From b72800944c4b81024d30c5395de1ff4565273463 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sat, 5 Jan 2019 00:00:10 +0100
Subject: [PATCH 01/15] fix formatting of uint in callback debug stubs amends bb632d1c.
---
 src/drv_proxy_gen.pl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/drv_proxy_gen.pl b/src/drv_proxy_gen.pl
index f2ef3fd..c7119a6 100755
--- a/src/drv_proxy_gen.pl
+++ b/src/drv_proxy_gen.pl
@@ -109,6 +109,7 @@ sub type_to_format($)
 {
 $_ = shift;
 s/xint /\%\#x/g;
+ s/uint /\%u/g;
 s/int /\%d/g;
 s/const char \*/\%s/g;
 return $_;
From a8f6eebdd9233f98fc5eaefb4c5a34c3c6696d7e Mon Sep 17 00:00:00 2001
From: Gergely Risko
Date: Tue, 5 Feb 2019 11:23:44 +0100
Subject: [PATCH 02/15] Work around useless SASL warnings Ater sasl_client_step() is called and the Cyrus SASL library forwards it to the client plugin, if the result value is OK (authentication succeeded), the clientout is filled out to be an empty string, even if the client plugin wanted to return NULL. To avoid that mbsync complains at this point, check the returned length instead of the pointer.
---
 src/drv_imap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 9e137cf..d92e218 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2073,7 +2073,7 @@ done_sasl_auth( imap_store_t *ctx, imap_cmd_t *cmd ATTR_UNUSED, int response )
 int rc = sasl_client_step( ctx->sasl, NULL, 0, &interact, &out, &out_len );
 if (process_sasl_step( ctx, rc, NULL, 0, interact, &out, &out_len ) < 0)
 warn( "Warning: SASL reported failure despite successful IMAP authentication. Ignoring...\n" );
- else if (out)
+ else if (out_len > 0)
 warn( "Warning: SASL wants more steps despite successful IMAP authentication. Ignoring...\n" );
 }
From d61f46203962712faa1c488f3dc0a656f7e59b23 Mon Sep 17 00:00:00 2001
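Review bot: The new `s/uint /\%u/g;` rule in type_to_format only works because it runs before `s/int /\%d/g;`, and nothing in the code says so. Since "uint " contains "int ", moving the line below the plain int rule would turn the result into "u%d" again. A comment above the substitutions would pin the ordering: `# longer type names first: "int " also matches inside "xint " and "uint "`.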
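Review bot: The switch from `out` to `out_len > 0` in done_sasl_auth has no comment, so the reason for testing the length lives only in the commit message. A line such as `/* Cyrus SASL may hand back an empty, non-NULL clientout on success, so test the length */` above the `else if` would keep a later cleanup from reverting to the pointer test. The check also relies on `out_len` holding a defined value whenever process_sasl_step() does not fail; that function and the declaration of `out_len` are outside the hunk, so this is worth confirming.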
From: Klemens Nanni
Date: Wed, 20 Feb 2019 19:19:58 +0100
Subject: [PATCH 03/15] Fix CopyArrivalDate on platforms without glibc strptime(3)'s "%d" day of the month conversion specifier does not accept leading blanks in case of single digit numbers. "%e" does that. While implementation details and differences between the two day-of-month conversion specifiers vary, none of the major libcs (incl. OpenBSD, FreeBSD, Illumos, musl) consume a leading blank for "%d" except glibc, which consumes any number of spaces like in the "%e" case. Using "%e" ensures that date strings like " 4-Mar-2018 16:49:25 -0500" are successfully parsed by all major implementations in compliance to X/Open Portability Guide Issue 4, Version 2 ("XPG4.2"). musl is now the only one that still treats "%d" and "%e" without stripping any space. Issue analysed and reported by Evan Silberman who found mbsync 1.3.0 on OpenBSD 6.4 to fail with `CopyArrivalDate' set when syncing mails with the above mentioned timestamp. See https://marc.info/?l=openbsd-tech&m=155044284526535 for details.
---
 src/drv_imap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
index d92e218..8a7e9be 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -949,7 +949,7 @@ parse_date( const char *str )
 struct tm datetime;
 memset( &datetime, 0, sizeof(datetime) );
- if (!(end = strptime( str, "%d-%b-%Y %H:%M:%S ", &datetime )))
+ if (!(end = strptime( str, "%e-%b-%Y %H:%M:%S ", &datetime )))
 return -1;
 if ((date = timegm( &datetime )) == -1)
 return -1;
From 702b6ec4a14504d04fe413351765814f0116fcea Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 10 Mar 2019 11:30:05 +0100
Subject: [PATCH 04/15] fix spacing in "SASL mechanism(s) not available" error message amends fdb03b91.
---
 src/drv_imap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 8a7e9be..361d01c 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
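Review bot: By the commit message's own account musl still does not strip a leading blank for either `%d` or `%e`, so parse_date keeps failing there for dates with a space-padded day. Skipping the padding before the call removes the dependence on libc behaviour: `while (*str == ' ') str++;` ahead of the `strptime()` line. The start and end of parse_date are outside the hunk.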
@@ -2174,7 +2174,7 @@ imap_open_store_authenticate2( imap_store_t *ctx )
 free( enc );
 return;
 notsasl:
- if (!ctx->sasl || sasl_listmech( ctx->sasl, NULL, "", "", "", &saslavail, NULL, NULL ) != SASL_OK)
+ if (!ctx->sasl || sasl_listmech( ctx->sasl, NULL, "", " ", "", &saslavail, NULL, NULL ) != SASL_OK)
 saslavail = "(none)"; /* EXTERNAL is always there anyway. */
 if (!auth_login) {
 error( "IMAP error: selected SASL mechanism(s) not available;\n"
From 2e515bf842ef1d637069d44b5f541ffef18a27ca Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Tue, 28 May 2019 15:44:55 +0200
Subject: [PATCH 05/15] make output of perl check more tidy amends c75001aa.
---
 configure.ac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index c901352..233901c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -18,14 +18,14 @@ fi
 need_perl=5.14
 AC_CACHE_CHECK([whether perl is recent enough], ob_cv_perl_ver, [
- if $PERL -e "use v$need_perl;"; then
+ if $PERL -e "use v$need_perl;" 2> /dev/null; then
 ob_cv_perl_ver=yes
 else
 ob_cv_perl_ver=no
 fi
 ])
 if test "x$ob_cv_perl_ver" = "xno"; then
- AC_MSG_ERROR([perl is too old])
+ AC_MSG_ERROR([perl is too old, need v$need_perl])
 fi
 AC_CACHE_CHECK([whether strftime supports %z], ob_cv_strftime_z,
From fbc432aace071b774ebfc62be5d17f3b070fc22e Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Tue, 28 May 2019 17:27:09 +0200
Subject: [PATCH 06/15] fix parsing of NIL hierarchy delimiters in IMAP LIST responses a server which does not support hierarchical mailboxes (e.g., seznam.cz as of oct 2018) can legitimately send NIL (rather than an empty string).
---
 src/drv_imap.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 361d01c..0f72c1a 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -1197,17 +1197,16 @@ parse_response_code( imap_store_t *ctx, imap_cmd_t *cmd, char *s )
 return RESP_OK;
 }
+static int parse_list_rsp_p1( imap_store_t *, list_t *, char * );
 static int parse_list_rsp_p2( imap_store_t *, list_t *, char * );
 static int
 parse_list_rsp( imap_store_t *ctx, list_t *list, char *cmd )
 {
- char *arg;
 list_t *lp;
 if (!is_list( list )) {
 free_list( list );
- bad_list:
 error( "IMAP error: malformed LIST response\n" );
 return LIST_BAD;
 }
@@ -1217,10 +1216,19 @@ parse_list_rsp( imap_store_t *ctx, list_t *list, char *cmd )
 return LIST_OK;
 }
 free_list( list );
- if (!(arg = next_arg( &cmd )))
- goto bad_list;
- if (!ctx->delimiter[0])
- ctx->delimiter[0] = arg[0];
+ return parse_list( ctx, cmd, parse_list_rsp_p1 );
+}
+
+static int
+parse_list_rsp_p1( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
+{
+ if (!is_opt_atom( list )) {
+ error( "IMAP error: malformed LIST response\n" );
+ free_list( list );
+ return LIST_BAD;
+ }
+ if (!ctx->delimiter[0] && is_atom( list ))
+ ctx->delimiter[0] = list->val[0];
 return parse_list( ctx, cmd, parse_list_rsp_p2 );
 }
From bf147987003678ae70c2c2ed5275ca4d75842990 Mon Sep 17 00:00:00 2001
From: Dmitry Torokhov
Date: Tue, 9 Jul 2019 11:51:21 -0700
Subject: [PATCH 07/15] Bump up PassCmd buffer size to 2KiB While ordinary passwords are rarely longer than 80 bytes, XOAUTH2 tokens easily exceed this limit. Let's bump it up to 2K to be really safe.
---
 src/drv_imap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 0f72c1a..a4959fb 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -1875,7 +1875,7 @@ ensure_password( imap_server_conf_t *srvc )
 if (cmd) {
 FILE *fp;
 int ret;
- char buffer[80];
+ char buffer[2048]; // Hopefully more than enough room for XOAUTH2, etc. tokens
 if (*cmd == '+') {
 flushn();
From 7607e53d56f9470ee221cd5b644dda829f54b005 Mon Sep 17 00:00:00 2001
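Review bot: parse_list_rsp_p1 releases `list` only on the malformed-response branch; on the success path it goes straight to `parse_list( ctx, cmd, parse_list_rsp_p2 )` without freeing it. Since the error branch calls `free_list( list )` itself, the callback appears to own the list, which would make this a leak on every well-formed LIST response. Adding `free_list( list );` after the delimiter assignment would close it. Separately, `cmd` is marked `ATTR_UNUSED` in the new signature although it is passed to parse_list(), so the attribute should be dropped.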
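Review bot: Enlarging `buffer` in ensure_password moves the limit but does not detect when it is hit, and the new comment itself only says "hopefully". The code that reads the PassCmd output is outside the hunk, but if it is a single bounded line read into `buffer`, a longer secret would presumably be truncated silently and then sent as a wrong credential. A check after the read, for example `if (!strchr( buffer, '\n' ) && !feof( fp ))` followed by an error, would make that case fail loudly instead.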
From: Caspar Schutijser
Date: Sun, 18 Aug 2019 10:38:48 +0200
Subject: [PATCH 08/15] Do not crash when using Tunnel in an IPv6-enabled build socket_connected() is also called on the tunnel pipe. amends 3ceb55310.
---
 src/socket.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/socket.c b/src/socket.c
index e3fda42..f1def1e 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -545,8 +545,10 @@ static void
 socket_connected( conn_t *conn )
 {
 #ifdef HAVE_IPV6
- freeaddrinfo( conn->addrs );
- conn->addrs = 0;
+ if (conn->addrs) {
+ freeaddrinfo( conn->addrs );
+ conn->addrs = 0;
+ }
 #endif
 conf_notifier( &conn->notify, 0, POLLIN );
 socket_expect_read( conn, 0 );
From 36062c5220cb73444a4a99dba0fbc4ba3c832815 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Tue, 10 Sep 2019 13:00:18 +0200
Subject: [PATCH 09/15] wording fixes in mbsync.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
inspired by Ulrich Ölmann .
---
 src/mbsync.1 | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/mbsync.1 b/src/mbsync.1
index d7bd945..883fc4f 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -267,7 +267,7 @@ with DOS/Windows file systems.
 .TP
 \fBSubFolders\fR \fBVerbatim\fR|\fBMaildir++\fR|\fBLegacy\fR
 The on-disk folder naming style used for hierarchical mailboxes.
-This has option has no effect when \fBFlatten\fR is used.
+This option has no effect when \fBFlatten\fR is used.
 .br
 Suppose mailboxes with the canonical paths \fBtop/sub/subsub\fR and \fBINBOX/sub/subsub\fR, the styles will yield the following on-disk paths:
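Review bot: The new `if (conn->addrs)` guard in socket_connected has no comment saying when `addrs` is unset. The commit message explains it (the function is also called for the Tunnel pipe), but a reader of the code sees only a null check. Suggest `/* no address list when the connection is a Tunnel pipe */` above the guard.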
@@ -601,12 +601,13 @@ which in turn are overridden by command line switches.
 ..
 .TP
 \fBSyncState\fR {\fB*\fR|\fIpath\fR}
-Set the location of this Channel's synchronization state files. \fB*\fR means
-that the state should be saved in a file named .mbsyncstate in the
-Slave mailbox itself; this has the advantage that you needn't to care for the
-state file if you delete the mailbox, but it works only with Maildir mailboxes,
-obviously. Otherwise this is interpreted as a string to prepend to the Slave
-mailbox name to make up a complete path.
+Set the location of this Channel's synchronization state files.
+\fB*\fR means that the state should be saved in a file named .mbsyncstate
+in the Slave mailbox itself; this has the advantage that you do not need
+to handle the state file separately if you delete the mailbox, but it works
+only with Maildir mailboxes, obviously.
+Otherwise this is interpreted as a string to prepend to the Slave mailbox
+name to make up a complete path.
 .br
 This option can be used outside any section for a global effect. In this case the appended string is made up according to the pattern
From 8959c6b791676a77b6432e5090490730020471e2 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Tue, 10 Sep 2019 13:14:43 +0200
Subject: [PATCH 10/15] fix libcrypto detection in openssl 1.1+ without pkg-config CRYPTO_lock() was removed. test for X509_cmp() instead, which we actually use. inspired by report from FX .
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 233901c..66ce71a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -94,7 +94,7 @@ if test "x$ob_cv_with_ssl" != xno; then
 sav_LDFLAGS=$LDFLAGS
 LDFLAGS="$LDFLAGS $SSL_LDFLAGS"
 AC_CHECK_LIB(dl, dlopen, [LIBDL=-ldl])
- AC_CHECK_LIB(crypto, CRYPTO_lock, [LIBCRYPTO=-lcrypto])
+ AC_CHECK_LIB(crypto, X509_cmp, [LIBCRYPTO=-lcrypto])
 AC_CHECK_LIB(ssl, SSL_connect, [SSL_LIBS="-lssl $LIBCRYPTO $LIBDL" have_ssl_paths=yes])
 LDFLAGS=$sav_LDFLAGS
From f63e4338e8e3984f9726c94988b948590431f538 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 28 Jul 2019 11:46:43 +0200
Subject: [PATCH 11/15] fix leak of openssl X509 objects SSL_get_peer_certificate() increments the refcount of the object.
---
 src/socket.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/socket.c b/src/socket.c
index f1def1e..2e9ae72 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -176,22 +176,29 @@ verify_cert_host( const server_conf_t *conf, conn_t *sock )
 trusted = (STACK_OF(X509_OBJECT) *)sock->conf->trusted_certs;
 for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) {
- if (!X509_cmp( cert, X509_OBJECT_get0_X509( sk_X509_OBJECT_value( trusted, i ) ) ))
+ if (!X509_cmp( cert, X509_OBJECT_get0_X509( sk_X509_OBJECT_value( trusted, i ) ) )) {
+ X509_free( cert );
 return 0;
+ }
 }
 err = SSL_get_verify_result( sock->ssl );
 if (err != X509_V_OK) {
 error( "SSL error connecting %s: %s\n", sock->name, X509_verify_cert_error_string( err ) );
+ X509_free( cert );
 return -1;
 }
 if (!conf->host) {
 error( "SSL error connecting %s: Neither host nor matching certificate specified\n", sock->name );
+ X509_free( cert );
 return -1;
 }
- return verify_hostname( cert, conf->host );
+ int ret = verify_hostname( cert, conf->host );
+
+ X509_free( cert );
+ return ret;
 }
 static int
From 91abf2b83082f60c1d36e09d3a7078463b8c9e56 Mon Sep 17 00:00:00 2001
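Review bot: verify_cert_host now repeats `X509_free( cert )` on four separate return paths, so the next early return added to this certificate check can reintroduce the leak. A single exit is less fragile: each branch sets `ret` and does `goto out;`, with `out: X509_free( cert ); return ret;` at the end of the function. That needs `ret` declared with the other locals; the start of verify_cert_host, where `cert` is obtained, is outside the hunk.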
From: Oswald Buddenhagen
Date: Sun, 28 Jul 2019 12:02:30 +0200
Subject: [PATCH 12/15] modernize ssl context init with openssl 1.1+, use TLS_client_method() instead of the deprecated SSLv23_client_method().
---
 src/socket.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/socket.c b/src/socket.c
index 2e9ae72..eae3b74 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -210,7 +210,12 @@ init_ssl_ctx( const server_conf_t *conf )
 if (conf->SSLContext)
 return conf->ssl_ctx_valid;
- mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() );
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const SSL_METHOD *method = TLS_client_method();
+#else
+ const SSL_METHOD *method = SSLv23_client_method();
+#endif
+ mconf->SSLContext = SSL_CTX_new( method );
 if (!(conf->ssl_versions & SSLv3))
 options |= SSL_OP_NO_SSLv3;
From 5f908b7672d2975d72638c5d22a186d4e2163d21 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 28 Jul 2019 11:35:02 +0200
Subject: [PATCH 13/15] attempt to improve ssl error handling (again) the error queue may contain multiple errors, so make sure to drain it completely. also, don't try to fall back to errno in case of SSL_ERROR_SSL.
---
 src/common.h | 1 +
 src/socket.c | 67 ++++++++++++++++++++++++++++++++++++----------
 2 files changed, 48 insertions(+), 20 deletions(-)
diff --git a/src/common.h b/src/common.h
index c731126..d45929c 100644
--- a/src/common.h
+++ b/src/common.h
@@ -33,6 +33,7 @@
 typedef unsigned char uchar;
 typedef unsigned short ushort;
 typedef unsigned int uint;
+typedef unsigned long ulong;
 #define as(ar) (sizeof(ar)/sizeof(ar[0]))
diff --git a/src/socket.c b/src/socket.c
index eae3b74..7354c6f 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -63,6 +63,34 @@ socket_fail( conn_t *conn )
 }
 #ifdef HAVE_LIBSSL
+static void ATTR_PRINTFLIKE(1, 2)
+print_ssl_errors( const char *fmt, ... )
+{
+ char *action;
+ va_list va;
+ ulong err;
+
+ va_start( va, fmt );
+ nfvasprintf( &action, fmt, va );
+ va_end( va );
+ while ((err = ERR_get_error()))
+ error( "Error while %s: %s\n", action, ERR_error_string( err, 0 ) );
+ free( action );
+}
+
+static int
+print_ssl_socket_errors( const char *func, conn_t *conn )
+{
+ ulong err;
+ int num = 0;
+
+ while ((err = ERR_get_error())) {
+ error( "Socket error: secure %s %s: %s\n", func, conn->name, ERR_error_string( err, 0 ) );
+ num++;
+ }
+ return num;
+}
+
 static int
 ssl_return( const char *func, conn_t *conn, int ret )
 {
@@ -76,20 +104,20 @@ ssl_return( const char *func, conn_t *conn, int ret )
 FALLTHROUGH
 case SSL_ERROR_WANT_READ:
 return 0;
- case SSL_ERROR_SYSCALL:
 case SSL_ERROR_SSL:
- if (!(err = ERR_get_error())) {
- if (ret == 0) {
+ print_ssl_socket_errors( func, conn );
+ break;
+ case SSL_ERROR_SYSCALL:
+ if (print_ssl_socket_errors( func, conn ))
+ break;
+ if (ret == 0) {
 case SSL_ERROR_ZERO_RETURN:
- /* Callers take the short path out, so signal higher layers from here. */
- conn->state = SCK_EOF;
- conn->read_callback( conn->callback_aux );
- return -1;
- }
- sys_error( "Socket error: secure %s %s", func, conn->name );
- } else {
- error( "Socket error: secure %s %s: %s\n", func, conn->name, ERR_error_string( err, 0 ) );
+ /* Callers take the short path out, so signal higher layers from here. */
+ conn->state = SCK_EOF;
+ conn->read_callback( conn->callback_aux );
+ return -1;
 }
+ sys_error( "Socket error: secure %s %s", func, conn->name );
 break;
 default:
 error( "Socket error: secure %s %s: unhandled SSL error %d\n", func, conn->name, err );
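Review bot: print_ssl_errors() prints nothing when the OpenSSL error queue is empty, so a failing call that queued no error is now reported with no message at all. The `error( ... ERR_error_string( ERR_get_error(), 0 ) )` calls it replaces in init_ssl_ctx always printed one line. The `SSL_ERROR_SSL` branch of ssl_return in the next hunk has the same gap, because it ignores the count returned by print_ssl_socket_errors(). Emitting a generic line when the first `ERR_get_error()` returns 0 keeps every TLS setup failure visible in the log.

```c
	// … unchanged: action is formatted from fmt with nfvasprintf() …
	if (!(err = ERR_get_error())) {
		error( "Error while %s: no error details available\n", action );
	} else {
		do
			error( "Error while %s: %s\n", action, ERR_error_string( err, 0 ) );
		while ((err = ERR_get_error()));
	}
	free( action );
```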
@@ -233,25 +261,24 @@ init_ssl_ctx( const server_conf_t *conf )
 SSL_CTX_set_options( mconf->SSLContext, options );
 if (conf->cert_file && !SSL_CTX_load_verify_locations( mconf->SSLContext, conf->cert_file, 0 )) {
- error( "Error while loading certificate file '%s': %s\n",
- conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) );
+ print_ssl_errors( "loading certificate file '%s'", conf->cert_file );
 return 0;
 }
 mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( X509_STORE_get0_objects( SSL_CTX_get_cert_store( mconf->SSLContext ) ) );
- if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
- warn( "Warning: Unable to load default certificate files: %s\n",
- ERR_error_string( ERR_get_error(), 0 ) );
+ if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext )) {
+ ulong err;
+ while ((err = ERR_get_error()))
+ warn( "Warning: Unable to load default certificate files: %s\n", ERR_error_string( err, 0 ) );
+ }
 SSL_CTX_set_verify( mconf->SSLContext, SSL_VERIFY_NONE, NULL );
 if (conf->client_certfile && !SSL_CTX_use_certificate_chain_file( mconf->SSLContext, conf->client_certfile)) {
- error( "Error while loading client certificate file '%s': %s\n",
- conf->client_certfile, ERR_error_string( ERR_get_error(), 0 ) );
+ print_ssl_errors( "loading client certificate file '%s'", conf->client_certfile );
 return 0;
 }
 if (conf->client_keyfile && !SSL_CTX_use_PrivateKey_file( mconf->SSLContext, conf->client_keyfile, SSL_FILETYPE_PEM)) {
- error( "Error while loading client private key '%s': %s\n",
- conf->client_keyfile, ERR_error_string( ERR_get_error(), 0 ) );
+ print_ssl_errors( "loading client private key '%s'", conf->client_keyfile );
 return 0;
 }
From 6a874b5877e5e0b211f844daa5148b372bde801e Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 28 Jul 2019 12:11:48 +0200
Subject: [PATCH 14/15] error-check more openssl function calls
---
 src/socket.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/socket.c b/src/socket.c
index 7354c6f..083d274 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -243,7 +243,10 @@ init_ssl_ctx( const server_conf_t *conf )
 #else
 const SSL_METHOD *method = SSLv23_client_method();
 #endif
- mconf->SSLContext = SSL_CTX_new( method );
+ if (!(mconf->SSLContext = SSL_CTX_new( method ))) {
+ print_ssl_errors( "initializing SSL context" );
+ return 0;
+ }
 if (!(conf->ssl_versions & SSLv3))
 options |= SSL_OP_NO_SSLv3;
@@ -309,10 +312,18 @@ socket_start_tls( conn_t *conn, void (*cb)( int ok, void *aux ) )
 }
 init_wakeup( &conn->ssl_fake, ssl_fake_cb, conn );
- conn->ssl = SSL_new( ((server_conf_t *)conn->conf)->SSLContext );
+ if (!(conn->ssl = SSL_new( ((server_conf_t *)conn->conf)->SSLContext ))) {
+ print_ssl_errors( "initializing SSL connection" );
+ start_tls_p3( conn, 0 );
+ return;
+ }
 if (ssl_return( "set server name", conn, SSL_set_tlsext_host_name( conn->ssl, conn->conf->host ) ) < 0)
 return;
- SSL_set_fd( conn->ssl, conn->fd );
+ if (!SSL_set_fd( conn->ssl, conn->fd )) {
+ print_ssl_errors( "setting SSL socket fd" );
+ start_tls_p3( conn, 0 );
+ return;
+ }
 SSL_set_mode( conn->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER );
 socket_expect_read( conn, 1 );
 conn->state = SCK_STARTTLS;
From d0a8551703ee77b09820e359f2229476cb1dd038 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 28 Jul 2019 13:33:12 +0200
Subject: [PATCH 15/15] fix error handling of SSL_set_tlsext_host_name() it is not one of the functions to be checked with SSL_get_error(). amends 17babc169.
---
 src/socket.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/socket.c b/src/socket.c
index 083d274..950c956 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -317,8 +317,11 @@ socket_start_tls( conn_t *conn, void (*cb)( int ok, void *aux ) )
 start_tls_p3( conn, 0 );
 return;
 }
- if (ssl_return( "set server name", conn, SSL_set_tlsext_host_name( conn->ssl, conn->conf->host ) ) < 0)
+ if (!SSL_set_tlsext_host_name( conn->ssl, conn->conf->host )) {
+ print_ssl_errors( "setting SSL server host name" );
+ start_tls_p3( conn, 0 );
 return;
+ }
 if (!SSL_set_fd( conn->ssl, conn->fd )) {
 print_ssl_errors( "setting SSL socket fd" );
 start_tls_p3( conn, 0 );