View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0017352CentOS-7gnutlspublic2020-05-10 19:072020-06-11 16:54
Reporterszinger Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionnot fixable 
Product Version7.8-2003 
Summary0017352: GnuTLS error: Internal error in memory allocation.
DescriptionGnuTLS can't establish a connection; dies with cryptic error.
Steps To Reproduce$ rpm -q gnutls
gnutls-3.3.29-9.el7_6.x86_64
$ $ gnutls-cli -p 993 imap.mail.yahoo.com
Processed 154 CA certificate(s).
Resolving 'imap.mail.yahoo.com'...
Connecting to '216.155.194.49:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,L=Sunnyvale,O=Oath Inc,CN=*.imap.mail.yahoo.com', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-02-01 00:00:00 UTC', expires `2020-07-30 12:00:00 UTC', SHA-1 fingerprint `f8047f0f60c4641f718353be7ddc31665b96b5c0'
    Public Key ID:
        ad5973ba0fac1faa34d80fc06b1eca7038331f8b
    Public key's random art:
        +--[ RSA 2048]----+
        | |
        | |
        | |
        | . . |
        | o S + . |
        | . = = + |
        |* o = = o = |
        | X * o + o + |
        |E = . ..+.o.. |
        +-----------------+

- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-22 12:00:00 UTC', expires `2028-10-22 12:00:00 UTC', SHA-1 fingerprint `a031c46782e6e6c662c2c87c76da9aa62ccabd8e'
- Status: The certificate is trusted.
- Successfully sent 0 certificate(s) to server.
*** Fatal error: Internal error in memory allocation.
*** Handshake has failed
GnuTLS error: Internal error in memory allocation.
Additional InformationThe same command works on Fedora 31 and 32.

`openssl s_client -connect imap.mail.yahoo.com:993` succeeds.

This appeared when claws-mail (I compiled it myself) stopped connecting to Yahoo last week.
TagsNo tags attached.
abrt_hash
URL

Activities

ManuelWolfshant

ManuelWolfshant

2020-05-11 00:13

manager   ~0036912

Last edited: 2020-05-11 00:14

 Can you please file the bug at bugzilla.redhat.com ( and crosslink that bug with this one for easier tracking) ? CentOS is built from the sources published by RedHat and once they fix the problem , the fix will automatically be included in CentOS as well.
szinger

szinger

2020-05-20 15:36

reporter   ~0036969

https://bugzilla.redhat.com/show_bug.cgi?id=1838187
hazyl

hazyl

2020-06-11 03:44

reporter   ~0037069

Please note: The folks at RedHat are dragging their feet and do not want to fix the bug since their releases have a short lifespan, unlike CentOS. Someone at CentOS would need to simply replace the RHEL7 gnutls package with one created from the fixed sources.
tigalch

tigalch

2020-06-11 05:57

manager   ~0037070

That is not how CentOS works. We rebuild from the sources of RHEL, not from individuall sources. See first reply.
ManuelWolfshant

ManuelWolfshant

2020-06-11 06:42

manager   ~0037071

@hazyl: The aim of CentOS is to reproduce each and every possible feature from the equivalent RHEL distribution, bug for bug. So unfortunately there will be no such fix, unless it is found to be _extremely_ important, in which case it could be published via the centosplus repo. Traditionally this has happened very very rarely and I doubt CentOS will diverge this time.
hazyl

hazyl

2020-06-11 13:57

reporter   ~0037072

@tigalch and @ManuelWolfshant: Yes, I am aware of how CentOS works. That being said, the bug prevents people from reading their email. That, from all practical points of view, qualifies as a serious bug. Since CentOS 7 still has plenty of service life left, while RHEL-7 does not, I would like to kindly suggest fixing the bug irrespective of RHEL.
ManuelWolfshant

ManuelWolfshant

2020-06-11 16:30

manager   ~0037073

Unfortunately from RedHat's point of view GnuTLS seems to be a second class citizen as they favor openssl for almost everything. And since claws-mail is neither the only existing mail client nor provided by RedHat/Centos, I see zero chance of having another version of gnutls provided by CentOS. Especially as we cannot know which bugs or incompatibilities with other provided applications that might introduce and we cannot do that type of QA and regression testing.
Since you seem to already do some building, I suggest to build and use yourself a patched ( or newer ) GnuTLS. You could start from the source rpm provided by Fedora.
TrevorH

TrevorH

2020-06-11 16:54

manager   ~0037074

CentOS 7 has exactly the same shelf life left as RHEL 7 does. It is a rebuild of the same sources so if RHEL 7 is unmaintained then so is CentOS. But it isn't, RHEL is maintained until 2024. And a serious bug is a security one marked as critical and allowing remote code execution or similar, not a "I can't read my email"

Issue History

Date Modified Username Field Change
2020-05-10 19:07 szinger New Issue
2020-05-11 00:13 ManuelWolfshant Note Added: 0036912
2020-05-11 00:13 ManuelWolfshant Status new => confirmed
2020-05-11 00:14 ManuelWolfshant Note Edited: 0036912
2020-05-20 15:36 szinger Note Added: 0036969
2020-06-11 03:44 hazyl Note Added: 0037069
2020-06-11 05:57 tigalch Note Added: 0037070
2020-06-11 06:42 ManuelWolfshant Note Added: 0037071
2020-06-11 13:57 hazyl Note Added: 0037072
2020-06-11 16:30 ManuelWolfshant Status confirmed => closed
2020-06-11 16:30 ManuelWolfshant Resolution open => not fixable
2020-06-11 16:30 ManuelWolfshant Note Added: 0037073
2020-06-11 16:54 TrevorH Note Added: 0037074