Bug#873824: offlineimap: Offlineimap needs to call SSL_set_min_proto_version() for openssl
On Wed, Sep 06, 2017 at 06:38:06PM +0300, Ilias Tsitsimpis wrote:
>
> Glad it worked out!
>
> > I do find the documentation about the tls/ssl options in
> > /usr/share/doc/offlineimap/examples/offlineimap.conf.gz
> > pretty confusing, and had tried various configurations that I thought
> > should have worked.
>
> The documentation reads:
>
>     Set SSL version to use (optional).
>     It is best to leave this unset, in which case the correct version will be
>     automatically detected. In rare cases, it may be necessary to specify a
>     particular version from: tls1, tls1_1, tls1_2, ssl3, ssl23.
>

Well, the statement that the "correct" version will be automatically
detected is misleading in the present case? The "rare" cases probably
need a bit more explanation. How would a non-expert realise what they
need to do and which option needs changing?

I also found the large number of ssl/tls options and how they interact
confusing. This is probably because I only have a sketchy grasp of the
details of ssl/tls protocols.

I will try to find time to look at the file again to highlight where I
was unclear. I didn't want to make suggestions about changes myself,
precisely because I felt unsure and because of the risks of
misdocumenting security critical features.

Thanks for your work on offlineimap.

ael
Bug#873824: offlineimap: Offlineimap needs to call SSL_set_min_proto_version() for openssl
Control: notfound 873824 offlineimap/7.1.2+dfsg1-2

On Mon, Sep 04, 2017 at 07:56PM, ael wrote:
> On Thu, Aug 31, 2017 at 06:38:46PM +0300, Ilias Tsitsimpis wrote:
> [...]
> > If I understand correctly, you tested the above with the latest openssl
> > (1.1.0f-5), is that right? If so, could you please try and set the
> > `ssl_version` in offlineimap.conf file to tls1_1 or tls1, accordingly?
> > This should force offlineimap to use the specified version.
>
> Sorry for the delay. Yes, those options worked. Thank you.

Glad it worked out!

> I do find the documentation about the tls/ssl options in
> /usr/share/doc/offlineimap/examples/offlineimap.conf.gz
> pretty confusing, and had tried various configurations that I thought
> should have worked.

The documentation reads:

    Set SSL version to use (optional).
    It is best to leave this unset, in which case the correct version will be
    automatically detected. In rare cases, it may be necessary to specify a
    particular version from: tls1, tls1_1, tls1_2, ssl3, ssl23.

I find the above to be quite easy to understand. Could you please
elaborate on what confuses you so that we can improve the wording?

--
Ilias
Bug#873824: offlineimap: Offlineimap needs to call SSL_set_min_proto_version() for openssl
On Thu, Aug 31, 2017 at 06:38:46PM +0300, Ilias Tsitsimpis wrote:
> Hi,
>
> > OpenSSL responded:
> > [SSL: VERSION_TOO_LOW] version too low (_ssl.c:661)
> > *** Finished account 'ntlspam' in 0:00
>
> If I understand correctly, you tested the above with the latest openssl
> (1.1.0f-5), is that right? If so, could you please try and set the
> `ssl_version` in offlineimap.conf file to tls1_1 or tls1, accordingly?
> This should force offlineimap to use the specified version.

Sorry for the delay. Yes, those options worked. Thank you.

I do find the documentation about the tls/ssl options in
/usr/share/doc/offlineimap/examples/offlineimap.conf.gz
pretty confusing, and had tried various configurations that I thought
should have worked. But ssl_version = tls1 and tls1_1 both worked on
my tests on imap.ntlworld.com.

For information:

$ openssl s_client -connect imap.ntlworld.com:imaps
CONNECTED(0003)
---
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=imap.ntlworld.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHUzCCBjugAwIBAgIMcUncDtUF6SBWgudAMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
--[snip]--
-----END CERTIFICATE-----
subject=/C=GB/OU=Domain Control Validated/CN=imap.ntlworld.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3958 bytes and written 518 bytes
Verification: OK
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AF2CBF5AFAB05F8023146EACFC3389D060A82228599CF734500D9A77B1AF53CC
    Session-ID-ctx:
    Master-Key: 3F9357B6BD33C8C09122855A66F7CEC6F65F9CFA0EA6FED7B9D8C695912BBC8A0184CDB1CBF983DA396D9CDB27997651
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504551118
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK Virgin Media IMAP4 server ready [ e4c558782NTL ]

Thanks again.
Bug#873824: offlineimap: Offlineimap needs to call SSL_set_min_proto_version() for openssl
Hi,

On Thu, Aug 31, 2017 at 12:47PM, ael wrote:
> As reported on the mailing list, offlineimap can no longer
> connect to the large number of insecure imap servers which still
> use TLS 1.0 or TLS 1.2, over which users have no control.
> This was the result of Kurt Roeckx disabling those protocols
> in the Debian openssl packages.
>
> He has now released version openssl (1.1.0f-5) which now allows
> those protocols to be used in restricted circumstances. From the
> changelog comment:
>
> "Instead of completely disabling TLS 1.0 and 1.1, just set the minimum
> version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
> calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version()"
>
> So the Debian package must now call those procedures to enable
> connection to many imap servers.
>
> As far as I have seen, Kurt did not comment about this on the
> offlineimap thread, so this is my interpretation of what is required.
> In any case, offlineimap 7.1.2+dfsg1-2 is currently failing to connect
> with the message as before
>
> OpenSSL responded:
> [SSL: VERSION_TOO_LOW] version too low (_ssl.c:661)
> *** Finished account 'ntlspam' in 0:00

If I understand correctly, you tested the above with the latest openssl
(1.1.0f-5), is that right? If so, could you please try and set the
`ssl_version` in offlineimap.conf file to tls1_1 or tls1, accordingly?
This should force offlineimap to use the specified version.

--
Ilias
Bug#873824: offlineimap: Offlineimap needs to call SSL_set_min_proto_version() for openssl
Package: offlineimap
Version: 7.1.2+dfsg1-2
Severity: important

As reported on the mailing list, offlineimap can no longer
connect to the large number of insecure imap servers which still
use TLS 1.0 or TLS 1.2, over which users have no control.
This was the result of Kurt Roeckx disabling those protocols
in the Debian openssl packages.

He has now released version openssl (1.1.0f-5) which now allows
those protocols to be used in restricted circumstances. From the
changelog comment:

"Instead of completely disabling TLS 1.0 and 1.1, just set the minimum
version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version()"

So the Debian package must now call those procedures to enable
connection to many imap servers.

As far as I have seen, Kurt did not comment about this on the
offlineimap thread, so this is my interpretation of what is required.
In any case, offlineimap 7.1.2+dfsg1-2 is currently failing to connect
with the message as before

OpenSSL responded:
[SSL: VERSION_TOO_LOW] version too low (_ssl.c:661)
*** Finished account 'ntlspam' in 0:00

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.11.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages offlineimap depends on:
ii  python          2.7.13-2
ii  python-imaplib2 2.57-1
ii  python-six      1.10.0-4

Versions of packages offlineimap recommends:
ii  python-socks    1.6.5-1

Versions of packages offlineimap suggests:
pn  python-kerberos  <none>

-- no debconf information
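The changelog entry quoted in this report and the `ssl_version` documentation quoted further up the thread describe the same knob from two sides: the library's default protocol floor, and a per-account override of it. This added example (not offlineimap's or Debian's code) shows, using Python's ssl module, which wraps the same OpenSSL SSL_CTX_set_min_proto_version() call, what such an override does and why the floor should only be lowered where a given server needs it. The value names come from the conf excerpt in the thread; the function names, the CERTIFICATE_VERIFY_FAILED branch and the way the override is applied (floor only, not a pinned single version) are my own assumptions, not a description of offlineimap's implementation.

```python
import ssl
import warnings

# Protocol floor selected by each offlineimap.conf `ssl_version` value named
# in the thread. "ssl23" is OpenSSL's old name for "negotiate" and keeps the
# library default; "ssl3" is refused because current OpenSSL does not offer it.
SSL_VERSION_FLOORS = {
    "tls1": ssl.TLSVersion.TLSv1,
    "tls1_1": ssl.TLSVersion.TLSv1_1,
    "tls1_2": ssl.TLSVersion.TLSv1_2,
}


def make_client_context(ssl_version=None):
    """Verifying client context whose floor is lowered only on explicit request."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    if ssl_version in (None, "", "ssl23"):
        return ctx  # library default: minimum TLS 1.2 with Debian's openssl 1.1.0f-5
    if ssl_version == "ssl3":
        raise ValueError("ssl3 is not supported by current OpenSSL")
    try:
        floor = SSL_VERSION_FLOORS[ssl_version]
    except KeyError:
        raise ValueError(f"unknown ssl_version {ssl_version!r}; expected one of "
                         f"{sorted(SSL_VERSION_FLOORS)} or ssl23") from None
    if floor < ssl.TLSVersion.TLSv1_2:
        # This is the per-account opt-in the changelog describes; keep it visible.
        warnings.warn(f"lowering TLS floor to {floor.name}", RuntimeWarning)
    try:
        ctx.minimum_version = floor  # wraps SSL_CTX_set_min_proto_version()
    except ValueError:
        raise ValueError(f"this OpenSSL build does not support {floor.name}") from None
    return ctx


def diagnose_handshake_error(message):
    """Map the OpenSSL reason string seen in the bug report to the right knob."""
    if "VERSION_TOO_LOW" in message:
        return ("server speaks only a protocol below the local minimum; "
                "set ssl_version = tls1_1 or tls1 for this account only")
    if "CERTIFICATE_VERIFY_FAILED" in message:
        return "certificate problem, not a version problem; do not lower ssl_version"
    return "unclassified TLS error; leave ssl_version unset"


if __name__ == "__main__":
    # Reason string constructed from the report's "[SSL: VERSION_TOO_LOW] version too low"
    print(diagnose_handshake_error("[SSL: VERSION_TOO_LOW] version too low (_ssl.c:661)"))
    print(make_client_context("tls1_1").minimum_version.name)
```

The lowered context still verifies the server certificate and hostname; only the protocol floor changes, which is the distinction the thread's reporter found hard to see in the documentation.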