MacOS – SSL error with mbsync

macosssl

I installed isync[1] on my personal Macbook, which runs OSX 10.11. I used the exact same .mbsyncrc file I wrote for my Macbook at work.

The setup works fine on my work machine. However when using the mbsync command on the personal machine, I get the following output:

SSL error connecting imap.gmail.com (74.125.133.109:993):
error:00000014:lib(0):func(0):SSL lib

The work macbook runs a fresh install of OSX 10.11 and Homebrew. The personal one also runs OSX 10.11 and Homebrew, but has known several upgrades since 2013 (it was mountain lion at the time).

Are you aware of any difference between fresh installs and upgrades, that could lead to this kind of error?

Links

http://isync.sourceforge.net/

Best Answer

This is a certificate issue. In my .mbsyncrc, I included as CertificateFile the entire certificate chain (Gmail -> Google, Google -> GeoTrust, GeoTrust -> Equifax). This started intermittently throwing the error you're describing around the time I fixed the curl SSL issue.

To fix it, use only the Gmail certificate in your .mbsyncrc. If you're unsure which of the certificates is the Gmail one, run:

openssl s_client -connect imap.gmail.com:993 -showcerts 2>&1 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | head -n 27 > gmail.crt

and use the resulting gmail.crt file.

Generate a host key

First, make a home for the new SSL files. I use /etc/apache2/ssl. Open up a terminal window, cd to the new directory and issue the following command to create a host key file.

sudo ssh-keygen -f host.key

Generate a certificate request file

This command create a certificate request file. A certificate request file contains information about your organization that will be used in the SSL certificate.

sudo openssl req -new -key host.key -out request.csr

Create the SSL certificate

Create a self signed SSL certificate using the request file.

sudo openssl x509 -req -days 365 -in request.csr -signkey host.key -out server.crt

Configure Apache

Create a backup of /etc/apache2/httpd.conf.

Append the contents of /etc/apache2/extra/httpd-ssl.conf to /etc/apache2/httpd.conf.

In /etc/apache2/httpd.conf, make sure the loading of SSL is enabled (remove the #)

LoadModule ssl_module libexec/apache2/mod_ssl.so

Also, edit SSL section to use the new certificate.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/host.key

Check the config and restart Apache to try the new certificate.

sudo apachectl configtest
sudo apachectl restart

Thanks to the House of Ding and Matt Langtree for providing much of this solution.

Setting Safari SSL/TLS Cipher Suites

Unfortunately, AFAIK, this setting does not exist. (It doesn't exist in another WebKit browser, either: Google Chrome. You can do this in Firefox, though, using 'about:config'.)

About hard-coded cipher priorities/support for the SSL/TLS handshake:

I tested that Safari does not support 40-bit RC4 encryption with an MD5 hash. This means that it does not support some products that are required by US export law to use low (<64-bit) encryption.

Best Answer

Related Solutions

MacOS – Configuring SSL with Apache under Lion

Generate a host key

Generate a certificate request file

Create the SSL certificate

Configure Apache

Setting Safari SSL/TLS Cipher Suites

Related Question