Weird ssl error - sync working ~10% of the time

Jan Frederick Eick j.f.eick at gmx.de
Sat Oct 13 22:13:31 BST 2012


Hey, it's me again ;)

I could reproduce the error with a simple script:
[SNIP]
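import ssl
import socket

# Resolve the IMAPS endpoint and connect to the first resolved address.
for res in socket.getaddrinfo("mailgate.uni-weimar.de", 993, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    s = socket.socket(af, socktype, proto)
    s.connect(sa)
    break

# Handshake with the default ssl_version (ssl.PROTOCOL_SSLv23); this is the call that fails.
s = ssl.wrap_socket(s, ca_certs='/home/ike/.cert/cert.pem', cert_reqs=ssl.CERT_REQUIRED)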
[/SNIP]

The solution was to add a parameter to ssl.wrap_socket() - namely: ssl_version=ssl.PROTOCOL_SSLv3

The default value ssl_version=ssl.PROTOCOL_SSLv23 always fails.
I have no idea if this is an issue with the implementation of Python's ssl module, but I wrote a quick fix for it.

[SNIP]
--- imaplib2.py	2012-10-13 23:07:20.376331838 +0200
+++ /usr/lib/python2.7/site-packages/offlineimap/imaplib2.py	2012-10-13 23:11:37.342986785 +0200
@@ -460,7 +460,7 @@
                 cert_reqs = ssl.CERT_REQUIRED
             else:
                 cert_reqs = ssl.CERT_NONE
-            self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs)
+            self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl.PROTOCOL_SSLv3)
             ssl_exc = ssl.SSLError
             self.read_fd = self.sock.fileno()
         except ImportError:
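Review bot: the `ssl_version=ssl.PROTOCOL_SSLv3` argument added to the `ssl.wrap_socket(...)` call is hard-coded, so every server reached through this code path is pinned to SSLv3 and can no longer negotiate a newer protocol version the way the default `ssl.PROTOCOL_SSLv23` does. Suggest passing the version in from a constructor argument or configuration setting that defaults to the current behaviour, so that only the host that needs the workaround is pinned.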
[/SNIP]

Shouldn't SSLv2 be banned from the universe by now? :)

Cheers

Jan Frederick


-------- Original-Message --------
> Date: Sat, 13 Oct 2012 20:45:19 +0200
> From: "Jan Frederick Eick" <j.f.eick at gmx.de>
> To: offlineimap-project at lists.alioth.debian.org
> Subject: Weird ssl error - sync working ~10% of the time

> Hi there!
> 
> This is my last hope, I've been having trouble configuring my university
> account for more than a week.
> 
> The relevant section of my .offlineimaprc is:
> [Repository Uni-Remote]
> remotehost = mailgate.uni-weimar.de 
> port = 993
> ssl = true
> sslcacertfile = ~/.cert/cert.pem
> cert_fingerprint = 5489eefeb62...
> remoteuser = User
> remotepass = Pass
> realdelete = no
> maxconnection = 1
> 
> ---
> 
> I can't really remember when or where I found out the cert_fingerprint,
> but it doesn't matter if I include it in my .offlineimaprc or not, the result
> is the same. I generated ~/.cert/cert.pem by myself, cat'ing all required
> pems for the cert chain (including the root ca which is located in
> /etc/ssl/certs). Syncing my account only works about 10% of the time.
> 
> Mostly I get this: 
> 
> $ offlineimap -u ttyui -a Uni -d all
> OfflineIMAP 6.5.4
>   Licensed under the GNU GPL v2+ (v2 or any later version)
> Now debugging for imap: IMAP protocol debugging
> Now debugging for maildir: Maildir repository debugging
> Now debugging for thread: Threading debugging
> Now debugging for : Other offlineimap related sync messages
> Account sync Uni:
>  [thread]: Register new thread 'Account sync Uni' (account 'Uni')
>  [maildir]: MaildirRepository initialized, sep is '.'
>  *** Processing account Uni
>  Establishing connection to mailgate.uni-weimar.de:993
>  [imap]:   41:16.14 Account sync Uni imaplib2 version 2.33
>  [imap]:   41:16.14 Account sync Uni imaplib2 debug level 5, buffer level
> 3
>  ERROR: Unknown SSL protocol connecting to host 'mailgate.uni-weimar.de'
> forrepository 'Uni-Remote'. OpenSSL responded:
> [Errno 1] _ssl.c:504: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad record mac
>  ['  File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> 234, in syncrunner\n    self.sync()\n', '  File
> "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line 290, in sync\n   
> remoterepos.getfolders()\n', '  File
> "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py", line 268, in getfolders\n    imapobj =
> self.imapserver.acquireconnection()\n', '  File
> "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line 333, in acquireconnection\n    raise
> OfflineImapError(reason, severity)\n']
>  *** Finished account 'Uni' in 0:00
> [thread]: Unregister thread 'Account sync Uni'
> ERROR: Exceptions occurred during the run!
> ERROR: Unknown SSL protocol connecting to host 'mailgate.uni-weimar.de'
> forrepository 'Uni-Remote'. OpenSSL responded:
> [Errno 1] _ssl.c:504: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad record mac
> 
> Traceback:
>   File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> 234, in syncrunner
>     self.sync()
>   File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> 290, in sync
>     remoterepos.getfolders()
>   File "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py",
> line 268, in getfolders
>     imapobj = self.imapserver.acquireconnection()
>   File "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line
> 333, in acquireconnection
>     raise OfflineImapError(reason, severity)
> 
> -----
> 
> I'm very sure the cert-file is right - because running
> openssl s_client -connect mailgate.uni-weimar.de:993 -CAfile
> ~/.cert/cert.pem gives me:
> [...]
> SSL-Session:
> [...]
>     Compression: 1 (zlib compression)
>     Start Time: 1350153781
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 
> Can someone give me a hint what's wrong with my setup?
> Or any hint how I could further debug this issue?
> 
> 
> _______________________________________________
> OfflineIMAP-project mailing list
> OfflineIMAP-project at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project
> 
> OfflineIMAP homepage: http://software.complete.org/offlineimap
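
Added example (not part of the original post or of OfflineIMAP): decoding the OpenSSL error string from the log above to see which side reported the failure. It assumes the OpenSSL 1.0.x packed error layout (8-bit library, 12-bit function, 12-bit reason) and that SSL reason codes of 1000 and above are alerts received from the peer; `decode_openssl_error` and the short alert table are illustrative names.

```python
import re

# Assumption: OpenSSL 1.0.x ERR_PACK layout (lib:8 | func:12 | reason:12).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000: alert received from peer

# Subset of SSL/TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Split an 'error:XXXXXXXX:lib:func:reason' string into its fields."""
    m = ERR_RE.search(line)
    if m is None:
        raise ValueError("no OpenSSL error string found")
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "text": m.group(4).strip(),
            "peer_alert": None}
    # An alert sent by the server is a different failure class from a local
    # certificate verification error, so flag it explicitly.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = (number, ALERTS.get(number, "unknown"))
    return info


# Error line taken from the log on this page (rejoined across the mail wrap).
SAMPLE = ("[Errno 1] _ssl.c:504: error:140943FC:SSL routines:"
          "SSL3_READ_BYTES:sslv3 alert bad record mac")

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

For the logged error the `peer_alert` field is alert 20, `bad_record_mac`, which means the server sent the alert; the failure is not a local certificate verification error.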



