[Piers Lauder] Re: imaplib2 support for starttls

Johannes Stezenbach js at sig21.net
Tue Apr 12 23:46:20 BST 2011


On Tue, Apr 12, 2011 at 10:11:11PM +0200, Sebastian Spaeth wrote:
> On Tue, 12 Apr 2011 17:43:03 +0200, dtk <d.t.k at gmx.de> wrote:
> > 
> > Excerpts from Sebastian Spaeth's message of Tue Apr 12 17:16:14 +0200 2011:
> > > And here is a patch. Could someone who can test STARTTLS see if it works?
> > weeeeell. It changes *something* ;P
> >     error: command LIST illegal in state NONAUTH
> Yep, that is to be expected, given that my first patch to integrate
> starttls() skipped the login() part. It's good to hear that it gets
> further though.

Using the quick commandline test shows it works.
Wireshark dump also looks good, client and server agree to
use protocol version TLSv1.  However, the client starts
with an SSLv2 Client Hello packet with the version field set
to TLS 1.0 (0x0301).  That should be OK except that the
IMAP server I use rejects it with a version error.
I have to add "ssl_version=ssl.PROTOCOL_TLSv1" to the
ssl.wrap_socket() call to make it work.
(Debian Courier-IMAP)
But the same issue exists for plain imaps connects, that's
why I suggested adding an SSL version config option to offlineimap.
(RFC2246 "TLSv1" appendix E. "Backward Compatibility With SSL"
says the SSLv2 handshake should be "phased out with all due haste",
and that was written in 1999!)

But e.g. gmx.net is OK:

>>> import imaplib2
>>> s=imaplib2.IMAP4("imap.gmx.net", debug=1)
  43:57.61 MainThread imaplib2 version 2.23
  43:57.61 MainThread imaplib2 debug level True
  43:57.67 MainThread connected to imap.gmx.net on port 143
  43:57.67 imap.gmx.net writer starting
  43:57.67 imap.gmx.net reader starting using poll
  43:57.77 imap.gmx.net handler starting
  43:57.78 MainThread state => NONAUTH
  43:57.78 MainThread [async] CAPABILITY ()
>>> s.starttls()
  44:01.72 MainThread [sync] STARTTLS ()
  44:01.78 imap.gmx.net reader finished
  44:01.93 imap.gmx.net reader starting using poll
  44:01.93 MainThread [async] CAPABILITY ()
('OK', [None])

And of course the next step is then to add the same certificate checks
which were added to offlineimap's imaplibutil.py before...

BTW, I wonder if the imaplib2 threads should set the daemon flag
to not prevent python from exiting w/o clean IMAP2.logout()?
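
What the Wireshark observation in the message looks like on the wire, as an added example that is not part of the original mail or of imaplib2: a classifier that tells an SSLv2-format Client Hello offering TLS 1.0 (0x0301) apart from a TLS record-layer Client Hello. The function names and sample bytes are constructed for illustration; the field layouts follow RFC 2246 (appendix E for the SSLv2 format).

```python
import struct

# Protocol versions as (major, minor) wire bytes.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_client_hello(data: bytes):
    """Return (framing, offered_version) for the first bytes a client sends.

    framing is "sslv2-compat" for the SSLv2-format hello of RFC 2246
    appendix E, "tls-record" for a record-layer hello, else "unknown".
    """
    if len(data) < 5:
        return ("unknown", None)
    # SSLv2 framing: 2-byte length with the high bit set, then
    # msg_type 1 (CLIENT-HELLO) and the 2-byte offered version.
    if data[0] & 0x80 and data[2] == 1:
        return ("sslv2-compat", VERSIONS.get((data[3], data[4])))
    # TLS framing: record type 22 (handshake), record version, length,
    # then handshake type 1, a 3-byte length and client_version.
    if data[0] == 22 and len(data) >= 11 and data[5] == 1:
        return ("tls-record", VERSIONS.get((data[9], data[10])))
    return ("unknown", None)


def build_sslv2_hello(version=(3, 1)):
    """Constructed sample: SSLv2-format hello offering the given version."""
    cipher_specs = bytes.fromhex("00002f")  # one 3-byte cipher spec
    challenge = bytes(16)                   # all-zero challenge, sample only
    body = struct.pack(">BBBHHH", 1, version[0], version[1],
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(version=(3, 1)):
    """Constructed sample: record-layer Client Hello for the given version."""
    hello = bytes(version) + bytes(32) + b"\x00"  # version, random, no session id
    hello += struct.pack(">H", 2) + b"\x00\x2f"   # one cipher suite
    hello += b"\x01\x00"                          # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack(">BBBH", 22, version[0], version[1],
                       len(handshake)) + handshake


if __name__ == "__main__":
    for sample in (build_sslv2_hello(), build_tls_hello(), b"* OK ready"):
        print(classify_client_hello(sample))
```

Fed the first client-to-server bytes after the STARTTLS response from a capture, the "sslv2-compat" result identifies the framing that the message reports the Courier-IMAP server rejecting.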

