[PATCH] Re: Don't allow SSLv2 connections

Nicolas Sebrecht nicolas.s-dev at laposte.net
Fri Jan 28 18:31:22 GMT 2011


On Fri, Jan 28, 2011 at 09:46:16AM +0100, Sebastian Spaeth wrote:
> On Thu, 27 Jan 2011 16:51:15 +0100, Johannes Stezenbach <js at sig21.net> wrote:
> > I'm not sure this will work since the server might have closed
> > the socket already.  You'd need a new self.sock.
> 
> One might think so. Unfortunately the python SSL documentation is sorely
> lacking. However, I have tried this patch by first trying SSLv2 (which
> my mail server refuses) and then trying SSLv3 as fallback (which my
> server allows) and the code as in that patch worked just fine.
> 
> This is certainly no proof that it will work with all servers and all
> versions of openssl, but it does work here.

It's a nice method. But we should think about the approach a bit differently.

What would it cost to restart a socket in this case? What would we
gain?  The advantage is to make sure we won't hurt servers and perhaps
some crappy implementations of them. So, it's much more sure. The price
may be a bit of performance while initiating a sync.

I'm in favor of the stability, here.

-- 
Nicolas Sebrecht
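The point raised in this thread (a rejected handshake may leave the server side closed, so a retry must open a new socket, and SSLv2 should not be offered at all) is illustrated below. This is an added example, not OfflineIMAP code or anything from the patch under discussion; the protocol labels, the `FakeSocket` stand-in and the simulated server behaviour are constructed so the retry logic can be exercised offline.

```python
"""Retry a TLS handshake on a fresh socket per attempt, never on one the
server may already have closed, and refuse SSLv2/SSLv3 outright."""
import socket
import ssl

# Hypothetical label scheme: protocols that must never be attempted.
BANNED_PROTOCOLS = frozenset({"SSLv2", "SSLv3"})


def default_connect(host, port, timeout=10.0):
    """Open a new plain TCP connection (real network call; swapped out in tests)."""
    return socket.create_connection((host, port), timeout=timeout)


def modern_tls_wrap(sock, server_hostname):
    """Handshake with a default context: SSLv2 and SSLv3 are disabled there, the
    peer certificate is verified against the system trust store, and the version
    is negotiated inside the handshake, so a single attempt normally suffices."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


def connect_with_fallback(host, port, attempts, connect=default_connect, log=None):
    """Try each (label, wrap) pair in order, on a brand-new socket every time.

    `wrap(sock, host)` returns a wrapped socket or raises ssl.SSLError / OSError.
    A failed attempt's socket is closed before the next one is opened, because
    the server may have shut the connection down after rejecting the handshake.
    Returns (label, wrapped_socket); raises ConnectionError if every attempt fails.
    """
    if log is None:
        log = []
    for label, wrap in attempts:
        if label in BANNED_PROTOCOLS:
            raise ValueError(f"{label} is not allowed")
        sock = connect(host, port)          # fresh socket for this attempt only
        try:
            tls = wrap(sock, host)
        except (ssl.SSLError, OSError) as exc:
            sock.close()                    # never reuse it: the peer may be gone
            log.append(f"{label}: handshake failed: {exc}")
            continue
        log.append(f"{label}: handshake ok")
        return label, tls
    raise ConnectionError(f"no acceptable TLS handshake with {host}:{port}; tried: {log}")


class FakeSocket:
    """Constructed stand-in for a TCP socket so the logic runs without a network."""
    created = 0

    def __init__(self):
        FakeSocket.created += 1
        self.id = FakeSocket.created
        self.closed = False

    def close(self):
        self.closed = True


def fake_connect(host, port):
    return FakeSocket()


def make_fake_wrap(accepts):
    """Return a wrap() whose simulated server either completes the handshake or
    rejects it and drops the connection, leaving our socket unusable."""
    def wrap(sock, host):
        if not accepts:
            sock.close()
            raise ssl.SSLError("handshake refused by simulated server")
        return ("tls-session-on-socket", sock.id)
    return wrap


def demo():
    """First offer is refused, second succeeds; each offer gets its own socket."""
    FakeSocket.created = 0
    log = []
    label, session = connect_with_fallback(
        "imap.example.invalid", 993,
        [("TLS1.3-only", make_fake_wrap(False)), ("TLS1.2+", make_fake_wrap(True))],
        connect=fake_connect, log=log)
    return label, session, FakeSocket.created, log


if __name__ == "__main__":
    print(demo())
```

The `demo()` run shows two sockets being created: the one the simulated server rejected is closed and discarded, and the successful session sits on the second. With a real `ssl.create_default_context()` the version is settled inside one handshake, so the attempt list should only ever contain configurations you would accept anyway; a loop that keeps downgrading on failure is what turns a transient refusal into a weaker connection.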
