Support for TLS

Sebastian Spaeth Sebastian at SSpaeth.de
Mon Jan 24 08:06:40 GMT 2011


On Sat, 22 Jan 2011 21:59:53 +0100, Johannes Stezenbach <js at sig21.net> wrote:
> On Sat, Jan 22, 2011 at 06:44:16PM +0100, Eshat Cakar wrote:
> > WARNING: Error occured attempting to sync account remote: [Errno 1] _ssl.c:490: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> > Other combinations do not work either.
> > Since TLS is the new default (according to RFC) I would be happy if you could
> > implement support for it.

> For TLS, I guess you need to add ssl_version=ssl.PROTOCOL_TLSv1 to the
> ssl.wrap_socket() arguments.  See the Debian bug below for

Right, looking at
http://docs.python.org/dev/library/ssl.html

it seems that the protocol version being used is negotiated by the local
openssl library and the server, so I am a bit surprised that they are
not doing the right thing by default (e.g. choosing v3 rather than v2 by
default, and using TLS if needed).

I am a bit hesitant to introduce yet another config option that only
experts can set, I am rather a fan of having apps find out and do the
right thing themselves.

So would the right thing here be to first try with
ssl.PROTOCOL_TLSv1 and if that fails, to fall back to
ssl.PROTOCOL_SSLv3 ?

We should probably not even offer SSLv2 anymore? Or do some servers
still require it? It's not safe, as far as I know, though, right?

Sebastian
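The question above (try PROTOCOL_TLSv1, fall back to PROTOCOL_SSLv3, drop SSLv2) can be answered without a retry loop: with a single ssl.SSLContext the local OpenSSL negotiates the highest version both sides support within a configured window, and a minimum_version floor keeps SSLv2/SSLv3 off the table entirely. The example below is added here and is not code from this thread or from OfflineIMAP; it assumes a TLS 1.2 floor (SSLv3 is deprecated by RFC 7568, SSLv2 by RFC 6176), and the function names and the sample server bytes are constructed for illustration. It also shows how to recognise the "SSL23_GET_SERVER_HELLO:unknown protocol" symptom from the quoted log line, which OpenSSL raises when the server's reply does not parse as an SSL/TLS record, typically because TLS was started on a plaintext port (IMAP 143, which expects STARTTLS) instead of the implicit-TLS port (993).

```python
import ssl

# Lowest protocol version this client will negotiate. Assumption for this
# example: TLS 1.2. Nothing older can be chosen, so no SSLv3 fallback exists.
MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2


def make_client_context(minimum=MINIMUM_VERSION):
    """One context instead of a try-TLSv1-then-SSLv3 loop.

    OpenSSL picks the highest version both ends support inside the
    [minimum_version, maximum_version] window, so the client never has to
    retry with older PROTOCOL_* constants, and a downgrade below `minimum`
    is refused by the library itself.
    """
    ctx = ssl.create_default_context()  # PROTOCOL_TLS_CLIENT: verifies cert and hostname
    ctx.minimum_version = minimum
    return ctx


def context_allows(ctx, version):
    """True if `version` lies inside the context's negotiable window.

    minimum_version/maximum_version may hold the MINIMUM_SUPPORTED /
    MAXIMUM_SUPPORTED sentinels, so map those to concrete bounds first.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo <= version <= hi


def classify_server_bytes(first_bytes):
    """Classify the first bytes a server sent, to explain "unknown protocol".

    A TLS server answers a ClientHello with a handshake record: content type
    0x16, record version 0x03 0x00..0x04. A plaintext IMAP server instead
    sends an untagged greeting such as "* OK ..." before the client says
    anything, which OpenSSL cannot parse and reports as "unknown protocol".
    """
    if len(first_bytes) < 5:  # shorter than a TLS record header
        return "short"
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return "tls-handshake-record"
    if first_bytes.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "plaintext-imap-greeting"
    return "unknown"


def wrap_imap_socket(sock, hostname, ctx=None):
    """Wrap an already connected socket and report the negotiated version.

    Pass the hostname so the certificate's name is checked; with the default
    context a mismatch raises ssl.SSLCertVerificationError instead of
    silently connecting.
    """
    ctx = ctx or make_client_context()
    tls_sock = ctx.wrap_socket(sock, server_hostname=hostname)
    return tls_sock, tls_sock.version()  # e.g. "TLSv1.3"


if __name__ == "__main__":
    ctx = make_client_context()
    print("SSLv3 allowed:", context_allows(ctx, ssl.TLSVersion.SSLv3))
    print("TLS 1.2 allowed:", context_allows(ctx, ssl.TLSVersion.TLSv1_2))
    # Constructed sample: what a plaintext IMAP port sends before any handshake.
    print(classify_server_bytes(b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n"))
    # Constructed sample: start of a TLS ServerHello record.
    print(classify_server_bytes(b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76\x03\x03"))
```

In practice wrap_imap_socket is called on a socket connected to port 993; if the server instead greets in plaintext, the handshake fails and classify_server_bytes on a peeked copy of the reply (socket.MSG_PEEK) tells you to use STARTTLS on 143 rather than to weaken the protocol floor.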