diff --git a/offlineimap.conf b/offlineimap.conf
index 60285a8..90fe771 100644
--- a/offlineimap.conf
+++ b/offlineimap.conf
@@ -646,6 +646,17 @@ remotehost = examplehost
 #ssl_version = ssl23
+# This option stands in the [Repository RemoteExample] section.
+#
+# TLS support level (optional).
+#
+# Specify the level of support that should be allowed for this repository.
+# Can be used to disallow insecure SSL versions. Supported values are:
+# tls_secure, tls_no_ssl, tls_compat (the default).
+#
+#tls_level = tls_compat
+
+
 # This option stands in the [Repository RemoteExample] section.
 #
 # Specify the port. If not specified, use a default port.
diff --git a/offlineimap/imapserver.py b/offlineimap/imapserver.py
index 72da4cc..6cdbf26 100644
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@@ -92,6 +92,7 @@ class IMAPServer:
 self.__verifycert = None # disable cert verification
 self.fingerprint = repos.get_ssl_fingerprint()
 self.sslversion = repos.getsslversion()
+ self.tlslevel = repos.gettlslevel()
 self.oauth2_refresh_token = repos.getoauth2_refresh_token()
 self.oauth2_client_id = repos.getoauth2_client_id()
@@ -478,6 +479,7 @@ class IMAPServer:
 timeout=socket.getdefaulttimeout(),
 fingerprint=self.fingerprint,
 use_socket=self.proxied_socket,
+ tls_level=self.tlslevel,
 )
 else:
 self.ui.connecting(self.hostname, self.port)
diff --git a/offlineimap/repository/IMAP.py b/offlineimap/repository/IMAP.py
index fd2464f..167295a 100644
--- a/offlineimap/repository/IMAP.py
+++ b/offlineimap/repository/IMAP.py
@@ -246,6 +246,9 @@ class IMAPRepository(BaseRepository):
 raise OfflineImapError(reason, OfflineImapError.ERROR.REPO)
 return cacertfile
+ def gettlslevel(self):
+ return self.getconf('tls_level', 'tls_compat')
+
 def getsslversion(self):
 return self.getconf('ssl_version', None)
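Review bot: The new `tls_level` comment block in offlineimap.conf names `tls_secure`, `tls_no_ssl` and `tls_compat` without saying which protocol versions each one admits, so a reader cannot tell which value actually disallows the insecure SSL versions the text mentions. It also does not say how the option combines with `ssl_version`, documented just above, and the default `tls_compat` appears to be the permissive choice, which deserves an explicit sentence. I would add one line per value in the form `# tls_secure: <protocol versions allowed>` and a closing line such as `# If ssl_version is also set, <state which setting takes effect>.`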
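Review bot: In the second imapserver.py hunk, `tls_level=self.tlslevel` reaches only the constructor call that closes just before `else:`; the other branch begins at `self.ui.connecting(self.hostname, self.port)` and its body, like the start of the enclosing method, is outside the hunk. If that branch can later upgrade the connection with STARTTLS, the configured level would have to be passed on that path as well, otherwise `tls_level = tls_secure` would constrain only one of the two connection modes. This is worth confirming against the full method. A short comment at the call site, e.g. `# tls_level restricts which SSL/TLS versions may be negotiated`, would record the intent.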
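Review bot: `gettlslevel()` in offlineimap/repository/IMAP.py returns whatever string the user wrote, so a misspelled value such as `tls_secur` is handed on unchecked. Whether that fails loudly or quietly behaves like the default is decided by code not visible here. For an option whose purpose is to disallow insecure protocol versions, the value should be validated against the three documented names where it is read, and rejected with the same `OfflineImapError.ERROR.REPO` error the preceding method raises. The method also has no docstring; the sketch below adds one.

```python
    def gettlslevel(self):
        """Return the TLS support level configured for this repository.

        Falls back to 'tls_compat' when the option is absent and rejects
        values other than the three documented ones.
        """
        level = self.getconf('tls_level', 'tls_compat')
        if level not in ('tls_secure', 'tls_no_ssl', 'tls_compat'):
            reason = ("Unknown tls_level '%s'; expected tls_secure, "
                      "tls_no_ssl or tls_compat" % level)
            raise OfflineImapError(reason, OfflineImapError.ERROR.REPO)
        return level
```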