I've just updated openssl from 1.0.2t-r1 to 1.1.1d-r2 and fetchmail immediately started failing to connect to gmail (but it is still able to connect to yandex):

fetchmail: No mail for powerman-asdf at pop3.yandex.ru
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from powerman.asdf@gmail.com@pop.gmail.com
fetchmail: Query status=2 (SOCKET)

I've re-emerged fetchmail but this doesn't help.
Downgrading to dev-libs/openssl-1.0.2t-r1 and then rebuilding fetchmail solved the issue.
I was seeing something similar. Based on information I gleaned from https://www.linuxquestions.org/questions/slackware-14/openssl-1-1-1-upgrade-breaks-fetchmail-with-gmail-4175638336/ , a better workaround seems to be to add the two-word phrase "sslproto tls1" to each stanza in your .fetchmailrc file. At least it works for me. I'm not exactly sure why it can't (or stopped?) auto-negotiating this, and I suspect it may be necessary to revisit how to configure ssl after fetchmail 6.4.x is stabilized.
Proper fix is this patch: https://gitlab.com/fetchmail/fetchmail/commit/9b8b634312f169fab872f3580c2febe5af031615
Relevant Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1611815

Applying this patch on stable 6.3.26-r4 worked on my server.

And apparently, yes, downgrading to TLS 1.0 is a workaround, but I do not recommend it (and Google may also not allow it anymore soon).

Also I realize fetchmail is maintainer-needed... I will try to find some time for it (and get a 6.4.x version in tree).
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=007a2aaf7a9ddc876bc374305c498c270e2727cd

commit 007a2aaf7a9ddc876bc374305c498c270e2727cd
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2019-10-27 08:58:28 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2019-10-27 08:58:41 +0000

    net-mail/fetchmail: 6.4.1 bump

    6.4 release is available and is recommended update upstream
    GLEP 81 conversion will be done later, this has minimal changes so it can be stabilized quickly

    Closes: https://bugs.gentoo.org/697030
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-mail/fetchmail/Manifest               |   1 +
 net-mail/fetchmail/fetchmail-6.4.1.ebuild | 108 ++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
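
Added example (not part of any comment in this report, and not fetchmail's own code): a small triage script for fetchmail output that separates the failure reported at the top of this thread, where the server presents a placeholder certificate whose OU says no SNI was provided, from an ordinary untrusted certificate. The second session in the sample and its example.test host names are constructed; `triage` and `parse_subject` are names chosen for this example.

```python
import re

# Constructed input: the failing session from the report above, followed by a
# made-up session against a host that presents an ordinary self-signed cert.
SAMPLE_LOG = """\
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: SSL connection failed.
fetchmail: Server CommonName mismatch: mail.example.test != pop.example.test
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /O=Example/CN=mail.example.test
fetchmail: SSL connection failed.
"""

MISMATCH = re.compile(r"Server CommonName mismatch: (\S+) != (\S+)")
ANCHOR = re.compile(r"Missing trust anchor certificate: (/.*)$")


def parse_subject(dn):
    """Split an OpenSSL one-line subject (/K=V/K=V) into a dict."""
    # Split only on a '/' that starts a new KEY=, so values may contain '/'.
    parts = re.split(r"/(?=[A-Za-z0-9.]+=)", dn)
    return dict(p.split("=", 1) for p in parts if "=" in p)


def triage(log):
    """Return one finding per failed TLS session in fetchmail output."""
    findings, cur = [], {}
    for line in log.splitlines():
        if m := MISMATCH.search(line):
            cur = {"expected": m.group(2), "presented_cn": m.group(1)}
        elif m := ANCHOR.search(line):
            cur["subject"] = parse_subject(m.group(1))
        elif "SSL connection failed" in line and cur:
            ou = cur.get("subject", {}).get("OU", "")
            # The placeholder certificate names its own cause in the OU field.
            cur["cause"] = ("client-sent-no-sni" if "No SNI provided" in ou
                            else "untrusted-certificate")
            findings.append(cur)
            cur = {}
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["expected"], "->", f["cause"], f.get("subject"))
```

The result only explains why verification failed; rejecting the placeholder certificate is the correct outcome, and the remedies named in the thread are the upstream patch or the 6.4.1 bump.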