Bug#707252: Unable to connect to certain IMAPS servers requiring SSL3

2013-07-09 Thread Ryan Kavanagh
Hi,

On Sun, Jul 07, 2013 at 05:29:27PM -0400, Ryan Kavanagh wrote:
> The attached patch appears to fix the bug; I've forwarded[0] it
> upstream.

The patch I submitted contained a bug, upstream has applied a corrected
version. See the attached patch.

Best wishes,
Ryan

-- 
|_)|_/  Ryan Kavanagh   | Debian Developer
| \| \  http://ryanak.ca/   | GPG Key 4A11C97A
From 2bacdb7fa3cc203cef69da0dee247c21b06e69da Mon Sep 17 00:00:00 2001
From: Ryan Kavanagh r...@debian.org
Date: Sun, 7 Jul 2013 17:18:59 -0400
Subject: [PATCH] Allow setting IMAP servers' SSL version

We now allow setting the SSL version used when connecting to IMAPS servers, and
do so via the `ssl_version` configuration option. We default to the current
practice (letting python's ssl library automatically detect the correct
version). There are however rare cases where one must specify the version to
use.

Signed-off-by: Ryan Kavanagh r...@debian.org
---
 offlineimap.conf   |  7 +++
 offlineimap/imaplib2.py| 29 +++--
 offlineimap/imapserver.py  |  2 ++
 offlineimap/repository/IMAP.py |  3 +++
 4 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/offlineimap.conf b/offlineimap.conf
index fccceab..fabb52b 100644
--- a/offlineimap.conf
+++ b/offlineimap.conf
@@ -325,6 +325,13 @@ ssl = yes
 
 #cert_fingerprint = SHA1_of_server_certificate_here
 
+# SSL version (optional)
+# It is best to leave this unset, in which case the correct version will be
+# automatically detected. In rare cases, it may be necessary to specify a
+# particular version from: tls1, ssl2, ssl3, ssl23 (SSLv2 or SSLv3)
+
+# sslversion = ssl23
+
 # Specify the port.  If not specified, use a default port.
 # remoteport = 993
 
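Review bot: The example line `# sslversion = ssl23` names the option `sslversion`, while the commit message calls it `ssl_version`; one of the two should change so users can find the right key. The comment also glosses ssl23 as "(SSLv2 or SSLv3)", but Python's PROTOCOL_SSLv23 negotiates the highest version both ends support, TLS included, so I would reword that and state that choosing ssl2 or ssl3 pins the connection to that protocol and gives up negotiation of anything newer.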
diff --git a/offlineimap/imaplib2.py b/offlineimap/imaplib2.py
index 8138d6c..b7e0d22 100644
--- a/offlineimap/imaplib2.py
+++ b/offlineimap/imaplib2.py
@@ -39,7 +39,8 @@ Timeout handling further improved by Ethan Glasser-Camp gla...@cs.rpi.edu Dece
 Time2Internaldate() patch to match RFC2060 specification of English month names from bugs.python.org/issue11024 March 2011.
 starttls() bug fixed with the help of Sebastian Spaeth sebast...@sspaeth.de April 2011.
 Threads now set the daemon flag (suggested by offlineimap-project) April 2011.
-Single quoting introduced with the help of Vladimir Marek vladimir.ma...@oracle.com August 2011.
+Single quoting introduced with the help of Vladimir Marek vladimir.ma...@oracle.com August 2011.
+Support for specifying SSL version by Ryan Kavanagh r...@debian.org July 2013.
 __author__ = Piers Lauder pi...@janeelix.com
 __URL__ = http://imaplib2.sourceforge.net;
 __license__ = Python License
@@ -460,7 +461,20 @@ class IMAP4(object):
 cert_reqs = ssl.CERT_REQUIRED
 else:
 cert_reqs = ssl.CERT_NONE
-self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs)
+
+if self.ssl_version == tls1:
+ssl_version = ssl.PROTOCOL_TLSv1
+elif self.ssl_version == ssl2:
+ssl_version = ssl.PROTOCOL_SSLv2
+elif self.ssl_version == ssl3:
+ssl_version = ssl.PROTOCOL_SSLv3
+elif self.ssl_version == ssl23 or self.ssl_version is None:
+ssl_version = ssl.PROTOCOL_SSLv23
+else:
+raise socket.sslerror(Invalid SSL version requested: %s,
+self.ssl_version)
+
+self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
 ssl_exc = ssl.SSLError
 self.read_fd = self.sock.fileno()
 except ImportError:
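Review bot: In the `else` branch, `raise socket.sslerror(...)` passes the message and `self.ssl_version` as two separate arguments, so the `%s` is never filled in; interpolate with `% self.ssl_version` instead. Separately, `ssl.PROTOCOL_SSLv2` is not defined in Python builds whose OpenSSL lacks SSLv2, so selecting ssl2 there would fail with an AttributeError rather than this error; a `getattr` lookup with a clear message would cover that case.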
@@ -1040,8 +1054,8 @@ class IMAP4(object):
 return self._simple_command(name, sort_criteria, charset, *search_criteria, **kw)
 
 
-def starttls(self, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, **kw):
-(typ, [data]) = starttls(keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None)
+def starttls(self, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, ssl_version=ssl23, **kw):
+(typ, [data]) = starttls(keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, ssl_version=ssl23)
 Start TLS negotiation as per RFC 2595.
 
 name = 'STARTTLS'
@@ -1076,6 +1090,7 @@ class IMAP4(object):
 self.certfile = certfile
 self.ca_certs = ca_certs
 self.cert_verify_cb = cert_verify_cb
+self.ssl_version = ssl_version
 
 try:
 self.ssl_wrap_socket()
@@ -1972,7 +1987,7 @@ class IMAP4_SSL(IMAP4):
 IMAP4 client class over SSL connection
 
 Instantiate with:
-IMAP4_SSL(host=None, port=None, keyfile=None, certfile=None, debug=None, debug_file=None, identifier=None, timeout=None)
+IMAP4_SSL(host=None, port=None, keyfile=None, certfile=None, 

Bug#707252: Unable to connect to certain IMAPS servers requiring SSL3

2013-07-09 Thread Dmitrijs Ledkovs
On 10 July 2013 02:10, Ryan Kavanagh r...@debian.org wrote:
> Hi,
>
> On Sun, Jul 07, 2013 at 05:29:27PM -0400, Ryan Kavanagh wrote:
>> The attached patch appears to fix the bug; I've forwarded[0] it
>> upstream.
>
> The patch I submitted contained a bug, upstream has applied a corrected
> version. See the attached patch.

upstream, as in me ;-)

I will make a new upstream rc release and push that into unstable.

Regards,

Dmitrijs.





Bug#707252: Unable to connect to certain IMAPS servers requiring SSL3

2013-07-07 Thread Ryan Kavanagh
tags 707252 + patch
thanks

The attached patch appears to fix the bug; I've forwarded[0] it
upstream.

Best wishes,
Ryan

[0] https://github.com/OfflineIMAP/offlineimap/pull/42

-- 
|_)|_/  Ryan Kavanagh   | Debian Developer
| \| \  http://ryanak.ca/   | GPG Key 4A11C97A
From 58ad7d238971d2f55089c37a5f2621e264cd3752 Mon Sep 17 00:00:00 2001
From: Ryan Kavanagh r...@debian.org
Date: Sun, 7 Jul 2013 17:18:59 -0400
Subject: [PATCH] Allow setting IMAP servers' SSL version

We now allow setting the SSL version used when connecting to IMAPS servers, and
do so via the `ssl_version` configuration option. We default to the current
practice (letting python's ssl library automatically detect the correct
version). There are however rare cases where one must specify the version to
use.

Signed-off-by: Ryan Kavanagh r...@debian.org
---
 offlineimap.conf   |  7 +++
 offlineimap/imaplib2.py| 26 +-
 offlineimap/imapserver.py  |  2 ++
 offlineimap/repository/IMAP.py |  3 +++
 4 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/offlineimap.conf b/offlineimap.conf
index fccceab..fabb52b 100644
--- a/offlineimap.conf
+++ b/offlineimap.conf
@@ -325,6 +325,13 @@ ssl = yes
 
 #cert_fingerprint = SHA1_of_server_certificate_here
 
+# SSL version (optional)
+# It is best to leave this unset, in which case the correct version will be
+# automatically detected. In rare cases, it may be necessary to specify a
+# particular version from: tls1, ssl2, ssl3, ssl23 (SSLv2 or SSLv3)
+
+# sslversion = ssl23
+
 # Specify the port.  If not specified, use a default port.
 # remoteport = 993
 
diff --git a/offlineimap/imaplib2.py b/offlineimap/imaplib2.py
index 8138d6c..2ad873a 100644
--- a/offlineimap/imaplib2.py
+++ b/offlineimap/imaplib2.py
@@ -460,7 +460,20 @@ class IMAP4(object):
 cert_reqs = ssl.CERT_REQUIRED
 else:
 cert_reqs = ssl.CERT_NONE
-self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs)
+
+if self.ssl_version == tls1:
+ssl_version = ssl.PROTOCOL_TLSv1
+elif self.ssl_version == ssl2:
+ssl_version = ssl.PROTOCOL_SSLv2
+elif self.ssl_version == ssl3:
+ssl_version = ssl.PROTOCOL_SSLv3
+elif self.ssl_version == ssl23:
+ssl_version = ssl.PROTOCOL_SSLv23
+else:
+raise socket.sslerror(Invalid SSL version requested: %s,
+self.ssl_version)
+
+self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
 ssl_exc = ssl.SSLError
 self.read_fd = self.sock.fileno()
 except ImportError:
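Review bot: The chain accepts only the four strings, so at `elif self.ssl_version == ssl23:` a connection whose `ssl_version` was never set (None) falls through to the `else` and raises instead of auto-negotiating, which contradicts the commit message's promise to keep the current default. Treat None like ssl23, as the later revision of this patch on this page does with `or self.ssl_version is None`.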
@@ -1040,8 +1053,8 @@ class IMAP4(object):
 return self._simple_command(name, sort_criteria, charset, *search_criteria, **kw)
 
 
-def starttls(self, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, **kw):
-(typ, [data]) = starttls(keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None)
+def starttls(self, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, ssl_version=ssl23, **kw):
+(typ, [data]) = starttls(keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, ssl_version=ssl23)
 Start TLS negotiation as per RFC 2595.
 
 name = 'STARTTLS'
@@ -1076,6 +1089,7 @@ class IMAP4(object):
 self.certfile = certfile
 self.ca_certs = ca_certs
 self.cert_verify_cb = cert_verify_cb
+self.ssl_version = ssl_version
 
 try:
 self.ssl_wrap_socket()
@@ -1972,7 +1986,7 @@ class IMAP4_SSL(IMAP4):
 IMAP4 client class over SSL connection
 
 Instantiate with:
-IMAP4_SSL(host=None, port=None, keyfile=None, certfile=None, debug=None, debug_file=None, identifier=None, timeout=None)
+IMAP4_SSL(host=None, port=None, keyfile=None, certfile=None, ssl_version=ssl23, debug=None, debug_file=None, identifier=None, timeout=None)
 
 host   - host's name (default: localhost);
 port   - port number (default: standard IMAP4 SSL port);
@@ -1980,6 +1994,7 @@ class IMAP4_SSL(IMAP4):
 certfile   - PEM formatted certificate chain file (default: None);
 ca_certs   - PEM formatted certificate chain file used to validate server certificates (default: None);
 cert_verify_cb - function to verify authenticity of server certificates (default: None);
+ssl_version- SSL version to use (default: ssl23, choose from: tls1,ssl2,ssl3,ssl23);
 debug  - debug level (default: 0 - no debug);
 debug_file - debug stream (default: sys.stderr);
 identifier - thread identifier prefix (default: host);
@@ -1990,11 +2005,12 @@ class IMAP4_SSL(IMAP4):
 
 
 
-def 

Bug#707252: Unable to connect to certain IMAPS servers requiring SSL3

2013-05-08 Thread Ryan Kavanagh
Package: offlineimap
Version: 6.5.4-2
Severity: normal

Certain IMAPS servers require openssl to be invoked with the '-ssl3' flag.
For example, MIT's Exchange servers require the -ssl3 flag in order to
connect, e.g.,

(echo 001 capability ; sleep 1) | openssl s_client -crlf -ssl3 -connect \
imap.exchange.mit.edu:imaps

without which the connection hangs because it receives no response. Because of
this, offlineimap hangs when trying to download mail:

-- BEGIN TRACE --
% offlineimap -a MIT -o -d ALL -1
OfflineIMAP 6.5.4
  Licensed under the GNU GPL v2+ (v2 or any later version)
Debug mode: Forcing to singlethreaded.
Now debugging for imap: IMAP protocol debugging
Now debugging for maildir: Maildir repository debugging
Now debugging for thread: Threading debugging
Now debugging for : Other offlineimap related sync messages
Account sync MIT:
 [thread]: Register new thread 'Account sync MIT' (account 'MIT')
 *** Processing account MIT
 Establishing connection to imap.exchange.mit.edu:993
 [imap]:   34:11.70 Account sync MIT imaplib2 version 2.33
 [imap]:   34:11.70 Account sync MIT imaplib2 debug level 5, buffer level 3
 ERROR: While attempting to sync account 'MIT'
  [Errno 104] Connection reset by peer
 ['  File /usr/lib/python2.7/dist-packages/offlineimap/accounts.py, line 234, 
in syncrunner\nself.sync()\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/accounts.py, line 290, in sync\n 
   remoterepos.getfolders()\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/repository/IMAP.py, line 268, in 
getfolders\nimapobj = self.imapserver.acquireconnection()\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/imapserver.py, line 215, in 
acquireconnection\nfingerprint=fingerprint\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/imaplibutil.py, line 142, in 
__init__\nsuper(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)\n', '  
File /usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 1998, in 
__init__\nIMAP4.__init__(self, host, port, debug, debug_file, identifier, 
timeout, debug_buf_lvl)\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 329, in 
__init__\nself.open(host, port)\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/imaplibutil.py, line 145, in 
open\nsuper(WrappedIMAP4_SSL, self).open(host, port)\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 2011, in 
open\nself.ssl_wrap_socket()\n', '  File 
/usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 463, in 
ssl_wrap_socket\nself.sock = ssl.wrap_socket(self.sock, self.keyfile, 
self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs)\n', '  File 
/usr/lib/python2.7/ssl.py, line 381, in wrap_socket\nciphers=ciphers)\n', 
'  File /usr/lib/python2.7/ssl.py, line 143, in __init__\n
self.do_handshake()\n', '  File /usr/lib/python2.7/ssl.py, line 305, in 
do_handshake\nself._sslobj.do_handshake()\n']
 *** Finished account 'MIT' in 1:00
 ERROR: Exceptions occurred during the run!
 ERROR: While attempting to sync account 'MIT'
  [Errno 104] Connection reset by peer
 
Traceback:
  File /usr/lib/python2.7/dist-packages/offlineimap/accounts.py, line 234, in 
syncrunner
self.sync()
  File /usr/lib/python2.7/dist-packages/offlineimap/accounts.py, line 290, in 
sync
remoterepos.getfolders()
  File /usr/lib/python2.7/dist-packages/offlineimap/repository/IMAP.py, line 
268, in getfolders
imapobj = self.imapserver.acquireconnection()
  File /usr/lib/python2.7/dist-packages/offlineimap/imapserver.py, line 215, 
in acquireconnection
fingerprint=fingerprint
  File /usr/lib/python2.7/dist-packages/offlineimap/imaplibutil.py, line 142, 
in __init__
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
  File /usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 1998, 
in __init__
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, 
debug_buf_lvl)
  File /usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 329, in 
__init__
self.open(host, port)
  File /usr/lib/python2.7/dist-packages/offlineimap/imaplibutil.py, line 145, 
in open
super(WrappedIMAP4_SSL, self).open(host, port)
  File /usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 2011, 
in open
self.ssl_wrap_socket()
  File /usr/lib/python2.7/dist-packages/offlineimap/imaplib2.py, line 463, in 
ssl_wrap_socket
self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, 
ca_certs=self.ca_certs, cert_reqs=cert_reqs)
  File /usr/lib/python2.7/ssl.py, line 381, in wrap_socket
ciphers=ciphers)
  File /usr/lib/python2.7/ssl.py, line 143, in __init__
self.do_handshake()
  File /usr/lib/python2.7/ssl.py, line 305, in do_handshake
self._sslobj.do_handshake()
-- END TRACE --

Best wishes,
Ryan

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
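
As an added example (not code from the patches above or from OfflineIMAP), here is one way to write the version lookup the patches introduce so that an unset option, an unknown value, and a protocol constant missing from the local Python/OpenSSL build are each handled explicitly. The function names `resolve_ssl_version` and `supported_versions` are hypothetical.

```python
import ssl

# Config values accepted by the patch, mapped to the names of the ssl-module
# constants it uses. The names are resolved lazily because a Python/OpenSSL
# build may omit some of them (PROTOCOL_SSLv2 is absent when OpenSSL was
# built without SSLv2 support).
_PROTOCOL_NAMES = {
    "tls1": "PROTOCOL_TLSv1",
    "ssl2": "PROTOCOL_SSLv2",
    "ssl3": "PROTOCOL_SSLv3",
    "ssl23": "PROTOCOL_SSLv23",
}


def supported_versions():
    """Return the config values this interpreter can actually honour."""
    return sorted(k for k, v in _PROTOCOL_NAMES.items() if hasattr(ssl, v))


def resolve_ssl_version(value):
    """Map an `sslversion` config value to an ssl.PROTOCOL_* constant.

    None or an empty string means "unset" and selects auto-negotiation
    (ssl23), which is the behaviour the corrected patch gives to None.
    """
    if value is None or not value.strip():
        value = "ssl23"
    key = value.strip().lower()
    if key not in _PROTOCOL_NAMES:
        # Interpolate the value into the message; do not pass it as a
        # second exception argument.
        raise ValueError("Invalid SSL version requested: %r (choose from: %s)"
                         % (value, ", ".join(sorted(_PROTOCOL_NAMES))))
    const = getattr(ssl, _PROTOCOL_NAMES[key], None)
    if const is None:
        raise ValueError(
            "SSL version %r is not available in this Python/OpenSSL build" % key)
    return const
```

The returned constant is what the patch passes as `ssl_version=`; pinning ssl2 or ssl3 this way disables negotiation of any newer protocol for that connection.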