support for starttls

Johannes Stezenbach js at
Mon Apr 11 13:44:39 BST 2011

On Mon, Apr 11, 2011 at 01:37:23PM +0200, dtk wrote:
> Excerpts from Daniel Kreischer's message of Sun Apr 10 21:08:55 +0200 2011:
> > > and it seems to me like your Python ssl
> > > support is buggy.  Maybe you can try with a different Python and/or
> > > openssl version.
> > hmm, maybe tomorrow at work.
> hmm, same problem here with python 2.6.5 and openssl 0.9.8k[0]
> I obviously have to admit though that those versions aren't too different :/
> building python 2.7

What puzzles me is that Python documentation says about ssl_version:
  "If not specified, for client-side operation, the default SSL version is SSLv3"

Yet in your pcap it sends TLSv1 in the Client Hello.  Thus I suspected
your openssl library defaults to TLSv1 while Python's ssl wrapper
thinks it requested SSLv3.  But then your test with
ssl_version=ssl.PROTOCOL_TLSv1 should have worked.

Anyway, looking at python2.6.6/Modules/_ssl.c it seems Python
does not do any version checking itself, i.e. it fails inside openssl.

I'm not sure how to debug, but updating openssl might be a good idea:


More information about the OfflineIMAP-project mailing list