support for starttls
Daniel Kreischer
d.t.k at gmx.de
Sun Apr 10 20:08:55 BST 2011
Hi Johannes,
Excerpts from Johannes Stezenbach's message of Fri Apr 08 18:57:33 +0200 2011:
> On Tue, Apr 05, 2011 at 11:26:33PM +0200, dtk wrote:
> > FWIW I attached some wireshark dumps.
>
> I looked at your dumps
thx!
> and it seems to me like your Python ssl
> support is buggy. Maybe you can try with a different Python and/or
> openssl version.
hmm, maybe tomorrow at work.
> FWIW, you can make wireshark decode the TLS handshake
> by right-clicking on the first packet after the STARTTLS
> "Response: OK Begin TLS negotiation now", then
> "Decode As...", then on the Transport tab choose
> "TCP _both_ ports as _SSL_".
sweet! didn't know that! thx!
> Your client announces TLSv1 protocol version, which the
> server accepts, but then the client errors with
> "wrong protocol version", or just stops responding.
*meh*
> Doesn't make sense to me.
to me neither
> Can you connect using openssl s_client?
>
> openssl s_client -connect <host>:143 -starttls imap -crlf -tls1
yes, works nicely. no surprise, though, since I played already with gnutls-cli
and thunderbird and mutt have been connecting to the server via their built-in
mechanisms all day long.
> If that works and your openssl uses the same libcrypto.so/libssl.so
> as Python's ssl module, then maybe the latter has an issue.
>
> You could try to edit imaplib2.py to change
> the ssl.wrap_socket() call in starttls() to add
> "ssl_version=ssl.PROTOCOL_TLSv1" as last parameter.
> However, since the TLSv1 Client Hello in your pcap dumps
> already announces TLSv1 I'm not sure this will help.
> Worth a try anyway.
will try as soon as I get my checkout working (cf other mail) -.-
> HTH,
> Johannes
thanks for your kind support!
dtk
--
Please use my PGP key to verify the signature of this mail
and encrypt mails for me:
pub 4096R/5E65930D 2009-04-27 [expires: 2011-04-25]
fpr 524B DC51 1D19 9943 1963 D00B 7AF6 BB87 5E65 930D
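
The `openssl s_client` check suggested in this message, repeated through Python's own ssl module so that the linked OpenSSL build and the negotiated protocol can be compared with the command-line result. This is an added example, not code from the thread, imaplib2 or OfflineIMAP; the function names and the command tags `a1`/`a2` are assumptions, and it uses `ssl.SSLContext` because `ssl.wrap_socket()` was removed in Python 3.12.

```python
import socket
import ssl
import sys

def read_tagged(f, tag):
    """Collect IMAP response lines up to the one carrying our tag."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed before tagged reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if line.startswith(tag + " "):
            return line.split(" ", 2)[1].upper(), lines

def request_starttls(sock):
    """Plaintext phase of IMAP STARTTLS; returns the tagged OK line."""
    # Unbuffered reads: nothing past the tagged OK is consumed before TLS starts.
    f = sock.makefile("rb", buffering=0)
    greeting = f.readline().decode("ascii", "replace")
    if not greeting.startswith("* OK"):
        raise RuntimeError("unexpected greeting: %r" % greeting)
    sock.sendall(b"a1 CAPABILITY\r\n")
    status, lines = read_tagged(f, "a1")
    caps = [l.upper().split() for l in lines if l.startswith("* CAPABILITY")]
    if status != "OK" or not any("STARTTLS" in c for c in caps):
        raise RuntimeError("server does not advertise STARTTLS")
    sock.sendall(b"a2 STARTTLS\r\n")
    status, lines = read_tagged(f, "a2")
    if status != "OK":
        raise RuntimeError("STARTTLS refused: " + lines[-1])
    return lines[-1]

def tls_report(sock, host):
    """Handshake with Python's ssl module; report library and negotiated protocol."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    tls = ctx.wrap_socket(sock, server_hostname=host)
    return {"linked_openssl": ssl.OPENSSL_VERSION,
            "negotiated": tls.version(), "cipher": tls.cipher()[0]}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: starttls_check.py <host>")
    else:
        host = sys.argv[1]
        with socket.create_connection((host, 143), timeout=10) as s:
            print(request_starttls(s))
            print(tls_report(s, host))
```

If `linked_openssl` differs from the version printed by `openssl version`, the two tests are not exercising the same libssl.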