Hi, On Thu, Aug 31, 2017 at 12:47PM, ael wrote: > As reported on the mailing list, offlineimap can no longer > connect to the large number of insecure imap servers which still > use TLS 1.0 or TLS 1.2, over which users have no control. > This was the result of Kurt Roecke disabling those protocols > in the Debian openssl packages. > > He has now released version openssl (1.1.0f-5) which now allows > those protocols to be used in restricted circumstances. From the > changelog comment: > > "Instead of completly disabling TLS 1.0 and 1.1, just set the minimum > version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by > calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version()" > > So the Debian package must now call those procedures to enable > connection to many imap servers. > > As far as I have seen, Kurt did not comment about this on the > offlineimap thread, so this is my interpretation of what is required. > In any case, offlineiamp 7.1.2+dfsg1-2 is currently failing to connect > with the message as before > > OpenSSL responded: > [SSL: VERSION_TOO_LOW] version too low (_ssl.c:661) > *** Finished account 'ntlspam' in 0:00
If I understand correctly, you tested the above with the latest openssl (1.1.0f-5), is that right? If so, could you please try and set the `ssl_version` in offlineimap.conf file to tls1_1 or tls1, accordingly? This should force offlineimap to use the specified version. -- Ilias
