Diffstat (limited to 'repo/imap/2014_openssl1.1.1_sni.patch')
-rw-r--r--repo/imap/2014_openssl1.1.1_sni.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/repo/imap/2014_openssl1.1.1_sni.patch b/repo/imap/2014_openssl1.1.1_sni.patch
new file mode 100644
index 0000000..af2bf99
--- /dev/null
+++ b/repo/imap/2014_openssl1.1.1_sni.patch
@@ -0,0 +1,40 @@
+Bug-Debian: https://bugs.debian.org/916041
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1834340
+Description:
+ Google IMAP servers require SNI if TLSv1.3 is used,
+ otherwise it sends a self-signed certificate which
+ fails validation.
+
+ OpenSSL support/versions:
+ - TLSv1.3 on 1.1.1,
+ - a2i_IPADDRESS() on 0.9.8'ish,
+ - SSL_set_tlsext_host_name() on 0.9.8'ish/1.0.0;
+ per 'git blame/describe' and the CHANGES file.
+
+ So check for TLSv1.3 support / OpenSSL 1.1.1
+ not to incur behavior changes on pre-TLSv1.3,
+ and set host_name to 'host' (ssl_open_verify()
+ validates this, via 'ssl_last_host' variable)
+
+ This patch just combines these two patches:
+ - BTS#916041 (message #5) by Ed Spiridonov,
+ - LP#916041 (comment #6) by David Zuelke.
+Author: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+--- a/src/osdep/unix/ssl_unix.c
++++ b/src/osdep/unix/ssl_unix.c
+@@ -266,6 +266,14 @@ static char *ssl_start_work (SSLSTREAM *
+ /* create connection */
+ if (!(stream->con = (SSL *) SSL_new (stream->context)))
+ return "SSL connection failed";
++#if OPENSSL_VERSION_NUMBER >= 0x10101000
++ /* Use SNI in case server requires it with TLSv1.3.
++ * Literal IP addresses not permitted per RFC 6066. */
++ if (!a2i_IPADDRESS(host)) {
++ ERR_clear_error();
++ SSL_set_tlsext_host_name(stream->con,host);
++ }
++#endif
+ bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
+ SSL_set_bio (stream->con,bio,bio);
+ SSL_set_connect_state (stream->con);
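Review bot: The `a2i_IPADDRESS(host)` call in the added `#if` block leaks the `ASN1_OCTET_STRING` it returns whenever host is an IP literal, since the result is only tested and never freed; the inner patch's new side should read `ASN1_OCTET_STRING *ip = a2i_IPADDRESS(host);` / `if (ip) ASN1_OCTET_STRING_free(ip);` / `else { ERR_clear_error(); SSL_set_tlsext_host_name(stream->con,host); }`. The return value of `SSL_set_tlsext_host_name()` is also ignored, so a failure to set the extension silently falls back to a connection without SNI, which is exactly the case the patch description says ends in a failed certificate validation against the self-signed fallback certificate; checking it and at least logging would make that failure diagnosable. I would also extend the comment to say that `host` is the same value `ssl_open_verify()` later checks via `ssl_last_host`, as stated in the description, so that a future change to one site is less likely to desynchronise the other. The enclosing function `ssl_start_work` begins and continues outside this hunk.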