support for starttls

Daniel Kreischer d.t.k at
Sun Apr 10 20:08:55 BST 2011

Hi Johannes,

Excerpts from Johannes Stezenbach's message of Fri Apr 08 18:57:33 +0200 2011:
> On Tue, Apr 05, 2011 at 11:26:33PM +0200, dtk wrote:
> > FWIW I attached some wireshark dumps.
> I looked at your dumps
> and it seems to me like your Python ssl
> support is buggy.  Maybe you can try with a different Python and/or
> openssl version.
hmm, maybe tomorrow at work.

> FWIW, you can make wireshark decode the TLS handshake
> by right-clicking on the first packet after the STARTTLS
> "Response: OK Begin TLS negotiation now", then
> "Decode As...", then on the Transport tab choose
> "TCP _both_ ports as _SSL_".
sweet! didn't know that! thx!

> Your client announces TLSv1 protocol version, which the
> server accepts, but then the client errors with
> "wrong protocol version", or just stops responding.
> Doesn't make sense to me.
to me neither

> Can you connect using openssl s_client?
> openssl s_client -connect <host>:143 -starttls imap -crlf -tls1
yes, works nicely. no surprise, though, since I played already with gnutls-cli
and thunderbird and mutt have been connecting to the server via their built-in
mechanisms all day long.

> If that works and your openssl uses the same
> as Python's ssl module, then maybe the latter has an issue.
> You could try to edit to change
> the ssl.wrap_socket() call in starttls() to add
> "ssl_version=ssl.PROTOCOL_TLSv1" as last parameter.
> However, since the TLSv1 Client Hello in your pcap dumps
> already announces TLSv1 I'm not sure this will help.
> Worth a try anyway.
will try as soon as I get my checkout working (cf other mail) -.-

> HTH,
> Johannes
thanks for your kind support!

Please use my PGP key to verify the signature of this mail
and encrypt mails for me:

pub   4096R/5E65930D 2009-04-27 [expires: 2011-04-25]
fpr   524B DC51 1D19 9943 1963  D00B 7AF6 BB87 5E65 930D
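
The comparison done by hand in Wireshark above (which version the client offers, which the server picks, and which side aborts) can also be scripted over the raw TCP payload each side sends after the STARTTLS exchange. This is an added example, not part of the original mail or of OfflineIMAP; the function names and the sample bytes are constructed here and are not taken from the dumps discussed in the thread.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HELLOS = {1: "ClientHello", 2: "ServerHello"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # subset of RFC 5246 alerts

def vname(v):
    return VERSIONS.get(v, hex(v))

def parse_records(stream):
    """Return (kind, record_version, detail) for each plaintext TLS record in one direction."""
    out, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, rec_ver, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % pos)
        pos += 5 + length
        if ctype == 22 and len(body) >= 6 and body[0] in HELLOS:
            # 4-byte handshake header (type + 24-bit length), then the 2-byte hello version
            hello_ver = struct.unpack_from("!H", body, 4)[0]
            out.append((HELLOS[body[0]], vname(rec_ver), vname(hello_ver)))
        elif ctype == 21 and len(body) == 2:  # unencrypted alert: level, description
            level = "fatal" if body[0] == 2 else "warning"
            out.append(("Alert", vname(rec_ver), "%s %s" % (level, ALERTS.get(body[1], body[1]))))
        else:
            out.append(("type %d" % ctype, vname(rec_ver), "%d bytes" % length))
    return out

def diagnose(client_stream, server_stream):
    """Summarise offered version, chosen version, and plaintext alerts per side."""
    c, s = parse_records(client_stream), parse_records(server_stream)
    return {
        "offered": next((d for k, _, d in c if k == "ClientHello"), None),
        "chosen": next((d for k, _, d in s if k == "ServerHello"), None),
        "alerts": [("client", d) for k, _, d in c if k == "Alert"]
                  + [("server", d) for k, _, d in s if k == "Alert"],
    }

# --- constructed sample bytes (minimal hellos, not the dumps from this thread) ---
def _rec(ctype, ver, payload):
    return struct.pack("!BHH", ctype, ver, len(payload)) + payload

def _hello(msg_type, ver):
    body = struct.pack("!H", ver) + bytes(32) + b"\x00"  # version, random, empty session id
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

CLIENT = _rec(22, 0x0301, _hello(1, 0x0301)) + _rec(21, 0x0301, bytes([2, 70]))
SERVER = _rec(22, 0x0301, _hello(2, 0x0301))
```

Alerts sent after encryption has started are not two plaintext bytes and show up here only as a generic record entry.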
