diff --git a/offlineimap.conf b/offlineimap.conf
index 646d4e7..541e14a 100644
--- a/offlineimap.conf
+++ b/offlineimap.conf
@@ -688,13 +688,20 @@ remotehost = examplehost
 #
 # It is best to leave this unset, in which case the correct version will be
 # automatically detected. In rare cases, it may be necessary to specify a
-# particular version from: tls1, ssl2, ssl3, ssl23.
+# particular version from: tls1, tls1_1, tls_1_2, ssl3, ssl23.
 #
-# ssl23 is the highest protocol version that both the client and server support.
-# Despite the name, this option can select “TLS” protocols as well as “SSL”.
+# tls1_1 and tls1_2 are available with OpenSSL since v1.0.1.
 #
-# See the configuration option tls_level to automatically disable insecure
-# protocols.
+# ssl23 automatically selects the highest protocol version that both the client
+# and server support. Despite the name, this option can select “TLS” protocols
+# as well as “SSL”.
+#
+# Be aware that a MITM attack can consist in downgrading the protocol version
+# which is used upon client/server agreement. So, they might fallback to the
+# less secure available protocol. Hence, it is considered more safe to manually
+# define the protocol version.
+#
+# See the configuration option tls_level to disable insecure protocols.
 #
 #ssl_version = ssl23
 
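Review bot: The added value list spells one option `tls_1_2`, while the next added paragraph (and the tls_level mapping in the following hunk) calls it `tls1_2`, so a user copying from the list would likely set a value the option does not recognise; the line should read `# particular version from: tls1, tls1_1, tls1_2, ssl3, ssl23.`. The new MITM paragraph also recommends defining the version manually, while the unchanged context above it still says it is best to leave the option unset, so the comment should say which advice takes precedence. It would help to add that pinning only improves on negotiation when the pinned value is a current TLS version, since pinning `ssl3` or `tls1` fixes the connection to the weak protocol rather than preventing a downgrade.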
@@ -704,11 +711,23 @@ remotehost = examplehost
 # TLS support level (optional).
 #
 # Specify the level of support that should be allowed for this repository.
-# Can be used to disallow insecure SSL versions as defined by IETF
-# (see https://tools.ietf.org/html/rfc6176).
+# Can be used to enable insecure SSL versions as defined by imaplib2.
+# See, IETF https://tools.ietf.org/html/rfc6176 to know more.
 #
 # Supported values are:
-# tls_secure, tls_no_ssl, tls_compat (the default).
+# tls_secure, tls_no_ssl, tls_compat (default).
+#
+# Current mapping:
+# - tls_secure:
+# - tls1_1
+# - tls1_2
+# - tls_no_ssl:
+# - all tls_secure
+# - tls1 (less desirable than tls1_1 or higher)
+# - tls_compat
+# - all tls_no_ssl
+# - ssl3 (less desirable than tls1)
+# - ssl23 (can fallback up to ssl3)
 #
 #tls_level = tls_compat
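Review bot: The new mapping shows that the default `tls_compat` still permits `ssl3` and `ssl23`, but the comment never says that the default is the least restrictive of the three levels; a line such as `# Prefer tls_secure unless the server only offers older protocols.` after the mapping would make that visible. The reworded sentence "Can be used to enable insecure SSL versions" reads as if the option exists to weaken security, although two of the three levels restrict it; "Can be used to restrict which SSL/TLS versions are allowed" matches the mapping better. The `- tls_compat` entry lacks the trailing colon the other two levels have, and "can fallback up to ssl3" should read "can fall back down to ssl3". The header counts suggest one trailing context line of this hunk is not shown here.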