openssl/libssl1 in Debian now blocks offlineimap?

ael law_ence.dev at ntlworld.com
Mon Aug 14 20:09:38 BST 2017


I updated one of my Debian testing machines earlier today, and now 
offlineimap cannot connect to at least two imap servers.
It appears to be a problem with libssl1.1 and openssl.1.0f-4 which have
*disabled* (!) TLS 1.0 and 1.1: no possibility to switch them back on
as far as I know.

To quote part of the changelog:-

[ Kurt Roeckx ]
  * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
    version. This will likely break things, but the hope is that by
    the release of Buster everything will speak at least TLS 1.2. This will be
    reconsidered before the Buster release.

 -- Kurt Roeckx <kurt at roeckx.be>  Mon, 07 Aug 2017 01:08:45 +0200

Can someone else confirm that this is a correct diagnosis? Here is a
sample crash:

 *** Processing account xxxx
 Establishing connection to imap.nexus.somewhere:993
 ERROR: Unknown SSL protocol connecting to host 'imap.nexus.somewhere' for repository 'oRemote'. OpenSSL responded:
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
 *** Finished account 'xxxx' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: Unknown SSL protocol connecting to host 'imap.nexus.somwhere' for repository 'oRemote'. OpenSSL responded:
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)

Traceback:
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/accounts.py", line 273, in syncrunner
    self.__sync()
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/accounts.py", line 336, in __sync
    remoterepos.getfolders()
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/repository/IMAP.py", line 413, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/imapserver.py", line 592, in acquireconnection
    exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/imapserver.py", line 508, in acquireconnection
    af=self.af,
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/imaplibutil.py", line 193, in __init__
    super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/bundled_imaplib2.py", line 2135, in __init__
    IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/bundled_imaplib2.py", line 357, in __init__
    self.open(host, port)
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/imaplibutil.py", line 201, in open
    super(WrappedIMAP4_SSL, self).open(host, port)
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/bundled_imaplib2.py", line 2148, in open
    self.ssl_wrap_socket()
  File "/usr/local/lib/python2.7/dist-packages/offlineimap/bundled_imaplib2.py", line 522, in ssl_wrap_socket
    self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
  File "/usr/lib/python2.7/ssl.py", line 943, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 611, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 840, in do_handshake
    self._sslobj.do_handshake()


Here is an extract from /var/log/dpkg:-
2017-08-14 16:45:48 configure libssl1.1:i386 1.1.0f-4 <none>
2017-08-14 16:45:48 status triggers-pending libc-bin:i386 2.24-12
2017-08-14 16:45:48 status unpacked libssl1.1:i386 1.1.0f-4
2017-08-14 16:45:48 status half-configured libssl1.1:i386 1.1.0f-4
2017-08-14 16:45:50 status installed libssl1.1:i386 1.1.0f-4
 ...
2017-08-14 16:45:50 configure openssl:i386 1.1.0f-4 <none>
2017-08-14 16:45:50 status unpacked openssl:i386 1.1.0f-4
2017-08-14 16:45:50 status unpacked openssl:i386 1.1.0f-4
2017-08-14 16:45:50 status half-configured openssl:i386 1.1.0f-4
2017-08-14 16:45:50 status installed openssl:i386 1.1.0f-4

-----------------------------------------------------------------------

How are we supposed to read our email when we have no control over
the imap servers? I imagine that many are configured to handle "legacy"
systems.

I also wonder how we are supposed to communicate with devices where we 
have no access to firmware which also only support older versions?

Or have I misunderstood what is happening?

ael






