Package: python2.6
Version: 2.6.6-8
Severity: important
Tags: upstream

(Severity: important because of possible security relevance)
The Python ssl module documentation says:

http://docs.python.org/release/2.6.6/library/ssl.html

"If not specified, for client-side operation, the default SSL version is SSLv3"

and

"Warning: SSL version 2 is insecure. Its use is highly discouraged"

I noticed because offlineimap stopped working for me today; debugging showed the IMAP server now has SSLv2 disabled, while wireshark showed that offlineimap tried to connect via SSLv2.

I use the following hack, which forces offlineimap to use SSLv3, as a workaround:

--- offlineimap/imaplibutil.py.orig	2010-10-04 12:21:26.000000000 +0200
+++ offlineimap/imaplibutil.py	2010-12-13 11:33:23.000000000 +0100
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port =
         if last_error != 0:
             # FIXME
             raise socket.error(last_error)
-        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
+        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, ssl_version=ssl.PROTOCOL_SSLv3)
         self.sslobj = sslwrapper(self.sslobj)
 
 mustquote = re.compile(r"[^\w!#$%&'+,.:;<=>?^`|~-]")

But it seems the bug is either in upstream Python's Lib/ssl.py, which passes PROTOCOL_SSLv23 for both server and client, contradicting the documentation, or OpenSSL is supposed to do the right thing when passed PROTOCOL_SSLv23 but isn't. I'm not sure.

Thanks,
Johannes

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.36.2 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python2.6 depends on:
ii  libbz2-1.0         1.0.5-6         high-quality block-sorting file co
ii  libc6              2.11.2-7        Embedded GNU C Library: Shared lib
ii  libdb4.8           4.8.30-3        Berkeley v4.8 Database Libraries [
ii  libexpat1          2.0.1-7         XML parsing C library - runtime li
ii  libncursesw5       5.7+20100313-4  shared libraries for terminal hand
ii  libreadline6       6.1-3           GNU readline and history libraries
ii  libsqlite3-0       3.7.4-1         SQLite 3 shared library
ii  mime-support       3.51-1          MIME files 'mime.types' & 'mailcap
ii  python2.6-minimal  2.6.6-8         A minimal subset of the Python lan

python2.6 recommends no packages.

Versions of packages python2.6 suggests:
ii  binutils            2.20.1-15  The GNU assembler, linker and bina
ii  python2.6-doc       2.6.6-8    Documentation for the high-level o
pn  python2.6-profiler  <none>     (no description available)

-- no debconf information
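Review bot: the `+` line in the imaplibutil.py hunk hard-codes `ssl_version=ssl.PROTOCOL_SSLv3` for every connection, so the client can no longer negotiate anything newer than SSLv3 with servers that offer TLSv1; as a workaround for one server that is acceptable, but as a patch the version should come from a configurable setting passed into `new_open_ssl` rather than being pinned for all users. Two smaller points: the hunk references the `ssl` module but shows no import of it, so check that `import ssl` is already present in this file, and the `# FIXME` above `raise socket.error(last_error)` is left untouched although the same block is being edited.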
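The report's diagnosis rests on seeing, in a packet capture, that the client sent an SSLv2-style hello. As an added example (not the reporter's code and not part of offlineimap or Python's ssl module), the Python 3 parser below reads the first bytes a client sends and reports whether they are an SSLv2-framed CLIENT-HELLO or an SSLv3/TLS handshake record, plus the highest protocol version the client advertises; the sample hellos it builds are constructed here with assumed minimal contents (one cipher, no extensions) purely so the parser can be exercised offline.

```python
import os
import struct

VERSION_NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_client_hello(data):
    """Return (framing, client_version) for the first bytes a client sends.

    framing is "sslv2" for an SSLv2-style CLIENT-HELLO (2-byte record header
    with the high bit set, which a capture tool labels as SSLv2) or "sslv3_tls"
    for an SSLv3/TLS handshake record; client_version is the highest protocol
    version the client advertises, as a (major, minor) pair.
    """
    if len(data) >= 5 and data[0] == 0x16:        # content type 22 = handshake
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 6 or body[0] != 0x01:      # handshake type 1 = ClientHello
            raise ValueError("not a ClientHello")
        return "sslv3_tls", (body[4], body[5])
    if len(data) >= 2 and data[0] & 0x80:         # SSLv2 record header, no padding
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) < 9 or body[0] != 0x01:      # SSLv2 message type 1 = CLIENT-HELLO
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        return "sslv2", (body[1], body[2])
    raise ValueError("not an SSL/TLS client hello")


def sslv2_hello(version, cipher_specs=b"\x00\x00\x04"):
    """Constructed sample: SSLv2-framed CLIENT-HELLO advertising `version`."""
    challenge = os.urandom(16)
    body = (b"\x01" + bytes(version)
            + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def tls_hello(version):
    """Constructed sample: minimal SSLv3/TLS ClientHello, one suite, no extensions."""
    hello = bytes(version) + os.urandom(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def describe(data):
    """Human-readable verdict, e.g. 'sslv2 framing, client advertises SSLv3'."""
    framing, ver = classify_client_hello(data)
    return "%s framing, client advertises %s" % (framing, VERSION_NAMES.get(ver, str(ver)))
```

Feed it the first record of a captured client stream (for example the payload of the first data packet exported from wireshark) to see which framing and version the client actually offered, independent of what the library documentation claims the default is.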