Support for TLS

Johannes Stezenbach js at sig21.net
Wed Jan 26 19:29:00 UTC 2011


On Wed, Jan 26, 2011 at 12:45:46PM -0500, Philippe LeCavalier wrote:
> On Wed, 2011-01-26 at 18:19 +0100, Sebastian Spaeth wrote:
> > But it would put more burden on the user to a question
> > which is not always obvious. "Does your server speak TLS or SSLv3 ?" ;-)
> I think most can 'telnet their.host.com 143' to get the min. supported
> options, no?

SSL and TLS use binary encoding, so telnet does not work.
(And the IMAPS port is usually 993.)  "openssl s_client"
would work but is too complicated for normal people.

The thing is that the TLS 1.0 spec contains SSL 3.0
backwards compatibility, so usually the client
would try TLSv1 and the server would downgrade it to SSLv3
if it can't do TLSv1.  See RFC 2246 appendix E.
But I think the Python ssl module prevents you from using
that, I guess if you specify PROTOCOL_TLSv1 it will fail
to connect to an SSLv3 server.  So if you want to do it
automatically, you need to
- connect with TLSv1
- if that fails, close the socket and
- connect again with SSLv3

IMHO this is too much hassle.  A config file entry would be better.
Default to TLSv1, if connection fails print a message to instruct
the user to try SSLv3.


Johannes
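The negotiation the message refers to (RFC 2246 appendix E) happens inside the binary handshake records, which is why "telnet host 143" tells you nothing about it. The following is an added example, not code from the thread or from OfflineIMAP: it builds a minimal ClientHello, applies the appendix E rule a server uses to pick the version it answers with (the lower of the client's offered version and the highest the server supports, or a refusal if the client offers less than the server's minimum), and parses the resulting ServerHello to read back which version was actually agreed. The cipher suite numbers, the all-zero random fields and the single-suite ServerHello are constructed for the example; the record and handshake layouts follow the SSL 3.0 / TLS 1.0 specifications.

```python
import struct

# Protocol versions as (major, minor) pairs, exactly as they appear on the wire.
SSLV3 = (3, 0)
TLSV1 = (3, 1)
VERSION_NAMES = {SSLV3: "SSLv3", TLSV1: "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Constructed for the example: TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
EXAMPLE_SUITES = (0x002F, 0x000A)
ZERO_RANDOM = b"\x00" * 32  # real implementations send 32 random bytes


def server_select_version(client_version, server_min, server_max):
    """RFC 2246 appendix E selection rule as seen from the server.

    Returns the version the server should put into ServerHello.server_version,
    or None when the client offers less than the server is willing to speak
    (the server would then send a handshake_failure alert instead of a ServerHello).
    """
    if client_version < server_min:
        return None
    return min(client_version, server_max)


def build_client_hello(client_version=TLSV1, cipher_suites=EXAMPLE_SUITES, random=ZERO_RANDOM):
    """Serialize a minimal ClientHello inside one handshake record (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!BB", *client_version) + random
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    # Record layer: content type 22 (handshake), record version, 16-bit length.
    return b"\x16" + struct.pack("!BB", *client_version) + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(server_version, cipher_suite=0x002F, random=ZERO_RANDOM):
    """Serialize the ServerHello a server sends after choosing server_version."""
    body = (struct.pack("!BB", *server_version) + random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", cipher_suite)
            + b"\x00")                                 # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = server_hello
    return b"\x16" + struct.pack("!BB", *server_version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return (record_version, server_version, cipher_suite) from a ServerHello record.

    Raises ValueError on anything that is not a complete ServerHello, which is
    also what a client sees when the peer answered with an alert or plain text.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS/SSL handshake record")
    record_version = (record[1], record[2])
    (length,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + length]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < 35:                                 # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    server_version = (body[0], body[1])
    session_id_len = body[34]
    offset = 35 + session_id_len
    if len(body) < offset + 3:                         # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    (cipher_suite,) = struct.unpack("!H", body[offset:offset + 2])
    return record_version, server_version, cipher_suite


def negotiate(client_version, server_min, server_max):
    """Run the exchange end to end and name the agreed version (None if refused)."""
    chosen = server_select_version(client_version, server_min, server_max)
    if chosen is None:
        return None
    _, agreed, _ = parse_server_hello(build_server_hello(chosen))
    return VERSION_NAMES.get(agreed, "unknown %d.%d" % agreed)


if __name__ == "__main__":
    hello = build_client_hello(TLSV1)
    print("ClientHello offering TLSv1:", hello.hex())
    print("TLSv1 client vs SSLv3-only server:", negotiate(TLSV1, SSLV3, SSLV3))
    print("SSLv3 client vs TLSv1-only server:", negotiate(SSLV3, TLSV1, TLSV1))
```

The second case in the usage block is the one the message is about: a server that only speaks SSLv3 downgrades a TLSv1 offer to SSLv3 inside the handshake, so a client that accepts the server's version needs no reconnect. A client library that insists on its own version (the message's guess about PROTOCOL_TLSv1) instead refuses the downgraded ServerHello, and the reconnect-with-SSLv3 sequence in the message is the workaround for that.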



More information about the OfflineIMAP-project mailing list