Message 349131 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	cfactoid
Recipients	alex, cfactoid, christian.heimes, dstufft, janssen
Date	2019-08-06.19:49:52
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1565120992.49.0.0764506500298.issue37777@roundup.psfhosted.org>
In-reply-to

Content
OpenSSL 1.1.1 is an LTS release that will see long maintenance, and Ubuntu 18.04 LTS has now upgraded from 1.1.0 to 1.1.1. However, with this upgrade, TLS 1.3 allows email clients to require an SNI for the handshake to succeed. Because the 2.7 imap module does not enforce or provide SNI to the handshake, Python 2.7 with OpenSSL 1.1.1 will break if an email client requires the SNI hostname. Relevant 2.7 file: https://github.com/python/cpython/blob/2.7/Lib/imaplib.py Right now, the only email client that enforces an SNI header to connect is GMail, and this is why no SSL or imap tests would currently fail due to this issue. This issue was addressed in Python 3.4 but not backported as far as I've been able to tell: https://github.com/python/cpython/commit/7243b574e5fc6f9ae68dc5ebd8252047b8e78e3b With a few releases still planned for Python 2.7 before EOL according to Pep 373, while this is not directly a security issue it does block the use of the latest OpenSSL package and seems like a useful inclusion to the last few releases. Happy to submit a backport PR (in progress) if that's likely. Reproduce steps here: https://github.com/CaseyFaist/reproduceSNIcase

OpenSSL 1.1.1 is an LTS release that will see long maintenance, and Ubuntu 18.04 LTS has now upgraded from 1.1.0 to 1.1.1. However, with this upgrade, TLS 1.3 allows email clients to require an SNI for the handshake to succeed. Because the 2.7 imap module does not enforce or provide SNI to the handshake, Python 2.7 with OpenSSL 1.1.1 will break if an email client requires the SNI hostname.

Relevant 2.7 file:
https://github.com/python/cpython/blob/2.7/Lib/imaplib.py

Right now, the only email client that enforces an SNI header to connect is GMail, and this is why no SSL or imap tests would currently fail due to this issue. This issue was addressed in Python 3.4 but not backported as far as I've been able to tell:

https://github.com/python/cpython/commit/7243b574e5fc6f9ae68dc5ebd8252047b8e78e3b

With a few releases still planned for Python 2.7 before EOL according to Pep 373, while this is not directly a security issue it does block the use of the latest OpenSSL package and seems like a useful inclusion to the last few releases. Happy to submit a backport PR (in progress) if that's likely.

Reproduce steps here: 

https://github.com/CaseyFaist/reproduceSNIcase

History
Date	User	Action	Args
2019-08-06 19:49:52	cfactoid	set	recipients: + cfactoid, janssen, christian.heimes, alex, dstufft
2019-08-06 19:49:52	cfactoid	set	messageid: <1565120992.49.0.0764506500298.issue37777@roundup.psfhosted.org>
2019-08-06 19:49:52	cfactoid	link	issue37777 messages
2019-08-06 19:49:52	cfactoid	create