Yesterday's upgrade of openssl-1.1.0i to openssl-1.1.1 has broken my fetchmail downloads from pop.gmail.com. I have reverted to openssl-1.1.0i and it works fine again.
The gmail stanza in .fetchmailrc is as follows:
Code:
poll pop.gmail.com with proto pop3 port 995
auth password
user 'username' with password 'password' mda "/usr/bin/procmail" ssl sslproto ssl23 sslcertck
The errors I get with openssl-1.1.1 are:
Code:
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fetchmail: SSL connection failed.
Presumably openssl-1.1.1 has changed something as regards certificate validation. Any ideas about how to fix this?
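A triage sketch for the fetchmail output above, added here and not part of the original post: it parses the error lines and separates a placeholder certificate whose subject reports missing SNI from a hostname mismatch or an untrusted chain. The function names, the verdict labels and the embedded sample (constructed from the log lines quoted in the post) are assumptions of this example.

```python
import re

# Constructed sample: the fetchmail error lines quoted in the post above.
SAMPLE_LOG = """\
fetchmail: Server CommonName mismatch: invalid2.invalid != pop.gmail.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fetchmail: SSL connection failed.
"""

MISMATCH = re.compile(r"Server CommonName mismatch: (\S+) != (\S+)")
ANCHOR = re.compile(r"Missing trust anchor certificate: (/.+)$")
OSSL_ERR = re.compile(r"OpenSSL reported: error:([0-9A-Fa-f]+):")

def parse_dn(dn):
    """Split an OpenSSL one-line subject ('/OU=.../CN=...') into a dict."""
    # Split only on a '/' that starts a new 'KEY=' attribute, so values
    # containing ';' or '/' stay intact.
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn)
    return dict(p.split("=", 1) for p in parts if "=" in p)

def triage(log):
    """Summarise a fetchmail TLS failure and label the likely cause."""
    r = {"presented_cn": None, "expected_host": None, "subject": {},
         "openssl_error": None, "self_signed": False}
    for line in log.splitlines():
        if m := MISMATCH.search(line):
            r["presented_cn"], r["expected_host"] = m.groups()
        elif m := ANCHOR.search(line):
            r["subject"] = parse_dn(m.group(1))
        elif m := OSSL_ERR.search(line):
            r["openssl_error"] = m.group(1).upper()
        elif "self signed certificate" in line:
            r["self_signed"] = True
    # The certificate's own OU field is the strongest hint: check it first.
    if "no sni" in r["subject"].get("OU", "").lower():
        r["verdict"] = "placeholder-cert-no-sni"
    elif r["presented_cn"] and r["presented_cn"] != r["expected_host"]:
        r["verdict"] = "hostname-mismatch"
    elif r["self_signed"] or r["openssl_error"]:
        r["verdict"] = "untrusted-chain"
    else:
        r["verdict"] = "unknown"
    return r

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `placeholder-cert-no-sni` verdict means the certificate being rejected is not the one for the polled host, so the trust-store hints in fetchmail's message (`--sslcertpath`, `c_rehash`) are not the first thing to check.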