From 5783e8f77740eef78d4c6c3ec94b58360f7a887b Mon Sep 17 00:00:00 2001
From: Nicolas Sebrecht
Date: Wed, 8 Jun 2016 17:18:37 +0200
Subject: [PATCH] offlineimap.conf: fix and improve documentation about TLS/SSL

ssl2 is not allowed by imaplib2. However, tls1_1 and tls1_2 might be available.

Signed-off-by: Nicolas Sebrecht
---
 offlineimap.conf | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/offlineimap.conf b/offlineimap.conf
index 646d4e7..541e14a 100644
--- a/offlineimap.conf
+++ b/offlineimap.conf
@@ -688,13 +688,20 @@ remotehost = examplehost
 #
 # It is best to leave this unset, in which case the correct version will be
 # automatically detected. In rare cases, it may be necessary to specify a
-# particular version from: tls1, ssl2, ssl3, ssl23.
+# particular version from: tls1, tls1_1, tls_1_2, ssl3, ssl23.
 #
-# ssl23 is the highest protocol version that both the client and server support.
-# Despite the name, this option can select “TLS” protocols as well as “SSL”.
+# tls1_1 and tls1_2 are available with OpenSSL since v1.0.1.
 #
-# See the configuration option tls_level to automatically disable insecure
-# protocols.
+# ssl23 automatically selects the highest protocol version that both the client
+# and server support. Despite the name, this option can select “TLS” protocols
+# as well as “SSL”.
+#
+# Be aware that a MITM attack can consist in downgrading the protocol version
+# which is used upon client/server agreement. So, they might fallback to the
+# less secure available protocol. Hence, it is considered more safe to manually
+# define the protocol version.
+#
+# See the configuration option tls_level to disable insecure protocols.
 #
 #ssl_version = ssl23
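Review bot: The new allowed-values list on the `particular version from:` line spells the TLS 1.2 token `tls_1_2`, while the second hunk of this same commit (the tls_level mapping) and the commit message spell it `tls1_2`; a user who copies the misspelt token into `ssl_version` ends up with a value that looks unlikely to match what the code accepts. Change the line to `# particular version from: tls1, tls1_1, tls1_2, ssl3, ssl23.`. The downgrade paragraph would also be more useful if it said which value to pin, since pinning `ssl3` or `tls1` removes negotiation but not the weakness; consider appending `# Prefer tls1_2 (or tls1_1) when the server supports it.` after `# define the protocol version.`. The commented default `#ssl_version = ssl23` that follows is the very setting the paragraph warns about, so a pointer that `tls_level` bounds what ssl23 may fall back to would close that loop.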
@@ -704,11 +711,23 @@ remotehost = examplehost
 # TLS support level (optional).
 #
 # Specify the level of support that should be allowed for this repository.
-# Can be used to disallow insecure SSL versions as defined by IETF
-# (see https://tools.ietf.org/html/rfc6176).
+# Can be used to enable insecure SSL versions as defined by imaplib2.
+# See, IETF https://tools.ietf.org/html/rfc6176 to know more.
 #
 # Supported values are:
-# tls_secure, tls_no_ssl, tls_compat (the default).
+# tls_secure, tls_no_ssl, tls_compat (default).
+#
+# Current mapping:
+# - tls_secure:
+# - tls1_1
+# - tls1_2
+# - tls_no_ssl:
+# - all tls_secure
+# - tls1 (less desirable than tls1_1 or higher)
+# - tls_compat
+# - all tls_no_ssl
+# - ssl3 (less desirable than tls1)
+# - ssl23 (can fallback up to ssl3)
 #
 #tls_level = tls_compat
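Review bot: The rewritten sentence `# Can be used to enable insecure SSL versions as defined by imaplib2.` reads as the opposite of what the mapping below describes, where `tls_level` narrows the set of protocol versions that may be negotiated and the removed line said "disallow". Suggest `# Can be used to disallow insecure SSL versions (as defined by imaplib2);` followed by `# see IETF RFC 6176, https://tools.ietf.org/html/rfc6176, for background.` on the next line, which also fixes the stray comma in `See, IETF`. The mapping's last entry, `ssl23 (can fallback up to ssl3)`, is the line users most need, so it is worth stating the consequence explicitly right under `- tls_compat`, e.g. `# (tls_compat, the default, therefore offers no downgrade protection; prefer tls_no_ssl or tls_secure)`. The indentation of the nested list items appears to have been lost in this copy of the patch, so it is worth confirming the sub-items under each level are indented in the committed file.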