oss-sec mailing list archives
Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol
From: Johannes Stezenbach <js () sig21 net>
Date: Thu, 23 Dec 2010 20:26:03 +0100
On Thu, Dec 23, 2010 at 07:55:50PM +0100, Nicolas Sebrecht wrote:
On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
II), Allows SSLv2 protocol
...
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962
Please note that I reported this issue for the python2.6 package and not for the offlineimap package. While I noticed it with offlineimap, I think the bug is either in Python or in openssl. According to Python documentation it should default to use SSLv3.
OTOH it wouldn't hurt if offlineimap would allow the user to specify the protocol version (TLSv1, SSLv3, SSLv2).
Thanks
Johannes
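Added example, not part of the original message and not OfflineIMAP's code: one way an IMAP client can address both issues in the thread subject with the current Python 3 `ssl` module, by verifying the server certificate and enforcing a user-selected protocol floor. The option names and the `build_imap_tls_context` helper are hypothetical, and unlike the list suggested in the message this sketch refuses SSLv2, SSLv3 and early TLS.

```python
import ssl

# Hypothetical values for a user-facing "minimum protocol version" option.
ALLOWED_MIN_VERSIONS = {
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}
# Names a user may still type; rejected loudly instead of silently ignored.
REJECTED = {"sslv2", "sslv3", "tlsv1", "tlsv1.0", "tlsv1.1"}


def build_imap_tls_context(min_version="tlsv1.2", cafile=None):
    """Return a client SSLContext that verifies the server certificate and
    sets a floor on the protocol version the handshake may negotiate."""
    key = min_version.strip().lower()
    if key in REJECTED:
        raise ValueError(f"{min_version!r} is a deprecated protocol; refusing")
    if key not in ALLOWED_MIN_VERSIONS:
        raise ValueError(f"unknown protocol version {min_version!r}")
    # create_default_context() turns on CERT_REQUIRED and hostname checking,
    # and loads the system trust store when no cafile is supplied.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ALLOWED_MIN_VERSIONS[key]
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings, e.g. for a startup log."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    # The context would be passed as imaplib.IMAP4_SSL(host, ssl_context=ctx).
    print(describe(build_imap_tls_context("TLSv1.2")))
```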