oss-sec mailing list archives

Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol


From: Johannes Stezenbach <js () sig21 net>
Date: Thu, 23 Dec 2010 20:26:03 +0100

On Thu, Dec 23, 2010 at 07:55:50PM +0100, Nicolas Sebrecht wrote:
> On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
>
> >   II), Allows SSLv2 protocol
> > ...
> >   [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962

Please note that I reported this issue for the python2.6
package and not for the offlineimap package.  While I
noticed it with offlineimap, I think the bug is either
in Python or in openssl.  According to Python documentation
it should default to use SSLv3.

OTOH it wouldn't hurt if offlineimap would allow the user
to specify the protocol version (TLSv1, SSLv3, SSLv2).


Thanks
Johannes
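
As an added example (not code from this thread, from Python's documentation or from OfflineIMAP), here is what the user-selectable protocol version Johannes suggests looks like with the modern Python `ssl` API, combined with the certificate validation the subject line says was missing. The helper names and the config-string values are assumptions; the context is ready to be passed to `imaplib.IMAP4_SSL(..., ssl_context=ctx)`.

```python
import imaplib
import ssl

# Constructed mapping from a config-file string to a minimum TLS version.
# SSLv2 and SSLv3 (and TLS 1.0/1.1) are deliberately not offered.
_MIN_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_imap_ssl_context(min_version="TLSv1.2", cafile=None):
    """Hypothetical helper: build a client SSLContext that always verifies the
    server certificate and hostname and never falls back to SSLv2/SSLv3."""
    if min_version not in _MIN_VERSIONS:
        raise ValueError("unsupported minimum protocol version: %r" % (min_version,))
    # PROTOCOL_TLS_CLIENT already sets check_hostname=True and
    # verify_mode=CERT_REQUIRED; we only pin the floor of the version range.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _MIN_VERSIONS[min_version]
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)   # user-supplied CA bundle
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # system trust store
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings (useful for a startup log line)."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        # Anything below TLS 1.2 would still let an SSLv3/TLS1.0 handshake through.
        "legacy_ssl_allowed": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
    }


def connect_imap(host, port=993, min_version="TLSv1.2", cafile=None):
    """Open an IMAP-over-TLS session; a certificate or hostname mismatch raises
    ssl.SSLCertVerificationError instead of silently continuing."""
    ctx = make_imap_ssl_context(min_version, cafile)
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
```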
