Weird ssl error - sync working ~10% of the time
Jan Frederick Eick
j.f.eick at gmx.de
Sat Oct 13 22:13:31 BST 2012
Hey, it's me again ;)
I could reproduce the error with a simple script:
[SNIP]
import ssl
import socket

for res in socket.getaddrinfo("mailgate.uni-weimar.de", 993, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    s = socket.socket(af, socktype, proto)
    s.connect(sa)
    # No ssl_version given, so the default ssl.PROTOCOL_SSLv23 is used here.
    s = ssl.wrap_socket(s, ca_certs='/home/ike/.cert/cert.pem', cert_reqs=ssl.CERT_REQUIRED)
[/SNIP]
The solution was to add a parameter to ssl.wrap_socket() - namely: ssl_version=ssl.PROTOCOL_SSLv3
The default value ssl_version=ssl.PROTOCOL_SSLv23 always fails.
I have no idea if this is an issue with the implementation of Python's ssl module, but I wrote a quick fix for it.
[SNIP]
--- imaplib2.py 2012-10-13 23:07:20.376331838 +0200
+++ /usr/lib/python2.7/site-packages/offlineimap/imaplib2.py 2012-10-13 23:11:37.342986785 +0200
@@ -460,7 +460,7 @@
cert_reqs = ssl.CERT_REQUIRED
else:
cert_reqs = ssl.CERT_NONE
- self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs)
+ self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl.PROTOCOL_SSLv3)
ssl_exc = ssl.SSLError
self.read_fd = self.sock.fileno()
except ImportError:
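Review bot: the changed ssl.wrap_socket() call hardcodes ssl_version=ssl.PROTOCOL_SSLv3 for every connection made through this code path, so servers that would negotiate a TLS version under the default PROTOCOL_SSLv23 are pinned to SSLv3, and servers that do not offer SSLv3 can no longer be reached at all. Pass the protocol in as an optional setting stored next to self.ca_certs, keep the library default when it is unset, and document that the override exists for servers where negotiation fails, as with the host in this report.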
[/SNIP]
Shouldn't SSLv2 be banned from the universe by now? :)
Cheers
Jan Frederick
-------- Original-Message --------
> Date: Sat, 13 Oct 2012 20:45:19 +0200
> From: "Jan Frederick Eick" <j.f.eick at gmx.de>
> To: offlineimap-project at lists.alioth.debian.org
> Subject: Weird ssl error - sync working ~10% of the time
> Hi there!
>
> This is my last hope, I'm having trouble configuring my university
> account for more than a week.
>
> The relevant section of my .offlineimaprc is:
> [Repository Uni-Remote]
> remotehost = mailgate.uni-weimar.de
> port = 993
> ssl = true
> sslcacertfile = ~/.cert/cert.pem
> cert_fingerprint = 5489eefeb62...
> remoteuser = User
> remotepass = Pass
> realdelete = no
> maxconnection = 1
>
> ---
>
> I can't really remember when or where I found out the cert_fingerprint,
> but it doesn't matter if I include it in my .offlineimaprc or not, the result
> is the same. I generated ~/.cert/cert.pem by myself, cat'ing all required
> pems for the cert chain (including the root ca which is located in
> /etc/ssl/certs). Syncing my account only works about 10% of the time.
>
> Mostly I get this:
>
> $ offlineimap -u ttyui -a Uni -d all
> OfflineIMAP 6.5.4
> Licensed under the GNU GPL v2+ (v2 or any later version)
> Now debugging for imap: IMAP protocol debugging
> Now debugging for maildir: Maildir repository debugging
> Now debugging for thread: Threading debugging
> Now debugging for : Other offlineimap related sync messages
> Account sync Uni:
> [thread]: Register new thread 'Account sync Uni' (account 'Uni')
> [maildir]: MaildirRepository initialized, sep is '.'
> *** Processing account Uni
> Establishing connection to mailgate.uni-weimar.de:993
> [imap]: 41:16.14 Account sync Uni imaplib2 version 2.33
> [imap]: 41:16.14 Account sync Uni imaplib2 debug level 5, buffer level
> 3
> ERROR: Unknown SSL protocol connecting to host 'mailgate.uni-weimar.de'
> forrepository 'Uni-Remote'. OpenSSL responded:
> [Errno 1] _ssl.c:504: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad record mac
> [' File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> 234, in syncrunner\n self.sync()\n', ' File
> "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line 290, in sync\n
> remoterepos.getfolders()\n', ' File
> "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py", line 268, in getfolders\n imapobj =
> self.imapserver.acquireconnection()\n', ' File
> "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line 333, in acquireconnection\n raise
> OfflineImapError(reason, severity)\n']
> *** Finished account 'Uni' in 0:00
> [thread]: Unregister thread 'Account sync Uni'
> ERROR: Exceptions occurred during the run!
> ERROR: Unknown SSL protocol connecting to host 'mailgate.uni-weimar.de'
> forrepository 'Uni-Remote'. OpenSSL responded:
> [Errno 1] _ssl.c:504: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad record mac
>
> Traceback:
> File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> 234, in syncrunner
> self.sync()
> File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> 290, in sync
> remoterepos.getfolders()
> File "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py",
> line 268, in getfolders
> imapobj = self.imapserver.acquireconnection()
> File "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line
> 333, in acquireconnection
> raise OfflineImapError(reason, severity)
>
> -----
>
> I'm very sure the cert-file is right - because running
> openssl s_client -connect mailgate.uni-weimar.de:993 -CAfile
> ~/.cert/cert.pem gives me:
> [...]
> SSL-Session:
> [...]
> Compression: 1 (zlib compression)
> Start Time: 1350153781
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> Can someone give me a hint what's wrong with my setup?
> Or any hint how I could further debug this issue?
>
>
> _______________________________________________
> OfflineIMAP-project mailing list
> OfflineIMAP-project at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project
>
> OfflineIMAP homepage: http://software.complete.org/offlineimap
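
Added example (not part of the original message or of OfflineIMAP): a small Python decoder for the packed OpenSSL error code in the log above, assuming the pre-3.0 OpenSSL layout of 8 bits library, 12 bits function and 12 bits reason. It shows that 140943FC carries TLS alert 20 (bad_record_mac) received from the server rather than a local certificate-verification failure; the name decode_openssl_error and the contrast sample are assumptions of this example.

```python
import re

# OpenSSL before 3.0 packs an error code as: 8 bits library,
# 12 bits function, 12 bits reason.
ERR_LIB_SSL = 0x14
# SSL reason codes above this offset are alerts received from the peer.
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
}

# Error text copied from the log in the message above (wrapped as in the mail).
PAGE_ERROR = ("[Errno 1] _ssl.c:504: error:140943FC:SSL routines:"
              "SSL3_READ_BYTES:sslv3\nalert bad record mac")
# Contrast sample constructed for this example: a local verification failure.
VERIFY_ERROR = ("error:14090086:SSL routines:"
                "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed")

ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)", re.S)

def decode_openssl_error(text):
    """Split an 'error:XXXXXXXX:lib:func:reason' string into its fields."""
    m = ERR_LINE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib,
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "routine": m.group(3),
        "message": " ".join(m.group(4).split()),  # re-join wrapped log lines
        "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert),
    }
```

A non-None peer_alert means the remote end rejected the connection, which points the investigation at protocol negotiation rather than at the local CA file.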