| Summary: | dev-python/imapclient with dev-lang/python-3.9.5_p2 - ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Helmut Jarausch <jarausch> |
| Component: | Current packages | Assignee: | Python Gentoo Team <python> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | aklhfex, mgorny, sam |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Helmut Jarausch
2021-06-02 12:14:29 UTC

IIRC TLS 1.2 is now required.

What server are you connecting to? What protocols does it support?

Not just TLS 1.2 but a restricted list of ciphers.

https://github.com/python/cpython/commit/9ad46f9ec1ca757050ed4095925cdf5f4e8ef9fc

My recipe (for info, not suggesting this is a good idea - clearly they have been restricted for a reason):

1) Confirm IMAP server TLS v1.2 support and find the supported cipher:

    openssl s_client -connect <IMAP server>:993

2) Get the OpenSSL cipher list format for that cipher from:

    openssl ciphers -v <cipher>

3) Add that to default context:

    ctx = create_default_context()
    ctx.set_ciphers("<openssl list format>")

I've just added py3.10 to imapclient. If possible, please test it on py3.10 to make sure I didn't screw something up when backporting these changes.

To correct the record, this is not needed:

> 2) Get the OpenSSL cipher list format for that cipher from:
>
> openssl ciphers -v <cipher>

A cipher (its OpenSSL suite name) on its own is a valid list format

https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT

Confused by the out of date link in Python docs, raised:

https://bugs.python.org/issue44314

Tested with dev-lang/python-3.10.0_beta2 and imaplib.IMAP4_SSL() (direct, not via imapclient), same result as dev-lang/python-3.9.5_p2.

Also:

    python -c "import ssl; print(len(ssl.create_default_context().get_ciphers()))"

outputs:

    python-3.9.4_p1: 30
    python-3.9.5_p2: 17
    python-3.10.0_beta2: 17

(In reply to Chris Mayo from comment #3)
> Not just TLS 1.2 but a restricted list of ciphers.
>
> https://github.com/python/cpython/commit/9ad46f9ec1ca757050ed4095925cdf5f4e8ef9fc
>
> My recipe (for info, not suggesting this is a good idea - clearly they have
> been restricted for a reason):
>
> 1) Confirm IMAP server TLS v1.2 support and find the supported cipher:
>
> openssl s_client -connect <IMAP server>:993
>
> 2) Get the OpenSSL cipher list format for that cipher from:
>
> openssl ciphers -v <cipher>
>
> 3) Add that to default context:
>
> ctx = create_default_context()
> ctx.set_ciphers("<openssl list format>")

I need some help here.

    openssl s_client -connect imap.skynet.be:993

gives

    New, SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported

Then I tried

    import ssl
    ssl_context = ssl.create_default_context()
    # skynet
    ssl_context.set_ciphers("AES256-SHA256")
    from imapclient import IMAPClient
    HOST = 'imap.skynet.be'
    server = IMAPClient(HOST, ssl_context= ssl_context, use_uid=True, ssl=ssl)

I get (even for Python-3.9.5_p1):

    File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
      self._sslobj.do_handshake()
    ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure

What am I missing?

Many thanks for a hint.

P.S. It's somewhat hard that a local patch makes it impossible for me to fetch my email.

Helmut

I don't really get that openssl output. Why is it saying SSLv3 first, then TLS-1.2?

> openssl s_client -connect imap.skynet.be:993 gives
> New, SSLv3, Cipher is AES256-SHA

Haven't tried this, if that really is SSLv3 then need to enable SSLv3 as well:

If you still wish to continue to use this function but still allow SSL 3.0 connections you can re-enable them using:

    ctx = ssl.create_default_context(Purpose.CLIENT_AUTH)
    ctx.options &= ~ssl.OP_NO_SSLv3

https://docs.python.org/3.10/library/ssl.html#ssl.create_default_context

Thanks!

    import ssl
    ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ssl_context.options &= ~ssl.OP_NO_SSLv3
    from imapclient import IMAPClient
    HOST = 'imap.skynet.be'
    server = IMAPClient(HOST, ssl_context= ssl_context, use_uid=True, ssl=ssl)

works for Python-3.9.5_p1 but NOT for Python-3.9.5_p2

It seems to be the cipher list and not SSLv3 after all.

Try this:

    import ssl
    from imapclient import IMAPClient

    ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ssl_context.set_ciphers('AES256-SHA')
    HOST = 'imap.skynet.be'
    server = IMAPClient(HOST, ssl_context=ssl_context, use_uid=True, ssl=ssl)

(In reply to Michał Górny from comment #11)
> It seems to be the cipher list and not SSLv3 after all.
>
> Try this:
>
> import ssl
> from imapclient import IMAPClient
>
> ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
> ssl_context.set_ciphers('AES256-SHA')
> HOST = 'imap.skynet.be'
> server = IMAPClient(HOST, ssl_context=ssl_context, use_uid=True, ssl=ssl)

Many thanks!
This works with Python-3.9.5_p1 as well as with Python-3.9.5_p2

Unfortunately imapclient is broken with Python 3.10.

The following script works just fine with Python 3.9 but fails with Python 3.10

    import ssl
    from imapclient import IMAPClient

    ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ssl_context.set_ciphers('AES256-SHA')
    HOST = 'imap.skynet.be'
    server = IMAPClient(HOST, ssl_context=ssl_context, use_uid=True, ssl=ssl)

fails with

    Traceback (most recent call last):
      File "/home/jarausch/Python_My/Email3/Gorny", line 7, in <module>
        server = IMAPClient(HOST, ssl_context=ssl_context, use_uid=True, ssl=ssl)
      File "/usr/lib/python3.10/site-packages/imapclient/imapclient.py", line 284, in __init__
        self._imap = self._create_IMAP4()
      File "/usr/lib/python3.10/site-packages/imapclient/imapclient.py", line 321, in _create_IMAP4
        return tls.IMAP4_TLS(
      File "/usr/lib/python3.10/site-packages/imapclient/tls.py", line 44, in __init__
        imaplib.IMAP4.__init__(self, host, port)
      File "/usr/lib/python3.10/imaplib.py", line 202, in __init__
        self.open(host, port, timeout)
      File "/usr/lib/python3.10/site-packages/imapclient/tls.py", line 52, in open
        self.sock = wrap_socket(sock, self.ssl_context, host)
      File "/usr/lib/python3.10/site-packages/imapclient/tls.py", line 32, in wrap_socket
        return ssl_context.wrap_socket(sock, server_hostname=host)
      File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
        return self.sslsocket_class._create(
      File "/usr/lib/python3.10/ssl.py", line 1061, in _create
        self._sslobj = self._context._wrap_socket(
    ssl.SSLError: Cannot create a client socket with a PROTOCOL_TLS_SERVER context (_ssl.c:805)

Many thanks for a hint,
Helmut