
Not using SNI #5

Closed
iliastsi opened this issue Aug 29, 2018 · 9 comments · Fixed by #6

Comments

@iliastsi (Contributor)

Using the latest openssl (version 1.1.1), which supports TLS 1.3, imaplib2 fails to connect to (at least) GMail:

>>> import imaplib2
>>> imaplib2.IMAP4_SSL(host="imap.gmail.com", ca_certs="/etc/ssl/certs/ca-certificates.crt")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 2182, in __init__
    IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 360, in __init__
    self.open(host, port)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 2195, in open
    self.ssl_wrap_socket()
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 547, in ssl_wrap_socket
    self.sock = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ca_certs=self.ca_certs, cert_reqs=cert_reqs, ssl_version=ssl_version)
  File "/usr/lib/python2.7/ssl.py", line 949, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 617, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 846, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

This is because imaplib2 does not support SNI, and Google returns an invalid certificate in that case. Copying from here:

Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3.

Forcing TLS 1.2 works as expected:

>>> import imaplib2
>>> imaplib2.IMAP4_SSL(host="imap.gmail.com", ca_certs="/etc/ssl/certs/ca-certificates.crt", ssl_version="tls1_2")
<imaplib2.IMAP4_SSL object at 0x7f1865dec290>

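The traceback above shows the root cause: the module-level ssl.wrap_socket() call sends no server_name (SNI) extension, so the client gets the server's default certificate and chain verification fails. The fix is to wrap the socket through an SSLContext with server_hostname set. The block below is an added example, not imaplib2's own code or the patch from the PR: it builds such a context and, to confirm offline that SNI really goes on the wire, drives a handshake into memory BIOs and parses the server_name extension out of the resulting ClientHello. The function names and the ca_file parameter are assumptions.

```python
import ssl


def build_client_context(ca_file=None):
    """Client context that verifies chain and hostname (PROTOCOL_TLS_CLIENT defaults)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file:  # assumption: a PEM bundle such as /etc/ssl/certs/ca-certificates.crt
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def verifies_peer(ctx):
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def wrap_imap_socket(sock, host, ca_file=None):
    """What ssl_wrap_socket() in the traceback should do: server_hostname is sent as SNI
    and is also the name check_hostname matches against the certificate."""
    return build_client_context(ca_file).wrap_socket(sock, server_hostname=host)


def client_hello_for(host):
    """Run the handshake into memory BIOs (no network) and return the raw ClientHello record."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = build_client_context().wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nobody answers, but the ClientHello is now in `outgoing`
    return outgoing.read()


def sni_hostname(client_hello):
    """Return the host_name from the server_name extension (RFC 6066), or None if absent."""
    hs = client_hello[5:]                                 # skip 5-byte TLS record header
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]       # skip handshake type(1)+length(3)
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None                                       # no extensions block
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            data = body[pos + 4:pos + 4 + ext_len]
            return data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
        pos += 4 + ext_len
    return None
```

Calling sni_hostname(client_hello_for("imap.gmail.com")) returns "imap.gmail.com"; a wrapper built on the old ssl.wrap_socket() path has no server_hostname to send and would return None here.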
@davidben

@jcristau, I noticed you wrote a fix in a7ce7da. Were you planning on making a pull request? (I can also put a fix together, but it seemed like you already did it.)

@jcristau

@davidben I haven't had a chance to test this yet, hence the lack of PR

@jcristau

Now tested to the extent that i = imaplib2.IMAP4_SSL(host="imap.gmail.com", ca_certs="/etc/ssl/certs/ca-certificates.crt") no longer fails, and i.sock._sslobj.peer_certificate() (py2) or i.sock._sslobj.getpeercert() (py3) looks right.

@davidben

Ah, okay. :-) I also got confirmation that your patch fixed someone's offlineimap issue.

@davidben

Any luck?

@davidben

(Oops, missed that you already opened a PR.)

@StoppingBuck

Guys, it seems like we've run into a bit of a conundrum: Judging from the commit log, imaplib2 is completely abandoned, with the last commit being a year ago...

nicolas33 pushed a commit to OfflineIMAP/offlineimap that referenced this issue Jun 18, 2019
Fixes jazzband/imaplib2#5

Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
@edmorley

This is starting to become a bigger issue, since OpenSSL 1.1.1 has now been backported to Ubuntu 18.04. Is there anyone who can help us get PR #6 merged and into Python patch releases? :-)

@nicolas33

nicolas33 commented Jul 31, 2019

Please, read this comment.
The changes are in the 'next' branch so they will likely be included in the next release of offlineimap.
