
Bug#1041517: sendemail: when using starttls, SSL_verifycn_name is not set, leading to hostname verification failed


Judit Foglszinger

Jul 20, 2023, 2:20:06 AM
Package: sendemail
Version: 1.56-5.1
Severity: normal
Tags: patch

Hi,

when using sendemail to send an email with
relay mail-submit.debian.org (uses starttls),
hostname verification fails -

$ sendEmail -o tls=yes -f "ur...@debian.org" \
-t reci...@example.org -s mail-submit.debian.org:587 \
-o message-file=/tmp/mail.txt \
-xu urbec -xp the-password-is-always-password \
-u "Test email"
Jul 13 21:06:32 (...) sendEmail[11565]: ERROR => TLS setup failed: hostname verification failed
$

Non-recent versions of SSL.pm also showed the following error message -
Use of uninitialized value $2 in concatenation (.) or string at /usr/share/perl5/IO/Socket/SSL.pm line 792.

The current version in sid replaces the missing hostname
with the sender's IP, so no error message beyond
"hostname verification failed" anymore.

(versions before bookworm just allowed IP addresses as always verified,
but that's no longer the case)

The following patch passes the hostname -

Description: Fix TLS hostname verification.
Author: Unit 193 <uni...@debian.org>
Forwarded: no

--- sendemail-1.56.orig/sendEmail
+++ sendemail-1.56/sendEmail
@@ -1930,7 +1930,10 @@ if( $conf{'use_sendmail'} ) {
if ($conf{'tls_server'} == 1 and $conf{'tls_client'} == 1 and $opt{'tls'} =~ /^(yes|auto)$/) {
printmsg("DEBUG => Starting TLS", 2);
if (SMTPchat('STARTTLS')) { quit($conf{'error'}, 1); }
- if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv23:!SSLv2')) {
+ if (! IO::Socket::SSL->start_SSL($SERVER,
+ SSL_version => 'TLSv12:!SSLv2',
+ SSL_verifycn_scheme => 'smtp',
+ SSL_verifycn_name => $conf{'server'})) {
quit("ERROR => TLS setup failed: " . IO::Socket::SSL::errstr(), 1);
}
printmsg("DEBUG => TLS: Using cipher: ". $SERVER->get_cipher(), 3);
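Review bot: the SSL_version argument on the added start_SSL call changes from 'SSLv23:!SSLv2' to 'TLSv12:!SSLv2', which the Description ("Fix TLS hostname verification.") does not cover. As IO::Socket::SSL documents it, a single version name such as TLSv12 restricts the handshake to that version, so this would stop negotiating TLS 1.3 with relays that offer it; keeping the negotiating form and excluding old versions there, or moving the protocol change into its own patch, would keep this one to the two SSL_verifycn_* lines. It is also worth confirming that $conf{'server'} holds the bare host name, since the report's invocation passes -s mail-submit.debian.org:587 and a name with the port still attached would not match the certificate.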

Unit 193

Aug 4, 2023, 6:30:04 PM
Package: sendemail
Version: 1.56-5.1
Severity: normal
Tags: patch pending


Dear maintainer,

I've prepared an NMU for sendemail (versioned as 1.56-5.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru sendemail-1.56/debian/changelog sendemail-1.56/debian/changelog
--- sendemail-1.56/debian/changelog 2021-01-01 10:47:46.000000000 -0500
+++ sendemail-1.56/debian/changelog 2023-08-04 17:32:05.000000000 -0400
@@ -1,3 +1,12 @@
+sendemail (1.56-5.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * d/p/fix_tls_hostname_verification.patch: Fix TLS hostname verification.
+ Closes: #1041517.
+ * d/control, Update 'homepage' field. (Closes: #884459)
+
+ -- Unit 193 <uni...@debian.org> Fri, 04 Aug 2023 17:32:05 -0400
+
sendemail (1.56-5.1) unstable; urgency=medium

* Non maintainer upload by the Reproducible Builds team.
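Review bot: the new changelog entry records only "Fix TLS hostname verification", but the patch it ships also changes SSL_version from 'SSLv23:!SSLv2' to 'TLSv12:!SSLv2'; a protocol-version change deserves its own changelog line. The two bullets also close bugs in different styles ("Closes: #1041517." on a continuation line versus "(Closes: #884459)"), and "d/control, Update" uses a comma where the previous bullet uses a colon; making them consistent is cheap.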
diff -Nru sendemail-1.56/debian/control sendemail-1.56/debian/control
--- sendemail-1.56/debian/control 2013-09-01 09:20:32.000000000 -0400
+++ sendemail-1.56/debian/control 2023-08-04 17:31:54.000000000 -0400
@@ -4,7 +4,7 @@
Maintainer: Alejandro Garrido Mota <alej...@debian.org>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.4
-Homepage: http://www.caspian.dotconf.net/menu/Software/SendEmail/
+Homepage: http://caspian.dotconf.net/menu/Software/SendEmail/
Vcs-Git: git://github.com/mogaal/sendemail.git
Vcs-Browser: https://github.com/mogaal/sendemail

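Review bot: the replacement Homepage value is still a plain http:// URL; if the site answers over https, use that form instead. While this stanza is being touched, the unchanged Vcs-Git line still uses git://, an unauthenticated transport, and could take the https URL that the Vcs-Browser line already shows.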
diff -Nru sendemail-1.56/debian/patches/fix_tls_hostname_verification.patch sendemail-1.56/debian/patches/fix_tls_hostname_verification.patch
--- sendemail-1.56/debian/patches/fix_tls_hostname_verification.patch 1969-12-31 19:00:00.000000000 -0500
+++ sendemail-1.56/debian/patches/fix_tls_hostname_verification.patch 2023-08-04 17:31:54.000000000 -0400
@@ -0,0 +1,23 @@
+Description: Fix TLS hostname verification.
+Author: Unit 193 <uni...@debian.org>
+Forwarded: no
+Bug: #1041517
+
+---
+ sendEmail | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sendEmail
++++ b/sendEmail
+@@ -1930,7 +1930,10 @@ if( $conf{'use_sendmail'} ) {
+ if ($conf{'tls_server'} == 1 and $conf{'tls_client'} == 1 and $opt{'tls'} =~ /^(yes|auto)$/) {
+ printmsg("DEBUG => Starting TLS", 2);
+ if (SMTPchat('STARTTLS')) { quit($conf{'error'}, 1); }
+- if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv23:!SSLv2')) {
++ if (! IO::Socket::SSL->start_SSL($SERVER,
++ SSL_version => 'TLSv12:!SSLv2',
++ SSL_verifycn_scheme => 'smtp',
++ SSL_verifycn_name => $conf{'server'})) {
+ quit("ERROR => TLS setup failed: " . IO::Socket::SSL::errstr(), 1);
+ }
+ printmsg("DEBUG => TLS: Using cipher: ". $SERVER->get_cipher(), 3);
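Review bot: in the DEP-3 header, "Bug: #1041517" uses the field meant for the upstream tracker; a Debian bug is normally given as Bug-Debian: https://bugs.debian.org/1041517. "Forwarded: no" also leaves a certificate-verification fix unknown to upstream, so either forward it or say why it is Debian-specific. The Description line should mention the SSL_version change carried in the embedded hunk, or that change should be dropped from this patch.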
diff -Nru sendemail-1.56/debian/patches/series sendemail-1.56/debian/patches/series
--- sendemail-1.56/debian/patches/series 2013-09-01 09:20:32.000000000 -0400
+++ sendemail-1.56/debian/patches/series 2023-08-04 17:31:54.000000000 -0400
@@ -1,3 +1,4 @@
fix_ssl_version.patch
add-ipv6-support.patch
local-sendmail.patch
+fix_tls_hostname_verification.patch
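
The failure reported in the first message of this thread, modelled as an added example (not sendEmail or IO::Socket::SSL code): when no verification name is supplied, the peer's IP address becomes the identity checked against the certificate, and a certificate that lists only DNS names cannot match it. The SAN list and peer address are constructed, and the matcher is a simplified RFC 6125-style check, not the library's implementation.

```python
import ipaddress

def is_ip(value):
    """True if value parses as an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def match_dns(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    # Wildcard must cover exactly one label and leave at least two fixed labels.
    return p[0] == "*" and len(p) == len(h) and len(p) > 2 and p[1:] == h[1:]

def verify_identity(cert_sans, reference):
    """cert_sans: list of (type, value) pairs with type 'DNS' or 'IP'."""
    if is_ip(reference):
        ref = ipaddress.ip_address(reference)
        # An IP reference identity may only match an IP-type SAN, never a DNS name.
        return any(t == "IP" and ipaddress.ip_address(v) == ref
                   for t, v in cert_sans)
    return any(t == "DNS" and match_dns(v, reference) for t, v in cert_sans)

def reference_identity(verify_name, peer_ip):
    """Model of the reported behaviour: with no name given, the IP is checked."""
    return verify_name if verify_name else peer_ip

# Constructed sample data: a certificate with one DNS SAN, and a peer
# address from the 192.0.2.0/24 documentation range.
CERT_SANS = [("DNS", "mail-submit.debian.org")]
PEER_IP = "192.0.2.25"

def check(verify_name):
    """Outcome of name verification for the caller-supplied name (or None)."""
    return verify_identity(CERT_SANS, reference_identity(verify_name, PEER_IP))

if __name__ == "__main__":
    for name in (None, "mail-submit.debian.org", "mail-submit.debian.org:587"):
        print(repr(name), "->", "verified" if check(name) else "hostname verification failed")
```

The third case shows why the value passed as the verification name has to be the bare host name: a `host:port` string is neither an IP literal nor a name present in the certificate.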