Support for TLS

Sebastian Spaeth Sebastian at SSpaeth.de
Thu Jan 27 15:28:02 GMT 2011


On Tue, 25 Jan 2011 21:58:38 +0100, Johannes Stezenbach <js at sig21.net> wrote:
> I'm not sure how this is supposed to work in openssl either.  All
> I know is that the IMAP server I use was upgraded and the new
> version immediately disconnects when it sees an SSLv2 client hello.
> That's how I found out offlineimap was trying to connect using SSLv2.

By default, Python uses SSLv23 which is supposed to be able to negotiate
SSLv2, SSLv3, and TLSv1 connections. SSLv3 can only do SSLv3 (no TLS).

But somehow that negotiation doesn't seem to work in the above case, and
it would still allow insecure SSLv2 connections.

Python 3.2 introduces support for SSLv3 and TLSv1 connections preventing
SSLv2, but earlier versions cannot. So here comes my patch that first
tries TLSv1 and then SSLv3, bailing out if both fail. Unfortunately the
SSLError exceptions don't really allow you to differentiate much about *why*
some connection failed, at least in Python 2.6.

If a connection doesn't work it fails so quickly that I think there is
no harm in trying first one and then the other. Much easier than forcing
users to fiddle with their configuration files.

> SSLv2 is broken, no one should use it.

Right, so this patch allows us to just do that.

Patch comes as reply to this mail.
Sebastian
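The ordered fallback Sebastian describes, adapted to today's `ssl` module as an added example (this is not the patch from the thread and not OfflineIMAP's code): pin each attempt to exactly one protocol version, try the versions strongest first, and re-raise the last error when every attempt fails. The `connect` parameter is an assumed injection point so the ordering logic can be exercised without a network; `real_connect` is the live variant.

```python
import ssl
from typing import Any, Callable, List, Optional, Tuple

# Preference order, strongest first. Each attempt speaks exactly one version,
# the modern analogue of "PROTOCOL_TLSv1, then PROTOCOL_SSLv3" in the mail,
# but with the floor raised so nothing below TLS 1.2 is ever offered.
PREFERENCE: List[ssl.TLSVersion] = [ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2]


def make_pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Verifying client context that offers only `version` in its ClientHello."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


# Assumed signature: wraps a socket with `ctx`, performs the handshake,
# raises ssl.SSLError or OSError on failure.
ConnectFn = Callable[[ssl.SSLContext, str, int], Any]


def connect_with_fallback(host: str, port: int, connect: ConnectFn,
                          preference: List[ssl.TLSVersion] = PREFERENCE) -> Tuple[int, Any]:
    """Try each pinned version in order; return (index tried, connect() result).

    SSLError rarely says *why* a handshake failed, so every failure simply
    moves on to the next version. When all of them fail, the last error is
    re-raised so the caller bails out instead of downgrading any further.
    """
    last_err: Optional[BaseException] = None
    for index, version in enumerate(preference):
        ctx = make_pinned_context(version)
        try:
            return index, connect(ctx, host, port)
        except (ssl.SSLError, OSError) as err:
            last_err = err
    assert last_err is not None, "empty preference list"
    raise last_err


def real_connect(ctx: ssl.SSLContext, host: str, port: int) -> ssl.SSLSocket:
    """A ConnectFn for live use: TCP connect, then TLS handshake (needs network)."""
    import socket
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)
```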