Debian Bug report logs - #502361
courier-imap-ssl package breaks SSL on upgrade; hashed certs culprit.

Package: courier-imap-ssl; Maintainer for courier-imap-ssl is (unknown);

Reported by: Sam Vilain <sam@vilain.net>

Date: Wed, 15 Oct 2008 22:27:01 UTC

Severity: important

Found in version courier/0.60.0-2

Fixed in versions 0.75.0-1, 0.73.1-1.6

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#502361; Package courier-imap-ssl. (Wed, 15 Oct 2008 22:27:04 GMT).


Acknowledgement sent to Sam Vilain <sam@vilain.net>:
New Bug report received and forwarded. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (Wed, 15 Oct 2008 22:27:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Sam Vilain <sam@vilain.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: courier-imap-ssl package breaks SSL on upgrade; hashed certs culprit.
Date: Thu, 16 Oct 2008 11:24:21 +1300
Package: courier-imap-ssl
Version: 4.4.0-2
Severity: important


Hi,

I just upgraded to lenny and found that my imap SSL connection no
longer works.

 maia:~$ telnet -z ssl mail.utsl.gen.nz 993
 Trying 202.78.240.73...
 SSL_connect: Success
 maia:~$ 

In Evolution this manifested as "Error while Refreshing folder", and
clicking on the little alert triangle that appears in the bottom left
it then says "Server unexpectedly disconnected: Input/output error"

I downgraded to the etch courier-imap-ssl package, then re-upgraded,
keeping the old config file - which worked.  I eventually worked out
that the new TLS_TRUSTCERTS option was triggering the issue.

Also, I saw this error message in /var/log/mail.log:

Oct 16 11:12:49 mail imapd-ssl: couriertls: connect: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table

Removing the /var/lib/courier/couriersslcache file did not resolve
this, however removing all of the hashed certs in /usr/lib/ssl/certs
fixed it.

 maia:~$ telnet -z ssl mail.utsl.gen.nz 993
 Trying 202.78.240.73...
 Connected to mail.utsl.gen.nz.
 Escape character is '^]'.
 * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for distribution information.
 ^]
 telnet> close
 maia:~$ 

Workarounds:

 1. remove hashed certificates in /usr/lib/ssl/certs

   rm /usr/lib/ssl/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]*

 2. disable TLS_TRUSTCERTS in /etc/courier/imapd-ssl

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.16.x
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages courier-imap-ssl depends on:
di  courier-imap                  4.4.0-2    Courier mail server - IMAP server
ii  courier-ssl                   0.60.0-2   Courier mail server - SSL/TLS Supp
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a

courier-imap-ssl recommends no packages.

Versions of packages courier-imap-ssl suggests:
pn  courier-doc                   <none>     (no description available)
ii  mutt [imap-client]            1.5.18-4   text-based mailreader supporting M

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#502361; Package courier-imap-ssl. (Tue, 17 Mar 2009 18:24:02 GMT).


Acknowledgement sent to Eray Aslan <eray.aslan@caf.com.tr>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (Tue, 17 Mar 2009 18:24:02 GMT).


Message #10 received at 502361@bugs.debian.org:

From: Eray Aslan <eray.aslan@caf.com.tr>
To: 502361@bugs.debian.org
Subject: probable reason: duplicate certificates in ca-certificates
Date: Tue, 17 Mar 2009 20:22:49 +0200

Postfix is affected as well.  Probable reason:  same certificates with
different filenames for cacert.org in ca-certificates (#494343)

Relevant discussion in openssl-users list and gentoo bugzilla:
http://marc.info/?l=openssl-users&m=123721072930382&w=2
http://bugs.gentoo.org/show_bug.cgi?id=254328

Also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494343
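
Message #10 attributes the failure to the same certificate being present under different filenames. The following is an added example (not from the bug report, Courier or OpenSSL) that scans a certificate directory for distinct files holding the same certificate; the file names and certificate bytes in `build_sample_dir` are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import os
import re
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PEM_FMT = b"-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"

def cert_fingerprints(path):
    """SHA-256 over the decoded bytes of each PEM certificate block in a file."""
    with open(path, "rb") as fh:
        blocks = PEM_RE.findall(fh.read())
    prints = []
    for body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:              # malformed base64: not a usable block
            continue
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def find_duplicate_certs(cert_dir):
    """Return {fingerprint: [files]} for certs stored in more than one file."""
    seen = defaultdict(set)
    for name in os.listdir(cert_dir):
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):        # skips dirs and dangling symlinks
            continue
        real = os.path.realpath(path)       # a hashed symlink counts as its target
        for fp in cert_fingerprints(real):
            seen[fp].add(real)
    return {fp: sorted(p) for fp, p in seen.items() if len(p) > 1}

def build_sample_dir(root):  # constructed sample: placeholder bytes, not real certs
    a, b = b"placeholder CA A " * 6, b"placeholder CA B " * 6
    files = {"root-a.pem": base64.b64encode(a),          # one long base64 line
             "root-a-copy.crt": base64.encodebytes(a),   # same bytes, wrapped lines
             "root-b.pem": base64.b64encode(b)}
    for name, b64 in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(PEM_FMT % b64.strip())
    os.symlink("root-a.pem", os.path.join(root, "0a1b2c3d.0"))  # constructed name
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(find_duplicate_certs(build_sample_dir(d)))
```

On a real system, call `find_duplicate_certs` on the certificate directory in question (in this report, `/usr/lib/ssl/certs`); an empty result means no certificate is stored in two different files.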




Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Wed, 16 Mar 2016 15:07:00 GMT).


Notification sent to Sam Vilain <sam@vilain.net>:
Bug acknowledged by developer. (Wed, 16 Mar 2016 15:07:01 GMT).


Message #15 received at 502361-done@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 630166-done@bugs.debian.org, 669146-done@bugs.debian.org, 594847-done@bugs.debian.org, 647467-done@bugs.debian.org, 536253-done@bugs.debian.org, 502361-done@bugs.debian.org, 482127-done@bugs.debian.org, 460888-done@bugs.debian.org, 457066-done@bugs.debian.org, 450435-done@bugs.debian.org, 241299-done@bugs.debian.org, 255687-done@bugs.debian.org, 291325-done@bugs.debian.org, 294656-done@bugs.debian.org, 310839-done@bugs.debian.org, 317942-done@bugs.debian.org, 360246-done@bugs.debian.org, 394959-done@bugs.debian.org, 406877-done@bugs.debian.org, 427756-done@bugs.debian.org, 430166-done@bugs.debian.org, 438993-done@bugs.debian.org, 226141-done@bugs.debian.org, 379806-done@bugs.debian.org, 703570-done@bugs.debian.org, 100646-done@bugs.debian.org, 198880-done@bugs.debian.org, 218148-done@bugs.debian.org, 250817-done@bugs.debian.org, 296039-done@bugs.debian.org, 315636-done@bugs.debian.org, 495194-done@bugs.debian.org, 589225-done@bugs.debian.org, 273259-done@bugs.debian.org
Subject: Closing ancient bugs
Date: Wed, 16 Mar 2016 16:02:56 +0100
Version: 0.73.1-1.6

I am closing all pre-wheezy bug reports and non-critical wheezy bug
reports. If you can reproduce the issue using jessie (or even better
current unstable), feel free to reopen the bug.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Marked as fixed in versions 0.75.0-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Tue, 14 Jun 2016 22:00:05 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Jul 2016 07:32:25 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 16 06:14:24 2024; Machine Name: buxtehude
