[Piers Lauder] Re: imaplib2 support for starttls
js at sig21.net
Tue Apr 12 23:46:20 BST 2011
On Tue, Apr 12, 2011 at 10:11:11PM +0200, Sebastian Spaeth wrote:
> On Tue, 12 Apr 2011 17:43:03 +0200, dtk <d.t.k at gmx.de> wrote:
> > Excerpts from Sebastian Spaeth's message of Tue Apr 12 17:16:14 +0200 2011:
> > > And here is a patch. Could someone who can test STARTTLS see if it works?
> > weeeeell. It changes *something* ;P
> > error: command LIST illegal in state NONAUTH
> Yep, that is to be expected, given that my first patch to integrate
> starttls() skipped the login() part. It's good to hear that it gets
> further though.
Using the quick commandline test shows it works.
Wireshark dump also looks good, client and server agree to
use protocol version TLSv1. However, the client starts
with a SSLv2 Client Hello packet with the version field set
to TLS 1.0 (0x0301). That should be OK except that the
IMAP server I use rejects it with a version error.
I have to add "ssl_version=ssl.PROTOCOL_TLSv1" to the
ssl.wrap_socket() call to make it work.
But the same issue exists for plain imaps connects, that's
why I suggested to add a SSL version config option to offlineimap.
(RFC2246 "TLSv1" appendix E. "Backward Compatibility With SSL"
says the SSLv2 handshake should be "phased out with all due haste",
and that was written in 1999!)
But e.g. gmx.net is OK:
>>> import imaplib2
>>> s=imaplib2.IMAP4("imap.gmx.net", debug=1)
43:57.61 MainThread imaplib2 version 2.23
43:57.61 MainThread imaplib2 debug level True
43:57.67 MainThread connected to imap.gmx.net on port 143
43:57.67 imap.gmx.net writer starting
43:57.67 imap.gmx.net reader starting using poll
43:57.77 imap.gmx.net handler starting
43:57.78 MainThread state => NONAUTH
43:57.78 MainThread [async] CAPABILITY ()
43:57.84 MainThread CAPABILITY: ('IMAP4REV1', 'CHILDREN', 'ENABLE', 'ID', 'IDLE', 'LITERAL+', 'NAMESPACE', 'SORT', 'THREAD=ORDEREDSUBJECT', 'UIDPLUS', 'UNSELECT', 'WITHIN', 'STARTTLS', 'AUTH=LOGIN', 'AUTH=PLAIN')
44:01.72 MainThread [sync] STARTTLS ()
44:01.78 imap.gmx.net reader finished
44:01.93 imap.gmx.net reader starting using poll
44:01.93 MainThread [async] CAPABILITY ()
And of course the next step is then to add the same certificate checks
which were added to offlineimap's imaplibutil.py before...
BTW, I wonder if the imaplib2 threads should set the daemon flag
to not prevent python from exiting w/o clean IMAP2.logout()?
More information about the OfflineIMAP-project