Hi openssl team,
fairly recently my OS archlinux hopped to 3.0.7. Since then …I cannot
synchronize one of my email accounts anymore (via offlineimap). I will
post below the error I get. Honestly, I am not even sure if this is
related to openssl at all, but I think it is (could also be the server,
but I doubt that since it is in active use daily by thousands). Any help is appreciated.
```
$ openssl version -a
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
built on: Tue Nov 1 18:21:33 2022 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -flto=auto -Wa,--noexecstack -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -flto=auto -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/etc/ssl"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ed8320b078bffff:0x400004219c91a9
```
```
$ openssl s_client -host imap.cern.ch -port 993
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = CH, ST = Gen\C3\A8ve, O = CERN Organisation Europ\C3\A9enne pour la Recherche Nucl\C3\A9aire, CN = mmm.cern.ch
verify return:1
4047CDAA757F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:
---
Certificate chain
0 s:C = CH, ST = Gen\C3\A8ve, O = CERN Organisation Europ\C3\A9enne pour la Recherche Nucl\C3\A9aire, CN = mmm.cern.ch
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 12 00:00:00 2022 GMT; NotAfter: Nov 12 23:59:59 2023 GMT
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Nov 2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHPDCCBiSgAwIBAgIRAL9LNI6mi8nzDIKo9/ABvHEwDQYJKoZIhvcNAQELBQAw
gZUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE9MDsGA1UE
AxM0U2VjdGlnbyBSU0EgT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gU2VjdXJlIFNl
cnZlciBDQTAeFw0yMjExMTIwMDAwMDBaFw0yMzExMTIyMzU5NTlaMHoxCzAJBgNV
BAYTAkNIMRAwDgYDVQQIDAdHZW7DqHZlMUMwQQYDVQQKDDpDRVJOIE9yZ2FuaXNh
dGlvbiBFdXJvcMOpZW5uZSBwb3VyIGxhIFJlY2hlcmNoZSBOdWNsw6lhaXJlMRQw
EgYDVQQDEwttbW0uY2Vybi5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAK2FIE0gI0ElE4J1JgkAaDFUyDOKnRWxuiDtBHNKjGGiRuThoZD6zGIBHUNU
sYl/3OHaPWzyaksBIbpXF68QV4TOIGlcHte2x7teYJ2l/3VGe/G66ubk0fQeN1pR
mSo52MKrNZY6EM90vD4fV464m69FivhZgq5AqHdO1RF+8x6WfkCL6EkBbfp9tswi
/FSWPVkyVOt8UlxDBTHNDXnRpyl3aysaZWt6QPZDvvDX8XpHpfby7jEzYgwKha8S
+Ojr6tYve+3bivRIuPCIFv34qv/l5/BTS928XYuqWsRNzp5VFy1mggAxSyBOR/7L
dGgWtykm/P+VtCuuxu8KBqDUH50CAwEAAaOCA58wggObMB8GA1UdIwQYMBaAFBfZ
1iUnZ/kxwklD2TA2RIxsqU/rMB0GA1UdDgQWBBQLwS6tYjWxWP8h6PNyphiXe/95
SjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwSgYDVR0gBEMwQTA1BgwrBgEEAbIxAQIBAwQwJTAjBggr
BgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQICMFoGA1Ud
HwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuc2VjdGlnby5jb20vU2VjdGlnb1JTQU9y
Z2FuaXphdGlvblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYoGCCsGAQUF
BwEBBH4wfDBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0
aWdvUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAj
BggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wggGABgorBgEEAdZ5
AgQCBIIBcASCAWwBagB3AK33vvp8/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr3IKK
AAABhGtrl50AAAQDAEgwRgIhAMgQijAxWyTL+t5TqIWp4shmWWnZNgW2WpJiKABj
baqBAiEAt+rNm1ZakYlWmBhJV21wI9Bi6b3yEsRgPV4o8JuCaN4AdwB6MoxU2Lct
tiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYRra5d/AAAEAwBIMEYCIQCKGPTo
dW/NLZBX0MtxSWI15C+Ebo/S5Npp8jRao2fXSgIhAJEoAONKt5v9+/GzlGFBymu6
CLCWI45uHsLfBPA6c77kAHYA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0G
vW4AAAGEa2uXRwAABAMARzBFAiEAuK0bOXziliJXfaI8bxZuzUk1X5jIoZIIwVTx
VZ/axrgCIAbWyyR/8Z3e8ExKDEt/xOwUuQYAvQurdcB4VGJmQh99MGMGA1UdEQRc
MFqCC21tbS5jZXJuLmNoghRhdXRvZGlzY292ZXIuY2Vybi5jaIIMaW1hcC5jZXJu
LmNoggxsZGFwLmNlcm4uY2iCC3BvcC5jZXJuLmNoggxzbXRwLmNlcm4uY2gwDQYJ
KoZIhvcNAQELBQADggEBAAXWpsYbTbDwCI3JFCVfVtLV07Rois5lNagO/uJNWdPn
vuEJMp/RwA7+HfofdhmR3x0G4MBvmOzFS5OKU1XHYijDnSr69TRJv6IXEKVagjq/
y6Q/bseN4gYnJyoc1AjHttfztjyVhHdPeHknCi+uujnRNA1UEh7fFswgFuv4SPep
Jmaq8QGYVsngCcVICv7UAlVyvAbF/aqx7NPh4JSUhtsGFf9HTcYAmeRTsj06Wt1O
3qrGj/g/u/uIdceiDJdBxSbXg/m/mXn2RHceMOUi16y9wuuVAr9XXdUqXdUbaNP3
CU/lSC0wMuIjGQ4nt/1M1v/wwwEwhbaOShGwa93MLHQ=
-----END CERTIFICATE-----
subject=C = CH, ST = Gen\C3\A8ve, O = CERN Organisation Europ\C3\A9enne pour la Recherche Nucl\C3\A9aire, CN = mmm.cern.ch
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5275 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID: BD2A0000325E656B9F5CA29F00AD3CE4BA28BA10A5382DA19A9D0C8E9B5E28B1
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1670528517
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
```
As you can see above there is an error and I have not idea what it
means. This manifests in me not being able to sync my email on this server.
Note that I have no experience with openssl, just used it
passively.
If it is not related to openssl, sorry for the noise :)