imapserver: add a tls_level option

Allow the user to block usage of known-bad versions of SSL and TLS.

Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>

offlineimap.conf

@@ -646,6 +646,17 @@ remotehost = examplehost
 #ssl_version = ssl23
 
 
+# This option stands in the [Repository RemoteExample] section.
+#
+# TLS support level (optional).
+#
+# Specify the level of support that should be allowed for this repository.
+# Can be used to disallow insecure SSL versions. Supported values are:
+# tls_secure, tls_no_ssl, tls_compat (the default).
+#
+#tls_level = tls_compat
+
+
 # This option stands in the [Repository RemoteExample] section.
 #
 # Specify the port.  If not specified, use a default port.

offlineimap/imapserver.py

@@ -92,6 +92,7 @@ class IMAPServer:
             self.__verifycert = None # disable cert verification
         self.fingerprint = repos.get_ssl_fingerprint()
         self.sslversion = repos.getsslversion()
+        self.tlslevel = repos.gettlslevel()
 
         self.oauth2_refresh_token = repos.getoauth2_refresh_token()
         self.oauth2_client_id = repos.getoauth2_client_id()
@@ -478,6 +479,7 @@ class IMAPServer:
                         timeout=socket.getdefaulttimeout(),
                         fingerprint=self.fingerprint,
                         use_socket=self.proxied_socket,
+                        tls_level=self.tlslevel,
                         )
                 else:
                     self.ui.connecting(self.hostname, self.port)

offlineimap/repository/IMAP.py

@@ -246,6 +246,9 @@ class IMAPRepository(BaseRepository):
             raise OfflineImapError(reason, OfflineImapError.ERROR.REPO)
         return cacertfile
 
+    def gettlslevel(self):
+        return self.getconf('tls_level', 'tls_compat')
+
     def getsslversion(self):
         return self.getconf('ssl_version', None)