openssl/libssl1 in Debian now blocks offlineimap?

Nicolas Sebrecht nicolas.s-dev at
Fri Sep 1 00:41:38 BST 2017

On Thu, Aug 31, 2017 at 11:03:24PM +0100, ael wrote:
> On Thu, Aug 31, 2017 at 09:49:52PM +0300, Ilias Tsitsimpis wrote:
> > Hi ael, Nicolas,
> > 
> > On Thu, Aug 31, 2017 at 06:01PM, Nicolas Sebrecht wrote:
> > > If we need to update offlineimap, I'm in favour to support this.
> > > However, it is all Debian specific so this might better be done in
> > > Debian. I don't know, I need to see more. Also, I'm not sure imaplib2
> > > would need to be updated, too.
> > 
> > I have replied in the bug report:
> >
> > 
> > In a nutshell, offlineimap already supports the `ssl_version`
> > configuration parameter, and setting it to an appropriate value (i.e.,
> > tls1_1) should do the trick. I couldn't test this though, so I am
> > waiting for ael to comment here.

The comment is not clear enough:

 "Instead of completly disabling TLS 1.0 and 1.1, just set the minimum
 version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
 calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version()"

It's not explained how to call these functions. If this means that the
client must call new API entries, we are stuck. I hope it's possible to
re-enable the "deprecated" protocols only by requesting one explicitely
as expected.

> Will do ASAP - both here & in the bug report.
> I have to 1) get the particular machine configured properly,
> 2) refresh my memory about the config options; and 3) recall the
> opennssl magic testing tool to see which protocols are in use on 
> a couple of servers.
> Should be in a day or so.

Thank you ael.

>                           It sounds as if all should work, but it will
> need documenting so that new users know what to do when they get
> failures.

I agree. I think the official website should be easy enough to
contribute to. ,-)

Nicolas Sebrecht

More information about the OfflineIMAP-project mailing list