atomic Scientists"