Allow setting IMAP servers' SSL version
We now allow setting the SSL version used when connecting to IMAPS servers, and do so via the `ssl_version` configuration option. We default to the current practice (letting python's "ssl" library automatically detect the correct version). There are however rare cases where one must specify the version to use. Signed-off-by: Ryan Kavanagh <rak@debian.org>
This commit is contained in:
parent
611f6e89c0
commit
2bacdb7fa3
@ -325,6 +325,13 @@ ssl = yes
|
|||||||
|
|
||||||
#cert_fingerprint = <SHA1_of_server_certificate_here>
|
#cert_fingerprint = <SHA1_of_server_certificate_here>
|
||||||
|
|
||||||
|
# SSL version (optional)
|
||||||
|
# It is best to leave this unset, in which case the correct version will be
|
||||||
|
# automatically detected. In rare cases, it may be necessary to specify a
|
||||||
|
# particular version from: tls1, ssl2, ssl3, ssl23 (SSLv2 or SSLv3)
|
||||||
|
|
||||||
|
# sslversion = ssl23
|
||||||
|
|
||||||
# Specify the port. If not specified, use a default port.
|
# Specify the port. If not specified, use a default port.
|
||||||
# remoteport = 993
|
# remoteport = 993
|
||||||
|
|
||||||
|
@ -39,7 +39,8 @@ Timeout handling further improved by Ethan Glasser-Camp <glasse@cs.rpi.edu> Dece
|
|||||||
Time2Internaldate() patch to match RFC2060 specification of English month names from bugs.python.org/issue11024 March 2011.
|
Time2Internaldate() patch to match RFC2060 specification of English month names from bugs.python.org/issue11024 March 2011.
|
||||||
starttls() bug fixed with the help of Sebastian Spaeth <sebastian@sspaeth.de> April 2011.
|
starttls() bug fixed with the help of Sebastian Spaeth <sebastian@sspaeth.de> April 2011.
|
||||||
Threads now set the "daemon" flag (suggested by offlineimap-project) April 2011.
|
Threads now set the "daemon" flag (suggested by offlineimap-project) April 2011.
|
||||||
Single quoting introduced with the help of Vladimir Marek <vladimir.marek@oracle.com> August 2011."""
|
Single quoting introduced with the help of Vladimir Marek <vladimir.marek@oracle.com> August 2011.
|
||||||
|
Support for specifying SSL version by Ryan Kavanagh <rak@debian.org> July 2013."""
|
||||||
__author__ = "Piers Lauder <piers@janeelix.com>"
|
__author__ = "Piers Lauder <piers@janeelix.com>"
|
||||||
__URL__ = "http://imaplib2.sourceforge.net"
|
__URL__ = "http://imaplib2.sourceforge.net"
|
||||||
__license__ = "Python License"
|
__license__ = "Python License"
|
||||||
@ -460,7 +461,20 @@ class IMAP4(object):
|
|||||||
cert_reqs = ssl.CERT_REQUIRED
|
cert_reqs = ssl.CERT_REQUIRED
|
||||||
else:
|
else:
|
||||||
cert_reqs = ssl.CERT_NONE
|
cert_reqs = ssl.CERT_NONE
|
||||||
self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs)
|
|
||||||
|
if self.ssl_version == "tls1":
|
||||||
|
ssl_version = ssl.PROTOCOL_TLSv1
|
||||||
|
elif self.ssl_version == "ssl2":
|
||||||
|
ssl_version = ssl.PROTOCOL_SSLv2
|
||||||
|
elif self.ssl_version == "ssl3":
|
||||||
|
ssl_version = ssl.PROTOCOL_SSLv3
|
||||||
|
elif self.ssl_version == "ssl23" or self.ssl_version is None:
|
||||||
|
ssl_version = ssl.PROTOCOL_SSLv23
|
||||||
|
else:
|
||||||
|
raise socket.sslerror("Invalid SSL version requested: %s",
|
||||||
|
self.ssl_version)
|
||||||
|
|
||||||
|
self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
|
||||||
ssl_exc = ssl.SSLError
|
ssl_exc = ssl.SSLError
|
||||||
self.read_fd = self.sock.fileno()
|
self.read_fd = self.sock.fileno()
|
||||||
except ImportError:
|
except ImportError:
|
||||||
@ -1040,8 +1054,8 @@ class IMAP4(object):
|
|||||||
return self._simple_command(name, sort_criteria, charset, *search_criteria, **kw)
|
return self._simple_command(name, sort_criteria, charset, *search_criteria, **kw)
|
||||||
|
|
||||||
|
|
||||||
def starttls(self, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, **kw):
|
def starttls(self, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, ssl_version="ssl23", **kw):
|
||||||
"""(typ, [data]) = starttls(keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None)
|
"""(typ, [data]) = starttls(keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, ssl_version="ssl23")
|
||||||
Start TLS negotiation as per RFC 2595."""
|
Start TLS negotiation as per RFC 2595."""
|
||||||
|
|
||||||
name = 'STARTTLS'
|
name = 'STARTTLS'
|
||||||
@ -1076,6 +1090,7 @@ class IMAP4(object):
|
|||||||
self.certfile = certfile
|
self.certfile = certfile
|
||||||
self.ca_certs = ca_certs
|
self.ca_certs = ca_certs
|
||||||
self.cert_verify_cb = cert_verify_cb
|
self.cert_verify_cb = cert_verify_cb
|
||||||
|
self.ssl_version = ssl_version
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.ssl_wrap_socket()
|
self.ssl_wrap_socket()
|
||||||
@ -1972,7 +1987,7 @@ class IMAP4_SSL(IMAP4):
|
|||||||
"""IMAP4 client class over SSL connection
|
"""IMAP4 client class over SSL connection
|
||||||
|
|
||||||
Instantiate with:
|
Instantiate with:
|
||||||
IMAP4_SSL(host=None, port=None, keyfile=None, certfile=None, debug=None, debug_file=None, identifier=None, timeout=None)
|
IMAP4_SSL(host=None, port=None, keyfile=None, certfile=None, ssl_version="ssl23", debug=None, debug_file=None, identifier=None, timeout=None)
|
||||||
|
|
||||||
host - host's name (default: localhost);
|
host - host's name (default: localhost);
|
||||||
port - port number (default: standard IMAP4 SSL port);
|
port - port number (default: standard IMAP4 SSL port);
|
||||||
@ -1980,6 +1995,7 @@ class IMAP4_SSL(IMAP4):
|
|||||||
certfile - PEM formatted certificate chain file (default: None);
|
certfile - PEM formatted certificate chain file (default: None);
|
||||||
ca_certs - PEM formatted certificate chain file used to validate server certificates (default: None);
|
ca_certs - PEM formatted certificate chain file used to validate server certificates (default: None);
|
||||||
cert_verify_cb - function to verify authenticity of server certificates (default: None);
|
cert_verify_cb - function to verify authenticity of server certificates (default: None);
|
||||||
|
ssl_version - SSL version to use (default: "ssl23", choose from: "tls1","ssl2","ssl3","ssl23");
|
||||||
debug - debug level (default: 0 - no debug);
|
debug - debug level (default: 0 - no debug);
|
||||||
debug_file - debug stream (default: sys.stderr);
|
debug_file - debug stream (default: sys.stderr);
|
||||||
identifier - thread identifier prefix (default: host);
|
identifier - thread identifier prefix (default: host);
|
||||||
@ -1990,11 +2006,12 @@ class IMAP4_SSL(IMAP4):
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
def __init__(self, host=None, port=None, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, debug=None, debug_file=None, identifier=None, timeout=None, debug_buf_lvl=None):
|
def __init__(self, host=None, port=None, keyfile=None, certfile=None, ca_certs=None, cert_verify_cb=None, ssl_version="ssl23", debug=None, debug_file=None, identifier=None, timeout=None, debug_buf_lvl=None):
|
||||||
self.keyfile = keyfile
|
self.keyfile = keyfile
|
||||||
self.certfile = certfile
|
self.certfile = certfile
|
||||||
self.ca_certs = ca_certs
|
self.ca_certs = ca_certs
|
||||||
self.cert_verify_cb = cert_verify_cb
|
self.cert_verify_cb = cert_verify_cb
|
||||||
|
self.ssl_version = ssl_version
|
||||||
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
|
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
|
||||||
|
|
||||||
|
|
||||||
|
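Review bot: In the `ssl_wrap_socket` hunk (`@ -460,7 +461,20 @@`), `ssl.PROTOCOL_SSLv2` is not defined on Python builds whose OpenSSL was compiled without SSLv2, so a configured `ssl2` fails with an AttributeError rather than the intended "Invalid SSL version" error; the same applies to `ssl.PROTOCOL_SSLv3` on newer builds. The `else` branch also raises `socket.sslerror("Invalid SSL version requested: %s", self.ssl_version)`, which passes the value as a second exception argument instead of formatting it, and uses the deprecated `socket.sslerror` alias where the same hunk assigns `ssl_exc = ssl.SSLError` a few lines below. A name-keyed lookup with `getattr` lets both the unknown-name and the unsupported-protocol cases fail with one clear `ssl.SSLError`, as sketched below; the body of `ssl_wrap_socket` starts outside the hunk. Since SSLv2 and SSLv3 are long deprecated, the `IMAP4_SSL` docstring line `ssl_version - SSL version to use (default: "ssl23", ...)` would be clearer with a trailing note that `"ssl2"`/`"ssl3"` weaken the connection and exist only for legacy servers.
```python
# … unchanged: cert_reqs selection …
# SSLv2/SSLv3 constants are absent on OpenSSL builds that drop those protocols;
# resolve by name so an unsupported value fails with a clear error instead of AttributeError.
protocol_names = {"tls1": "PROTOCOL_TLSv1", "ssl2": "PROTOCOL_SSLv2",
                  "ssl3": "PROTOCOL_SSLv3", "ssl23": "PROTOCOL_SSLv23",
                  None: "PROTOCOL_SSLv23"}
try:
    ssl_version = getattr(ssl, protocol_names[self.ssl_version])
except (KeyError, AttributeError):
    raise ssl.SSLError("Unsupported SSL version requested: %s" % (self.ssl_version,))
self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
# … unchanged: ssl_exc / read_fd setup …
```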
@ -65,6 +65,7 @@ class IMAPServer:
|
|||||||
self.sslclientcert = repos.getsslclientcert()
|
self.sslclientcert = repos.getsslclientcert()
|
||||||
self.sslclientkey = repos.getsslclientkey()
|
self.sslclientkey = repos.getsslclientkey()
|
||||||
self.sslcacertfile = repos.getsslcacertfile()
|
self.sslcacertfile = repos.getsslcacertfile()
|
||||||
|
self.sslversion = repos.getsslversion()
|
||||||
if self.sslcacertfile is None:
|
if self.sslcacertfile is None:
|
||||||
self.verifycert = None # disable cert verification
|
self.verifycert = None # disable cert verification
|
||||||
self.delim = None
|
self.delim = None
|
||||||
@ -211,6 +212,7 @@ class IMAPServer:
|
|||||||
self.sslclientcert,
|
self.sslclientcert,
|
||||||
self.sslcacertfile,
|
self.sslcacertfile,
|
||||||
self.verifycert,
|
self.verifycert,
|
||||||
|
self.sslversion,
|
||||||
timeout=socket.getdefaulttimeout(),
|
timeout=socket.getdefaulttimeout(),
|
||||||
fingerprint=fingerprint
|
fingerprint=fingerprint
|
||||||
)
|
)
|
||||||
|
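Review bot: In the `@ -211,6 +212,7 @@` hunk, `self.sslversion,` is inserted as a positional argument between `self.verifycert,` and the keyword arguments, so correctness depends on the callee's parameter order, which is outside the hunk (the call and its callee both start before the hunk). The `IMAP4_SSL.__init__` signature in this commit places `ssl_version` right after `cert_verify_cb`, so the order appears to match, but any later reordering of that signature would silently route the value into the wrong parameter; passing it as `ssl_version=self.sslversion,` removes that dependency and reads as the option it sets.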
@ -172,6 +172,9 @@ class IMAPRepository(BaseRepository):
|
|||||||
% (self.name, cacertfile))
|
% (self.name, cacertfile))
|
||||||
return cacertfile
|
return cacertfile
|
||||||
|
|
||||||
|
def getsslversion(self):
|
||||||
|
return self.getconf('ssl_version', None)
|
||||||
|
|
||||||
def get_ssl_fingerprint(self):
|
def get_ssl_fingerprint(self):
|
||||||
return self.getconf('cert_fingerprint', None)
|
return self.getconf('cert_fingerprint', None)
|
||||||
|
|
||||||
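Review bot: `getsslversion` reads `self.getconf('ssl_version', None)`, but the sample configuration added in the `offlineimap.conf` hunk documents the option as `# sslversion = ssl23`, so a user following the sample would set a key that is never read and silently keep the auto-detected default. The two names should agree; the commit description uses `ssl_version`, so the conf line would become `# ssl_version = ssl23`. The method also has no docstring; a one-liner such as `"""Return the configured 'ssl_version' ("tls1", "ssl2", "ssl3", "ssl23") or None for automatic selection."""` would record the accepted values next to the accessor, since the value is otherwise only validated at connect time inside imaplib2.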
|