View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0017352||CentOS-7||gnutls||public||2020-05-10 19:07||2020-06-11 16:54|
|Summary||0017352: GnuTLS error: Internal error in memory allocation.|
|Description||GnuTLS can't establish a connection; dies with cryptic error.|
|Steps To Reproduce||$ rpm -q gnutls|
$ $ gnutls-cli -p 993 imap.mail.yahoo.com
Processed 154 CA certificate(s).
Connecting to '188.8.131.52:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate info:
- subject `C=US,ST=California,L=Sunnyvale,O=Oath Inc,CN=*.imap.mail.yahoo.com', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-02-01 00:00:00 UTC', expires `2020-07-30 12:00:00 UTC', SHA-1 fingerprint `f8047f0f60c4641f718353be7ddc31665b96b5c0'
Public Key ID:
Public key's random art:
+--[ RSA 2048]----+
| . . |
| o S + . |
| . = = + |
|* o = = o = |
| X * o + o + |
|E = . ..+.o.. |
- Certificate info:
- subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-22 12:00:00 UTC', expires `2028-10-22 12:00:00 UTC', SHA-1 fingerprint `a031c46782e6e6c662c2c87c76da9aa62ccabd8e'
- Status: The certificate is trusted.
- Successfully sent 0 certificate(s) to server.
*** Fatal error: Internal error in memory allocation.
*** Handshake has failed
GnuTLS error: Internal error in memory allocation.
|Additional Information||The same command works on Fedora 31 and 32. |
`openssl s_client -connect imap.mail.yahoo.com:993` succeeds.
This appeared when claws-mail (I compiled it myself) stopped connecting to Yahoo last week.
|Tags||No tags attached.|
Can you please file the bug at bugzilla.redhat.com ( and crosslink that bug with this one for easier tracking) ? CentOS is built from the sources published by RedHat and once they fix the problem , the fix will automatically be included in CentOS as well.
|Please note: The folks at RedHat are dragging their feet and do not want to fix the bug since their releases have a short lifespan, unlike CentOS. Someone at CentOS would need to simply replace the RHEL7 gnutls package with one created from the fixed sources.|
|That is not how CentOS works. We rebuild from the sources of RHEL, not from individuall sources. See first reply.|
|@hazyl: The aim of CentOS is to reproduce each and every possible feature from the equivalent RHEL distribution, bug for bug. So unfortunately there will be no such fix, unless it is found to be _extremely_ important, in which case it could be published via the centosplus repo. Traditionally this has happened very very rarely and I doubt CentOS will diverge this time.|
|@tigalch and @ManuelWolfshant: Yes, I am aware of how CentOS works. That being said, the bug prevents people from reading their email. That, from all practical points of view, qualifies as a serious bug. Since CentOS 7 still has plenty of service life left, while RHEL-7 does not, I would like to kindly suggest fixing the bug irrespective of RHEL.|
Unfortunately from RedHat's point of view GnuTLS seems to be a second class citizen as they favor openssl for almost everything. And since claws-mail is neither the only existing mail client nor provided by RedHat/Centos, I see zero chance of having another version of gnutls provided by CentOS. Especially as we cannot know which bugs or incompatibilities with other provided applications that might introduce and we cannot do that type of QA and regression testing.
Since you seem to already do some building, I suggest to build and use yourself a patched ( or newer ) GnuTLS. You could start from the source rpm provided by Fedora.
|CentOS 7 has exactly the same shelf life left as RHEL 7 does. It is a rebuild of the same sources so if RHEL 7 is unmaintained then so is CentOS. But it isn't, RHEL is maintained until 2024. And a serious bug is a security one marked as critical and allowing remote code execution or similar, not a "I can't read my email"|
|2020-05-10 19:07||szinger||New Issue|
|2020-05-11 00:13||ManuelWolfshant||Note Added: 0036912|
|2020-05-11 00:13||ManuelWolfshant||Status||new => confirmed|
|2020-05-11 00:14||ManuelWolfshant||Note Edited: 0036912|
|2020-05-20 15:36||szinger||Note Added: 0036969|
|2020-06-11 03:44||hazyl||Note Added: 0037069|
|2020-06-11 05:57||tigalch||Note Added: 0037070|
|2020-06-11 06:42||ManuelWolfshant||Note Added: 0037071|
|2020-06-11 13:57||hazyl||Note Added: 0037072|
|2020-06-11 16:30||ManuelWolfshant||Status||confirmed => closed|
|2020-06-11 16:30||ManuelWolfshant||Resolution||open => not fixable|
|2020-06-11 16:30||ManuelWolfshant||Note Added: 0037073|
|2020-06-11 16:54||TrevorH||Note Added: 0037074|