Bug#873824: offlineimap: Offlineimap needs to call SSL_set_min_proto_version() for openssl

ael law_ence.dev at ntlworld.com
Mon Sep 4 19:56:39 BST 2017


On Thu, Aug 31, 2017 at 06:38:46PM +0300, Ilias Tsitsimpis wrote:
> Hi,
> 
> > OpenSSL responded:
> > [SSL: VERSION_TOO_LOW] version too low (_ssl.c:661)
> >  *** Finished account 'ntlspam' in 0:00
> 
> If I understand correctly, you tested the above with the latest openssl
> (1.1.0f-5), is that right? If so, could you please try and set the
> `ssl_version` in offlineimap.conf file to tls1_1 or tls1, accordingly?
> This should force offlineimap to use the specified version.

Sorry for the delay. Yes, those options worked. Thank you.

I do find the documentation about the tls/ssl options in
/usr/share/doc/offlineimap/examples/offlineimap.conf.gz
pretty confusing, and had tried various configurations that I thought
should have worked.

But ssl_version = tls1 and tls1_1 both worked in my tests on
imap.ntlworld.com.

For information:
$ openssl s_client -connect imap.ntlworld.com:imaps

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=imap.ntlworld.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHUzCCBjugAwIBAgIMcUncDtUF6SBWgudAMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
  --[snip]--
-----END CERTIFICATE-----
subject=/C=GB/OU=Domain Control Validated/CN=imap.ntlworld.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3958 bytes and written 518 bytes
Verification: OK
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AF2CBF5AFAB05F8023146EACFC3389D060A82228599CF734500D9A77B1AF53CC
    Session-ID-ctx: 
    Master-Key: 3F9357B6BD33C8C09122855A66F7CEC6F65F9CFA0EA6FED7B9D8C695912BBC8A0184CDB1CBF983DA396D9CDB27997651
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504551118
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK Virgin Media IMAP4 server ready [ e4c558782NTL ]
--------------------------------------------------------------------------------

Thanks again.
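
An added example, not part of the original message or of offlineimap: a small Python parser that reads the session summary from `openssl s_client` output like the one quoted above, checks the negotiated protocol against a client floor, and names the matching offlineimap `ssl_version` value. The TLS 1.2 floor, the `tls1_2` entry and the function names are assumptions of this example; the sample text is constructed.

```python
import re

# Constructed sample: the relevant lines of `openssl s_client` output,
# shaped like the session summary quoted in the message above.
SAMPLE = """\
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""

# s_client protocol name -> (rank, offlineimap ssl_version value).
# tls1 and tls1_1 are the values named in the thread; tls1_2 is the
# corresponding offlineimap value for TLS 1.2.
PROTOCOLS = {
    "TLSv1": (1, "tls1"),
    "TLSv1.1": (2, "tls1_1"),
    "TLSv1.2": (3, "tls1_2"),
}
ASSUMED_CLIENT_FLOOR = "TLSv1.2"  # assumption: client library default minimum


def parse_session(text):
    """Extract negotiated protocol, cipher and verify code from s_client output."""
    fields = {}
    for key, pattern in (
        ("protocol", r"^\s*Protocol\s*:\s*(\S+)"),
        ("cipher", r"^\s*Cipher\s*:\s*(\S+)"),
        ("verify", r"^\s*Verify return code:\s*(\d+)"),
    ):
        m = re.search(pattern, text, re.MULTILINE)
        fields[key] = m.group(1) if m else None
    return fields


def assess(text, floor=ASSUMED_CLIENT_FLOOR):
    """Report whether the negotiated protocol is below the client's floor."""
    s = parse_session(text)
    if s["protocol"] not in PROTOCOLS:
        raise ValueError("unrecognised or missing protocol: %r" % s["protocol"])
    rank, conf_value = PROTOCOLS[s["protocol"]]
    return {
        "protocol": s["protocol"],
        "cipher": s["cipher"],
        "cert_verified": s["verify"] == "0",
        "below_floor": rank < PROTOCOLS[floor][0],
        "ssl_version": conf_value,
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```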




