support for starttls

Johannes Stezenbach js at
Fri Apr 8 17:57:33 BST 2011


On Tue, Apr 05, 2011 at 11:26:33PM +0200, dtk wrote:
> FWIW I attached some wireshark dumps.

I looked at your dumps and it seems to me like your Python ssl
support is buggy.  Maybe you can try with a different Python and/or
openssl version.

FWIW, you can make wireshark decode the TLS handshake
by right-clicking on the first packet after the STARTTLS
"Response: OK Begin TLS negotiation now", then
"Decode As...", then on the Transport tab choose
"TCP _both_ ports as _SSL_".

Your client announces TLSv1 protocol version, which the
server accepts, but then the client errors with
"wrong protocol version", or just stops responding.
Doesn't make sense to me.

Can you connect using openssl s_client?

openssl s_client -connect <host>:143 -starttls imap -crlf -tls1

If that works and your openssl uses the same
as Python's ssl module, then maybe the latter has an issue.

You could try to edit to change
the ssl.wrap_socket() call in starttls() to add
"ssl_version=ssl.PROTOCOL_TLSv1" as last parameter.
However, since the TLSv1 Client Hello in your pcap dumps
already announces TLSv1 I'm not sure this will help.
Worth a try anyway.
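
The version comparison that the "Decode As..." step above makes visible can also be done directly on the stream bytes. The following is an added example, not part of the original message or of OfflineIMAP: it walks the TLS records of one direction of a connection and reports the versions in the hello messages and any plaintext alert. The function names are hypothetical and the byte streams are constructed samples, not taken from the posted dumps.

```python
import struct

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def version_name(v):
    return VERSIONS.get(v, "0x%04x" % v)


def parse_tls_records(data):
    """Walk the TLS records in one direction of a TCP stream (bytes sent after STARTTLS)."""
    events, pos = [], 0
    while pos + 5 <= len(data):
        rtype, rver, rlen = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5:pos + 5 + rlen]
        if rtype not in RECORD_TYPES or len(body) < rlen:
            events.append(("not_tls_or_truncated", pos))
            break
        if rtype == 22 and len(body) >= 6 and body[0] in HANDSHAKE_TYPES:
            # A hello body starts with the version the client offers or the server picks.
            hello_ver = struct.unpack_from("!H", body, 4)[0]
            events.append((HANDSHAKE_TYPES[body[0]], version_name(rver), version_name(hello_ver)))
        elif rtype == 21 and rlen == 2:
            level = "fatal" if body[0] == 2 else "warning"
            events.append(("alert", level, ALERTS.get(body[1], str(body[1]))))
        else:
            events.append((RECORD_TYPES[rtype], version_name(rver)))
        pos += 5 + rlen
    return events


def build_hello(msg_type, version):
    # Constructed minimal hello: version, 32-byte random, empty session id, one suite, null compression.
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += b"\x00\x02\x00\x2f\x01\x00" if msg_type == 1 else b"\x00\x2f\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


# Constructed streams: both sides agree on TLSv1.0, then the client sends a fatal alert.
CLIENT_STREAM = build_hello(1, 0x0301) + struct.pack("!BHHBB", 21, 0x0301, 2, 2, 70)
SERVER_STREAM = build_hello(2, 0x0301)

if __name__ == "__main__":
    print(parse_tls_records(CLIENT_STREAM), parse_tls_records(SERVER_STREAM))
```

Each hello event lists the record-layer version first and the hello's own version second; matching hello versions on both sides followed by a failure point away from version negotiation on the wire and toward the local TLS library.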

