openssl/libssl1 in Debian now blocks offlineimap?
Nicolas Sebrecht
nicolas.s-dev at laposte.net
Fri Sep 1 00:41:38 BST 2017
On Thu, Aug 31, 2017 at 11:03:24PM +0100, ael wrote:
> On Thu, Aug 31, 2017 at 09:49:52PM +0300, Ilias Tsitsimpis wrote:
> > Hi ael, Nicolas,
> >
> > On Thu, Aug 31, 2017 at 06:01PM, Nicolas Sebrecht wrote:
> > > If we need to update offlineimap, I'm in favour of supporting this.
> > > However, it is all Debian specific so this might better be done in
> > > Debian. I don't know, I need to see more. Also, I'm not sure imaplib2
> > > would need to be updated, too.
> >
> > I have replied in the bug report:
> > https://bugs.debian.org/873824
> >
> > In a nutshell, offlineimap already supports the `ssl_version`
> > configuration parameter, and setting it to an appropriate value (i.e.,
> > tls1_1) should do the trick. I couldn't test this though, so I am
> > waiting for ael to comment here.
The comment is not clear enough:
"Instead of completely disabling TLS 1.0 and 1.1, just set the minimum
version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version()"
It's not explained how to call these functions. If this means that the
client must call new API entries, we are stuck. I hope it's possible to
re-enable the "deprecated" protocols only by requesting one explicitly
as expected.
> Will do ASAP - both here & in the bug report.
>
> I have to 1) get the particular machine configured properly,
> 2) refresh my memory about the config options; and 3) recall the
> openssl magic testing tool to see which protocols are in use on
> a couple of servers.
>
> Should be in a day or so.
Thank you ael.
> It sounds as if all should work, but it will
> need documenting so that new users know what to do when they get
> failures.
I agree. I think the official website should be easy enough to
contribute to. ,-)
--
Nicolas Sebrecht