improve error message when ssl_version must be set due to the tls_level

Improve the ssl documentation. Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2016-07-25 03:20:53 +02:00 · 2016-07-25 03:20:53 +02:00 · 03859e89c3
commit 03859e89c3
parent c992f58530
3 changed files with 21 additions and 12 deletions
--- a/offlineimap.conf
+++ b/offlineimap.conf
@ -753,6 +753,9 @@ remotehost = examplehost
 #   - ssl3 (less desirable than tls1)
 #   - ssl23 (can fallback up to ssl3)
 #
+# When tls_level is not set to tls_compat, the ssl_version configuration option
+# must be explicitly set.
+#
 #tls_level = tls_compat


--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@ -22,10 +22,11 @@ import threading
 import socket
 import errno
 import zlib
-import six
 from sys import exc_info
 from hashlib import sha1

+import six
+
 from offlineimap import OfflineImapError
 from offlineimap.ui import getglobalui
 from offlineimap.virtual_imaplib2 import IMAP4, IMAP4_SSL, InternalDate, Mon2num
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@ -20,15 +20,16 @@ import socket
 import base64
 import json
 import urllib
-import socket
 import time
 import errno
-import six
-from sys import exc_info
+import socket
 from socket import gaierror
+from sys import exc_info
 from ssl import SSLError, cert_time_to_seconds
 from threading import Lock, BoundedSemaphore, Thread, Event, currentThread

+import six
+
 import offlineimap.accounts
 from offlineimap import imaplibutil, imaputil, threadutil, OfflineImapError
 from offlineimap.ui import getglobalui
@ -102,10 +103,14 @@ class IMAPServer(object):
        if self.sslcacertfile is None:
            self.__verifycert = None # disable cert verification
        self.fingerprint = repos.get_ssl_fingerprint()
-        self.sslversion = repos.getsslversion()
        self.tlslevel = repos.gettlslevel()
+        self.sslversion = repos.getsslversion()
        self.starttls = repos.getstarttls()

+        if self.tlslevel is not "tls_compat" and self.sslversion is None:
+            raise Exception("When 'tls_version' is not 'tls_compat' "
+                "the 'ssl_version' must be set explicitly.")
+
        self.oauth2_refresh_token = repos.getoauth2_refresh_token()
        self.oauth2_access_token = repos.getoauth2_access_token()
        self.oauth2_client_id = repos.getoauth2_client_id()
@ -494,13 +499,13 @@ class IMAPServer(object):
                elif self.usessl:
                    self.ui.connecting(self.hostname, self.port)
                    imapobj = imaplibutil.WrappedIMAP4_SSL(
-                        self.hostname,
-                        self.port,
-                        self.sslclientkey,
-                        self.sslclientcert,
-                        self.sslcacertfile,
-                        self.__verifycert,
-                        self.sslversion,
+                        host=self.hostname,
+                        port=self.port,
+                        keyfile=self.sslclientkey,
+                        certfile=self.sslclientcert,
+                        ca_certs=self.sslcacertfile,
+                        cert_verify_cb=self.__verifycert,
+                        ssl_version=self.sslversion,
                        timeout=socket.getdefaulttimeout(),
                        fingerprint=self.fingerprint,
                        use_socket=self.proxied_socket,