Weird ssl error - sync working ~10% of the time
Nicolas Sebrecht
nicolas.s-dev at laposte.net
Sat Jan 26 16:55:44 GMT 2013
Resending the mail for the recent call for patches.
I guess it is small enough to write it manually again with the
appropriate credits, if good enough to be applied. ,-)
On Sat, Oct 13, 2012 at 11:13:31PM +0200, Jan Frederick Eick wrote:
> Hey, it's me again ;)
>
> I could reproduce the error with a simple script:
> [SNIP]
> import ssl
> import socket
>
> for res in socket.getaddrinfo("mailgate.uni-weimar.de", 993, socket.AF_UNSPEC, socket.SOCK_STREAM):
>     af, socktype, proto, canonname, sa = res
>     s = socket.socket(af, socktype, proto)
>     s.connect(sa)
>     s = ssl.wrap_socket(s, ca_certs='/home/ike/.cert/cert.pem', cert_reqs=ssl.CERT_REQUIRED)
> [/SNIP]
>
> The solution was to add a parameter to ssl.wrap_socket() - namely: ssl_version=ssl.PROTOCOL_SSLv3
>
> The default value ssl_version=ssl.PROTOCOL_SSLv23 always fails.
> I have no idea if this is an issue with the implementation of python's ssl module, but I wrote a quick fix for it.
>
> [SNAP]
> --- imaplib2.py 2012-10-13 23:07:20.376331838 +0200
> +++ /usr/lib/python2.7/site-packages/offlineimap/imaplib2.py 2012-10-13 23:11:37.342986785 +0200
> @@ -460,7 +460,7 @@
> cert_reqs = ssl.CERT_REQUIRED
> else:
> cert_reqs = ssl.CERT_NONE
> - self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs)
> + self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl.PROTOCOL_SSLv3)
> ssl_exc = ssl.SSLError
> self.read_fd = self.sock.fileno()
> except ImportError:
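Review bot: The added `ssl_version=ssl.PROTOCOL_SSLv3` argument on the `ssl.wrap_socket(...)` line is hard-coded, so every IMAP connection is pinned to SSLv3 and a server that only accepts TLS will now fail the handshake where the previous default negotiated a version. Please make the protocol a per-repository setting that is passed into this call, keep the negotiating default (`ssl.PROTOCOL_SSLv23`) when the setting is absent, and say in the commit message that this works around a handshake failure seen with one server. The file headers also compare a local `imaplib2.py` against the installed copy under `/usr/lib/python2.7/site-packages/`; a patch generated against the project tree would be easier to apply.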
> [/SNIP]
>
> Shouldn't SSLv2 be banned from the universe till now? :)
>
> Cheers
>
> Jan Frederick
>
>
> -------- Original-Message --------
> > Date: Sat, 13 Oct 2012 20:45:19 +0200
> > From: "Jan Frederick Eick" <j.f.eick at gmx.de>
> > To: offlineimap-project at lists.alioth.debian.org
> > Subject: Weird ssl error - sync working ~10% of the time
>
> > Hi there!
> >
> > This is my last hope, I'm having trouble configuring my university
> > account for more than a week.
> >
> > The relevant section of my .offlineimaprc is:
> > [Repository Uni-Remote]
> > remotehost = mailgate.uni-weimar.de
> > port = 993
> > ssl = true
> > sslcacertfile = ~/.cert/cert.pem
> > cert_fingerprint = 5489eefeb62...
> > remoteuser = User
> > remotepass = Pass
> > realdelete = no
> > maxconnection = 1
> >
> > ---
> >
> > I can't really remember when or where I found out the cert_fingerprint,
> > but it doesn't matter if I include it in my .offlineimaprc or not, the result
> > is the same. I generated ~/.cert/cert.pem by myself, cat'ing all required
> > pems for the cert chain (including the root ca which is located in
> > /etc/ssl/certs). Syncing my account only works in about 10% of the time.
> >
> > Mostly I get this:
> >
> > $ offlineimap -u ttyui -a Uni -d all
> > OfflineIMAP 6.5.4
> > Licensed under the GNU GPL v2+ (v2 or any later version)
> > Now debugging for imap: IMAP protocol debugging
> > Now debugging for maildir: Maildir repository debugging
> > Now debugging for thread: Threading debugging
> > Now debugging for : Other offlineimap related sync messages
> > Account sync Uni:
> > [thread]: Register new thread 'Account sync Uni' (account 'Uni')
> > [maildir]: MaildirRepository initialized, sep is '.'
> > *** Processing account Uni
> > Establishing connection to mailgate.uni-weimar.de:993
> > [imap]: 41:16.14 Account sync Uni imaplib2 version 2.33
> > [imap]: 41:16.14 Account sync Uni imaplib2 debug level 5, buffer level
> > 3
> > ERROR: Unknown SSL protocol connecting to host 'mailgate.uni-weimar.de'
> > forrepository 'Uni-Remote'. OpenSSL responded:
> > [Errno 1] _ssl.c:504: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3
> > alert bad record mac
> > [' File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> > 234, in syncrunner\n self.sync()\n', ' File
> > "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line 290, in sync\n
> > remoterepos.getfolders()\n', ' File
> > "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py", line 268, in getfolders\n imapobj =
> > self.imapserver.acquireconnection()\n', ' File
> > "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line 333, in acquireconnection\n raise
> > OfflineImapError(reason, severity)\n']
> > *** Finished account 'Uni' in 0:00
> > [thread]: Unregister thread 'Account sync Uni'
> > ERROR: Exceptions occurred during the run!
> > ERROR: Unknown SSL protocol connecting to host 'mailgate.uni-weimar.de'
> > forrepository 'Uni-Remote'. OpenSSL responded:
> > [Errno 1] _ssl.c:504: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3
> > alert bad record mac
> >
> > Traceback:
> > File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> > 234, in syncrunner
> > self.sync()
> > File "/usr/lib/python2.7/site-packages/offlineimap/accounts.py", line
> > 290, in sync
> > remoterepos.getfolders()
> > File "/usr/lib/python2.7/site-packages/offlineimap/repository/IMAP.py",
> > line 268, in getfolders
> > imapobj = self.imapserver.acquireconnection()
> > File "/usr/lib/python2.7/site-packages/offlineimap/imapserver.py", line
> > 333, in acquireconnection
> > raise OfflineImapError(reason, severity)
> >
> > -----
> >
> > I'm very sure the cert-file is right - because running
> > openssl s_client -connect mailgate.uni-weimar.de:993 -CAfile
> > ~/.cert/cert.pem gives me:
> > [...]
> > SSL-Session:
> > [...]
> > Compression: 1 (zlib compression)
> > Start Time: 1350153781
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > Can someone give me hint what's wrong with my setup?
> > Or any hint how I could further debug this issue?
> >
> >
> > _______________________________________________
> > OfflineIMAP-project mailing list
> > OfflineIMAP-project at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project
> >
> > OfflineIMAP homepage: http://software.complete.org/offlineimap
>
--
Nicolas Sebrecht
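
An added example, not part of the original mail or of OfflineIMAP's code: the quoted fix (choosing the protocol version explicitly) written as a validated option on a current Python, where `ssl.wrap_socket()` no longer exists (it was removed in Python 3.12). The option values `auto` and `tls1_2` and the helpers `build_context` and `negotiated_version` are hypothetical names chosen for this sketch.

```python
import socket
import ssl

# Hypothetical option values (not OfflineIMAP's own) mapped to the
# (minimum, maximum) protocol versions the client will offer.
_VERSION_BOUNDS = {
    "auto": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.MAXIMUM_SUPPORTED),
    "tls1_2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}


def build_context(version="auto", cafile=None):
    """Return a verifying client context limited to the requested versions."""
    try:
        lowest, highest = _VERSION_BOUNDS[version.strip().lower()]
    except KeyError:
        raise ValueError("unsupported ssl_version option: %r" % version) from None
    # create_default_context() keeps CERT_REQUIRED and hostname checking on,
    # so choosing a protocol version never weakens certificate validation.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = lowest
    ctx.maximum_version = highest
    return ctx


def negotiated_version(host, port, ctx, timeout=10):
    """Connect, complete the handshake and report what was negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Constructed sample values standing in for per-repository settings.
    for option in ("auto", "TLS1_2", "ssl3"):
        try:
            ctx = build_context(option)
            print(option, "->", ctx.minimum_version.name, ctx.maximum_version.name)
        except ValueError as exc:
            print(option, "-> rejected:", exc)
```

`negotiated_version()` needs network access to the server being diagnosed; comparing its result for `auto` and `tls1_2` shows whether negotiation or one specific version is what fails.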