Bug#709170: no option to set the SSL protocol version?
On 2013-05-30 11:18, Charles Cazabon wrote:
> If this does fix the issue, I'd really like to see Debian revert this broken
> patch -- breaking existing configs and reducing compatibility with correct
> servers is not a good tradeoff for trying to make MSexchange work.

Well, the patch is only in Debian since 2013-05-17 and only in the "unstable" distribution. "unstable" is exactly for finding such problems and fixing them before the package reaches "testing".

Anyway, I would love to see a fix for MSexChange compatibility with the new SSL library, that does not break other IMAP servers. To my regret, the MS product has still a very high market share, notwithstanding much better free alternatives exist.

Do you think, one could make the SSL version an option, defaulting, of course, to the original value? And with a check for the Python version? Or maybe the problem can be solved in a totally different manner. I only came to this solution by "trial and error".

(For Debian, versions before 2.7 are not relevant, because we target Debian "8.0" and maybe "7.0" via backports, which both have Python 2.7, even "6.0" had 2.6.)

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
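The option asked about in this message, sketched for current Python 3, where `ssl.SSLContext` is available (an added example, not getmail or Debian code; the `ssl_version` key, its accepted values, the helper names and the host imap.example.org are assumptions). Leaving the option out keeps the library's own negotiation, so existing configurations are unaffected.

```python
import configparser
import imaplib
import ssl

# Hypothetical values for an "ssl_version" option; absent means negotiate.
VERSIONS = {
    "tlsv1_2": ssl.TLSVersion.TLSv1_2,
    "tlsv1_3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample configuration in getmail's rc-file style.
SAMPLE_RC = """
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.example.org
port = 993
ssl_version = tlsv1_2
"""

def load_retriever(rc_text):
    """Return the [retriever] section of an rc file as a dict."""
    parser = configparser.ConfigParser()
    parser.read_string(rc_text)
    return dict(parser["retriever"])

def build_context(ssl_version=None):
    """Build a verifying client context; pin the protocol only on request."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    if ssl_version is None:
        return ctx                      # default: let the library negotiate
    key = ssl_version.strip().lower()
    if key not in VERSIONS:
        raise ValueError("unsupported ssl_version: %r" % ssl_version)
    ctx.minimum_version = VERSIONS[key]
    ctx.maximum_version = VERSIONS[key]
    return ctx

def open_imap(conf):
    """Connect using the configured server, port and optional ssl_version."""
    ctx = build_context(conf.get("ssl_version"))
    return imaplib.IMAP4_SSL(conf["server"], int(conf.get("port", 993)),
                             ssl_context=ctx)

if __name__ == "__main__":
    conf = load_retriever(SAMPLE_RC)
    ctx = build_context(conf.get("ssl_version"))
    print(ctx.minimum_version, ctx.maximum_version)
```
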
Bug#709170: no option to set the SSL protocol version?
jida...@jidanni.org wrote:
>
> Yup, works like a charm,
> getmail version 4.41.0

In case that wasn't clear, that confirms this "showstopper" bug is a result of the patch included in the Debian package since ???.

Osamu, it would be nice if you could remove that patch and upload a new version of the package to get this fix out to other folks that have been affected.

Thanks, Jidanni.

Charles
--
Charles Cazabon
Software, consulting, and services available at http://pyropus.ca/
Bug#709170: no option to set the SSL protocol version?
In fact you (Debian) guys can test it (your modified version), just try to connect to port 993 on m.jidanni.org.

Yup, works like a charm,

getmail version 4.41.0
Copyright (C) 1998-2012 Charles Cazabon. Licensed under the GNU GPL version 2.
SimpleIMAPSSLRetriever:jidan...@m.jidanni.org:993:
  0 messages (0 bytes) retrieved, 0 skipped

I think the Debian guys should start adding "Modified by Debian" to the above message, by the way.
Bug#709170: no option to set the SSL protocol version?
Osamu Aoki wrote:
>
> Excuse us for causing you trouble possibly due to the Debian patch.

That does seem likely.

> There was a Debian patch to address MS IMAP.
> http://bugs.debian.org/701844

Jidanni: can you test getmail 4.41 *without* this Debian patch? I suspect that will fix the problem for you, though I'd like to hear the result either way.

To test this, uninstall getmail from Debian (apt-get remove or similar), download the v4.41 tarball from my website and unpack it - no special installation step needed if you run it from within the unpacked directory (i.e. the one containing the `getmail` main script).

If this does fix the issue, I'd really like to see Debian revert this broken patch -- breaking existing configs and reducing compatibility with correct servers is not a good tradeoff for trying to make MSexchange work.

Charles
--
Charles Cazabon
Software, consulting, and services available at http://pyropus.ca/
Bug#709170: no option to set the SSL protocol version?
Hi Charles,

Excuse us for causing you trouble possibly due to the Debian patch.

Your comment on this patch was:
> Unfortunately this functionality requires Python 2.6 or newer, at least as far
> as I can tell. Python 2.{3,4,5} only have socket.ssl(), not
> ssl.wrap_socket(), and socket.ssl() doesn't support specifying the SSL
> version.

This is a very interesting comment. Thanks.

As for Debian, Debian has been using 2.6 with oldstable and 2.7 with stable release. (Released every 2 years.) So this should be no problem in Debian if the user follows standard operating procedure. (Mixing new binary package into old release is No-No.)

On Wed, May 29, 2013 at 04:13:39PM -0600, Charles Cazabon wrote:
> Hi, Jidanni,
>
> > I don't think so, as I can turn the bug on and off by switching between
> > 4.32 and 4.40 with dpkg -i, and everything else not changing.
>
> This doesn't make a lot of sense to me. There's no difference in the
> IMAP(-SSL) connection code between those versions of getmail -- none at all.

Yes and no. There was a Debian patch to address MS IMAP.
http://bugs.debian.org/701844

This is the patch you rejected with a good reason as upstream.

> And if you're saying that 4.32.0 can connect to a given IMAP-SSL server, but
> 4.40.x cannot connect to that same server -- getmail has never specified an
> SSL version to connect with, because historically that wasn't supported by the
> Python stdlib. It sounds to me like there must be another difference between
> the two configurations -- something lower in the stack that affects which SSL
> version is chosen (if that's the problem here).
>
> Are the two using different Python interpreters? Maybe they've been compiled
> with different options, or linked against different SSL libs?

Not really. This package is in unstable/testing. That is 2.7.3 and it is still the same as stable release one.

> Or perhaps, is one or both of those Debian packages patching my source? I
> can't make them behave differently here, but I don't know what server user(s)
> are having problems with either.

Patch attached here just to be sure.

> Some hints on how to reproduce the problem, and what the problem actually is,
> would be useful.

This is what we got from jidanni:

> WMB> jidanni: What kind of IMAP server is it?
>
> $ imapd --version
> Courier 0.53.3 (Courier-IMAP 4.1.1)/x86_64-unknown-linux-gnu/Tue Feb 13
> 10:08:52 UTC 2007
>
> $ netcat m.jidanni.org 143
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE STARTTLS]
> Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See
> COPYING for distribution information.

Martin, any thoughts?

Osamu

From: "W. Martin Borgert" , Ana Beatriz Guerrero Lopez
Description: Microsoft Exchange Server 2003 compatibilty enhancement With changing from squeeze to wheezy, I could not get emails from an Microsoft Exchange Server 2003 anymore with getmail4. This is caused by changed default in the OpenSSL library. Linking Python against libssl from squeeze "solves" the problem in fact, but of course, this is not an option. The correct solution seems to be to set the right SSL protocol version when connecting, but unfortunately, Python before 3.3.0 does not allow to set the SSL version for the IMAP4_SSL class, which is used by getmail4. One can, however, monkey patch it, which should greatly improve compatibility. Given that MSexChange is regrettably widespread, I took the liberty to set the severity to important. The patch needs a review desperately, but it works for me.
--- a/getmailcore/compatibility.py +++ b/getmailcore/compatibility.py @@ -10,6 +10,8 @@ import sys import imaplib import new +import socket +import ssl if sys.version_info < (2, 4, 0):
@@ -76,3 +78,23 @@ imaplib.IMAP4_SSL.read = new.instancemethod(fixed_read, None, imaplib.IMAP4_SSL) + +if sys.version_info < (3, 3, 0): +# enhance compatibility, e.g. for Microsoft Exchange Server 2003: +# IMAP4_SSL class uses ssl.PROTOCOL_SSLv23, which is the best choice +# for servers, but the Python documentation states, that for clients +# ssl.PROTOCOL_SSLv3 is the most compatible SSL variant. This monkey +# patch should be removed for Python >= 3.3.0 and the ssl.SSLContext +# should be used instead. +def IMAP4_SSL_open(self, host = '', port = imaplib.IMAP4_SSL_PORT): +self.host = host +self.port = port +self.sock = socket.create_connection((host, port)) +self.sslobj = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, + ssl_version=ssl.PROTOCOL_SSLv3) +self.file = self.sslobj.makefile('rb') + +imaplib.IMAP4_SSL.open = new.instancemethod(IMAP4_SSL_open, None, +imaplib.IMAP4_SSL) +else: +raise DeprecationWarning("better use ssl.SSLContext now")
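Review bot: the `+import ssl` added at the top of compatibility.py (first hunk) is unconditional, yet the very next context line is `if sys.version_info < (2, 4, 0):`, so this module is still expected to load on interpreters that have no `ssl` module. As noted earlier in this thread, Python 2.{3,4,5} only have socket.ssl(), not ssl.wrap_socket(). Move the import under a version check or wrap it in a try/except ImportError so that the compatibility module keeps importing on the versions it exists to support.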
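Review bot: `ssl_version=ssl.PROTOCOL_SSLv3` in the new `IMAP4_SSL_open` (second hunk) pins every IMAP-SSL connection to SSLv3 in place of the `ssl.PROTOCOL_SSLv23` negotiation the comment describes, so a server that does not accept an SSLv3-only handshake stops working and the user has no way to override it. Make the protocol a parameter that defaults to the existing behaviour and is only changed when a configuration option asks for it. Two further points in the same hunk: the guard `sys.version_info < (3, 3, 0)` has no lower bound although `socket.create_connection` and `ssl.wrap_socket` need Python 2.6, and the `else:` branch uses `raise DeprecationWarning(...)`, which raises at import time and makes the module unimportable on Python >= 3.3; `warnings.warn(...)` would flag the deprecation without aborting.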
Bug#709170: no option to set the SSL protocol version?
You can see what they changed in
http://ftp.de.debian.org/debian/pool/main/g/getmail4/getmail4_4.40.3-2.debian.tar.gz
vs.
http://ftp.de.debian.org/debian/pool/main/g/getmail4/getmail4_4.32.0-2.debian.tar.gz

In the former I see an extremely suspicious

'From: "W. Martin Borgert" , Ana Beatriz Guerrero Lopez Description: Microsoft Exchange Server 2003 compatibilty enhancement With changing from squeeze to wheezy, I could not get emails from an...'

But all I know how to do is dpkg -i so don't know how to test...
Bug#709170: no option to set the SSL protocol version?
Hi, Jidanni,

> I don't think so, as I can turn the bug on and off by switching between
> 4.32 and 4.40 with dpkg -i, and everything else not changing.

This doesn't make a lot of sense to me. There's no difference in the IMAP(-SSL) connection code between those versions of getmail -- none at all.

And if you're saying that 4.32.0 can connect to a given IMAP-SSL server, but 4.40.x cannot connect to that same server -- getmail has never specified an SSL version to connect with, because historically that wasn't supported by the Python stdlib. It sounds to me like there must be another difference between the two configurations -- something lower in the stack that affects which SSL version is chosen (if that's the problem here).

Are the two using different Python interpreters? Maybe they've been compiled with different options, or linked against different SSL libs?

Or perhaps, is one or both of those Debian packages patching my source? I can't make them behave differently here, but I don't know what server user(s) are having problems with either.

Some hints on how to reproduce the problem, and what the problem actually is, would be useful.

Thanks,

Charles
--
Charles Cazabon
Software, consulting, and services available at http://pyropus.ca/
Bug#709170: no option to set the SSL protocol version?
> "CC" == Charles Cazabon writes:

CC> Hi, Jidanni,
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709170
>> is a show stopper.

CC> First I've heard of it. I was pointed to #701844 a few days ago, which
CC> appears to be the same issue.

I don't think so, as I can turn the bug on and off by switching between 4.32 and 4.40 with dpkg -i, and everything else not changing.

CC> There isn't a lot of detail in this report -- at least in the messages I can
CC> see. It's unable to connect to some particular IMAP server over SSL, yes?

CC> What version of Python is involved here?

ii python 2.7.3-13
Bug#709170: no option to set the SSL protocol version?
Charles,

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709170
is a show stopper.