SSL Problem pop3s handshake operation timed out

Jan Vereecken

May 19, 2015, 8:05:43 AM
to bots...@googlegroups.com
All of a sudden this process error popped up in our installation. This occurs when connecting to a pop3s mail server (more specifically pop.ibpmail.com).

SSLError: _ssl.c:489: The handshake operation timed out

I’ve searched the web for answers and the closest I got was that the ssl library uses an incorrect ssl_version to connect to the server which causes a timeout.

Depending on the client you use the command below works. For example for me on OSX 10.10 and Ubuntu 10.04 this works. On Ubuntu 12.04 and 14.04 this doesn’t work.

openssl s_client -connect pop.ibpmail.com:995 

The command always works when you explicitly tell which SSL method to use.

openssl s_client -tls1 -connect pop.ibpmail.com:995
openssl s_client -ssl3 -connect pop.ibpmail.com:995

I’ve looked into the source code of bots, more specifically in the file communication.py, but it seems that poplib doesn’t allow you to specify the ssl version.

As a last resort I’ve “patched” the poplib module to force it to use TLSv1 when connecting to POP over SSL

sudo vim /usr/lib/python2.7/poplib.py

self.sslobj = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ssl_version=ssl.PROTOCOL_TLSv1)

Obviously this is less than ideal. Has somebody also experienced this issue and maybe found a better workaround?

What also is strange is that the error suddenly popped up, after the same setup has been working fine for a couple of months. Don’t you just love this :-s.

Gr, J

henk-jan ebbers

May 19, 2015, 8:50:17 AM
to bots...@googlegroups.com
hi Jan,

I know the error.
only solution I know is similar to yours (monkey-patch that pop3-ssl class).
I never saw this for other pop3-servers, so it might be a typical ipmail problem.

kind regards,
henk-jan

Jan Vereecken

May 22, 2015, 5:11:29 AM
to bots...@googlegroups.com
Hello Henk-Jan,

Like I mentioned, I've now changed the code on system level, but I guess this will be replaced every time python is upgraded on Debian/Ubuntu (no idea if this happens frequently with security patches).

Where do you think is the best place to monkey-patch this?
  • Bots? Where would you suggest to change this?
  • Somewhere else?
Gr, J

Kurohai

May 22, 2015, 9:38:53 AM
to bots...@googlegroups.com
Jan Vereecken,

Can you upgrade your version of openssl? I tested on Ubuntu 12.04.5 LTS with OpenSSL 1.0.1-4ubuntu5.20.

$ openssl s_client -connect pop.ibpmail.com:995
...
...
+OK POP3 PROXY server ready <47D8CC3A10C0A6D1ED4103416411CEC941E9F4E5@login01.ibpmail.net>

Jan Vereecken

May 22, 2015, 10:13:41 AM
to bots...@googlegroups.com
Hi Kurohai,

Thanks for helping out.

I found the root cause of the problem and even a way to fix it.

It seems my version of openssl is even more recent

dpkg -l | grep 'openssl'
ii  openssl                             1.0.1-4ubuntu5.27                   Secure Socket Layer (SSL) binary and related cryptographic tools
ii  python-openssl                      0.12-1ubuntu2.1                     Python wrapper around the OpenSSL library

The dpkg log shows that this new version was recently installed (I auto install security patches) and this could very well explain why it suddenly stopped working.

The changelog states that something was reenabled concerning TLSv1.2
https://launchpad.net/ubuntu/precise/+source/openssl/+changelog

By setting the environment variable mentioned in the changelog, I was able to fix my problem.

export OPENSSL_NO_CLIENT_TLS1_2=

Now the command works again and I think that the problem is in fact with the supplier being not compliant with the most recent versions of the protocol (as suggested by the change).

Gr, Jan


Kurohai

May 22, 2015, 10:37:41 AM
to bots...@googlegroups.com
I wrote up a quick subclass if you still need it. It doesn't modify poplib directly, so it won't break anything else.
https://gist.github.com/kurohai/719770fc9ce38f41a992

And a patch to communication.py to use it.
https://gist.github.com/kurohai/526be80567fd50bdf8c8

Jan Vereecken

May 22, 2015, 10:42:19 AM
to bots...@googlegroups.com
Thanks for the effort! This could certainly come in handy.

henk-jan ebbers

May 22, 2015, 11:25:54 AM
to bots...@googlegroups.com
hi Jan,

that is great!

but I am not good at this type of thing.
how would I use this (in linux)?


kind regards,
henk-jan


Jan Vereecken

May 22, 2015, 11:32:42 AM
to bots...@googlegroups.com
Henk-Jan,

If you are using Debian/Ubuntu like me, you create a new file /etc/profile.d/openssl.sh that contains the line 

export OPENSSL_NO_CLIENT_TLS1_2=

Depending on the distro you use (centos, fedora, etc.) your mileage can vary, but Google should sort you out on how to initialize environment variables globally for every variation.

Hope this helps.

Jan Vereecken
Clubit bvba
janver...@clubit.be


henk-jan ebbers

Jun 12, 2016, 8:40:07 AM
to bots...@googlegroups.com
problem occurs:
- on linux (not windows)
- pop3s connection to server that uses only older SSL/TLS version. Eg ipmail, a product of btinfo-net. IPmail 'bridges' x400 to smtp/pop3.
- error: "SSLError: _ssl.c:495: The handshake operation timed out"

for me, best solution is to use communication scripting - as that does not require changes in python libraries or bots source code.
this works (name of file should be same as the channel, as for all communication-scripts).
see attachment or:

import ssl
import socket
import poplib

'''
in linux there are problems with older SSL versions, as used by BT infonet (ipmail).
In linux the openSSL library is updated better.
ip mail insists on ssl.PROTOCOL_TLSv1 - but this is considered less safe -> so updated in linux, only used if explicitly indicated.
'''

# Python 2 code: copy of the stdlib POP3_SSL.__init__ with one changed line (marked CHANGE).
class pop3_set_tls_version(poplib.POP3_SSL):
    ''' subclass poplib.POP3_SSL (for secure pop3)
        overrule __init__ because in the ssl.wrap_socket an explicit ssl version is needed
    '''
    def __init__(self, host, port = poplib.POP3_SSL_PORT, keyfile = None, certfile = None):
        self.host = host
        self.port = port
        self.keyfile = keyfile
        self.certfile = certfile
        self.buffer = ""
        msg = "getaddrinfo returns an empty list"
        self.sock = None
        # try every address returned for the host until one connects
        for res in socket.getaddrinfo(self.host, self.port, 0, socket.SOCK_STREAM):
            af, socktype, proto, canonname, sa = res
            try:
                self.sock = socket.socket(af, socktype, proto)
                self.sock.connect(sa)
            except socket.error, msg:
                if self.sock:
                    self.sock.close()
                self.sock = None
                continue
            break
        if not self.sock:
            raise socket.error, msg
        self.file = self.sock.makefile('rb')
        #CHANGE start
        self.sslobj = ssl.wrap_socket(self.sock, self.keyfile, self.certfile, ssl_version=ssl.PROTOCOL_TLSv1)
        #CHANGE end
        self._debugging = 0
        self.welcome = self._getresp()



import bots.botsglobal as botsglobal
import bots.botslib as botslib    # needed for botslib.runscript() in connect()
import bots.communication as communication

class pop3s(communication.pop3s):
    ''' subclass communication.pop3s
        we need to use class pop3_set_tls_version instead of poplib.POP3_SSL
    '''
    def connect(self):
        if self.userscript and hasattr(self.userscript,'keyfile'):
            keyfile, certfile = botslib.runscript(self.userscript,self.scriptname,'keyfile',channeldict=self.channeldict)
        elif self.channeldict['keyfile']:
            keyfile = self.channeldict['keyfile']
            certfile = self.channeldict['certfile']
        else:
            keyfile = certfile = None
        #CHANGE start
        self.session = pop3_set_tls_version(host=self.channeldict['host'],port=int(self.channeldict['port']),keyfile=keyfile,certfile=certfile)
        #CHANGE end
        self.session.set_debuglevel(botsglobal.ini.getint('settings','pop3debug',0))    #if used, gives information about session (on screen), for debugging pop3
        self.session.user(self.channeldict['username'])
        self.session.pass_(self.channeldict['secret'])




kind regards,
henk-jan ebbers


ipmail_receive.py
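
A narrower alternative to the system-wide environment variable and to the ssl.wrap_socket() call in the scripts above (which performs no certificate verification by default), as an added example that is not code from this thread or from bots: it pins TLS 1.0 for one allow-listed host only and keeps certificate and hostname verification on. It assumes Python 3.7+, where poplib.POP3_SSL accepts a context and SSLContext has minimum_version/maximum_version; LEGACY_TLS_HOSTS, context_for, describe and open_pop3s are hypothetical names.

```python
import poplib
import ssl
import warnings

# Hypothetical allow-list: only servers known to stall on a newer ClientHello.
LEGACY_TLS_HOSTS = {"pop.ibpmail.com"}


def context_for(host, legacy_hosts=LEGACY_TLS_HOSTS):
    """Return an SSLContext for `host`; only allow-listed hosts get TLS 1.0."""
    # create_default_context() turns on certificate and hostname verification.
    ctx = ssl.create_default_context()
    if host.lower() in legacy_hosts:
        with warnings.catch_warnings():
            # Python 3.10+ emits a DeprecationWarning when TLS 1.0 is selected.
            warnings.simplefilter("ignore", DeprecationWarning)
            # Lower the floor first, then the ceiling, so min <= max throughout.
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx


def describe(ctx):
    """Summarise the settings worth checking when reviewing a context."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def open_pop3s(host, port=poplib.POP3_SSL_PORT, timeout=30):
    """Open a POP3S session with an explicit timeout and a per-host context."""
    # The timeout bounds a stalled handshake instead of waiting indefinitely.
    return poplib.POP3_SSL(host, port, timeout=timeout, context=context_for(host))


if __name__ == "__main__":
    # Offline check of the policy; pop.example.org is a constructed host name.
    for name in ("pop.ibpmail.com", "pop.example.org"):
        print(name, describe(context_for(name)))
```

On OpenSSL 3.x builds TLS 1.0 is additionally gated by the library's security level, so the pinned context can still be refused there.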