Your message dated Sat, 9 Sep 2017 17:48:50 +0300
with message-id <[email protected]>
and subject line Re: Bug#873824: offlineimap: Offlineimap needs to call 
SSL_set_min_proto_version() for openssl
has caused the Debian Bug report #873824,
regarding offlineimap: Offlineimap needs to call SSL_set_min_proto_version() 
for openssl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
873824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873824
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: offlineimap
Version: 7.1.2+dfsg1-2
Severity: important

As reported on the mailing list, offlineimap can no longer
connect to the large number of insecure imap servers which still
use TLS 1.0 or TLS 1.2, over which users have no control.
This was the result of Kurt Roecke disabling those protocols
in the Debian openssl packages.

He has now released version openssl (1.1.0f-5) which now allows
those protocols to be used in restricted circumstances. From the 
changelog comment:

"Instead of completly disabling TLS 1.0 and 1.1, just set the minimum
version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version()"

So the Debian package must now call those procedures to enable
connection to many imap servers.

As far as I have seen, Kurt did not comment about this on the 
offlineimap thread, so this is my interpretation of what is required.
In any case, offlineiamp 7.1.2+dfsg1-2 is currently failing to connect 
with the message as before

OpenSSL responded:
[SSL: VERSION_TOO_LOW] version too low (_ssl.c:661)
 *** Finished account 'ntlspam' in 0:00


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.11.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages offlineimap depends on:
ii  python           2.7.13-2
ii  python-imaplib2  2.57-1
ii  python-six       1.10.0-4

Versions of packages offlineimap recommends:
ii  python-socks  1.6.5-1

Versions of packages offlineimap suggests:
pn  python-kerberos  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi again, and sorry for the late reply.

On Wed, Sep 06, 2017 at 05:26PM, ael wrote:
> Well, the statement that the "correct" version will be automatically
> detected is misleading in the present case? 

This statement still holds. The "correct" version here is one supported
by both the server and your client. Since the latest version of openssl
does not support proto versions smaller than TLS 1.2 and the server
supports up to TLS 1.1, there is no "correct" version that can be
automatically used. You have to force openssl to use TLS 1.1.

> The "rare" cases probably need a bit more explanation. How would a
> non-expert realise what they need to do and which option needs changing?
> 
> I also found the large number of ssl/tls options and how they interact
> confusing. This is probably because I only have a sketchy grasp of the
> details of ssl/tls protocols.

Agreed, but unfortunately one cannot document every case in the
configuration file. In such cases, turning to other people for help
seems to be the way to go :)

> I will try to find time to look at the file again to highlight where I
> was unclear. I didn't want to make suggestions about changes myself,
> precisely because I felt unsure and because of the risks of
> misdocumenting security critical features.

Please do! This will most certainly help others too.

> Thanks for your work on offlineimap.

I am closing this bug report, since OfflineIMAP provides the necessary
configuration options to work with the latest version of openssl. If you
feel there's anything missing, I would be more than happy to help.

-- 
Ilias

--- End Message ---

Reply via email to