intermittent SSL problems

Lorenzo Grespan lorenzo.grespan at gmail.com
Mon Jun 30 22:20:44 BST 2014


Hi all,

I'm having issues with offlineimap on a BSD system.

Premise: I copied my (working) offlineimap from my OSX machine to a newly
installed OpenBSD. After some fiddling I got it to work yesterday. In a
nutshell, these are the relevant lines that I changed in the config file:

[...]
type = Gmail
ssl=yes
#sslcacertfile=~/Mail/certs.pem
sslcacertfile=/etc/ssl/cert.pem
cert_fingerprint=89091347184d41768bfc0da9fad94bfe882dd358

Basically, on OSX I had to download the certificates locally (into
~/Mail/certs.pem) for host verification as I could not [be bothered to]
find the host-wide SSL certificates. On the BSD system I used the
system-wide installed certificates, but I had to specify a fingerprint. The
uncommented lines show my progress in this direction.

Today, without touching the configuration, I got the following error:

ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for repository 'XXX-remote'. OpenSSL responded:
[Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ERROR: While attempting to sync account 'XXX'
  Prompting for a password is not supported in this UI backend.

After a random interval (minutes, in the order of 10-20) I tried again and
this time it worked fine. I can't pinpoint the exact problem: seems like an
SSL issue, but I don't understand why it fails asking for a password. I
doubt anyone is playing man-in-the-middle, but one of the earlier faults I
did not capture was a complaint that the fingerprint does not match the
certificate.

There is one further piece to the puzzle: since I did not want to put my
password in cleartext, I saved the 'application' password for my Gmail
account in a GPG-encrypted file and I wrote a Python wrapper to load it
from offlineimap. I'll be more than happy to share the code if anyone is
interested.

Nevertheless, what I found puzzling is that when everything works, I am
asked for the GPG password. Otherwise, it fails with an SSL error. My gut
feeling is that there is some sort of random SSL timeout that prevents
offlineimap from invoking the Python wrapper. But I'm new here, hence my
ask for help.

My best regards,

Lorenzo

-- 
:Lorenzo Grespan
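
One way to narrow down the intermittent fingerprint complaint described above is to record the fingerprint of the certificate presented on each connection and compare it with the pinned value. This is an added example, not part of the original post and not offlineimap's own code. It assumes cert_fingerprint is the SHA-1 of the DER-encoded certificate (the 40-hex-digit value in the config is consistent with that); all function names are hypothetical, and the demo uses constructed stand-in bytes instead of real certificates so it runs offline.

```python
import hashlib
import ssl


def normalize(fp):
    """Lower-case a hex fingerprint and drop ':' or space separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def sha1_fingerprint(pem_cert):
    """SHA-1 hex digest of the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha1(der).hexdigest()


def check_pin(pem_cert, pinned):
    """Return (matches, seen_fingerprint) for one presented certificate."""
    seen = sha1_fingerprint(pem_cert)
    return seen in {normalize(p) for p in pinned}, seen


def fetch_server_cert(host="imap.gmail.com", port=993):
    """Fetch the server's leaf certificate as PEM (needs network; unused in demo)."""
    return ssl.get_server_certificate((host, port))


def demo():
    # Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
    cert_a = ssl.DER_cert_to_PEM_cert(b"constructed-certificate-A")
    cert_b = ssl.DER_cert_to_PEM_cert(b"constructed-certificate-B")
    # Pin written in upper case, as it might be pasted into cert_fingerprint.
    pin = sha1_fingerprint(cert_a).upper()
    return [check_pin(cert, [pin]) for cert in (cert_a, cert_b)]


if __name__ == "__main__":
    for ok, seen in demo():
        print("match   " if ok else "MISMATCH", seen)
```

Calling check_pin(fetch_server_cert(), [...]) repeatedly with the configured value and logging the result with a timestamp shows whether the failing runs coincide with a different certificate being presented.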