I have trying to login to my protonmail account from python via proton bridge.
The initial project is to get a count of new messages for an account.
When I try and run it from
Kernel: 5.19.0-76051900-generic x86_64 bits: 64 compiler: N/A Desktop: Cinnamon 5.2.7
Distro: Pop!_OS 22.04 LTS base: Ubuntu 22.04 LTS Jammy
I receive an error
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)
Any thoughts on what is causing the error and how to resolve it?
TIA
#!/usr/bin/python3
import imaplib
import ssl
usern="username"
passw="password"
bridge_certificate="cert.pem"
sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
sslctx.options &= ~ssl.OP_NO_SSLv3
sslctx.load_verify_locations(cafile=bridge_certificate)
sslctx.verify_mode = ssl.CERT_OPTIONAL
sslctx.check_hostname = False
count = 0
imap = imaplib.IMAP4_SSL("localhost", 1143, ssl_context=sslctx)
imap.login(usern, passw)
imap.select('INBOX')
status, response = imap.search(None, '(UNSEEN)')
if status == 'OK':
for num in response[0].split():
count=count+1
print(count)
imap.close()
imap.logout()
see the syxtax above for what I have tried.
2
Answers
remove this
sslctx.options &= ~ssl.OP_NO_SSLv3it is not supported by ProtonMail: Referenceadd
ssl.OP_NO_TLSv1andssl.OP_NO_TLSv1_1options to the SSLContext to disable support for TLS 1.0 and TLS 1.1There are two ways of doing SSL with IMAP:
As can be seen from the documentation, proton bridge uses the second option (STARTTLS).
But
imaplib.IMAP4_SSLuses the first option (immediate TLS after TCP connect). This means the SSL stack in Python is sending a TLS ClientHello directly after the TCP connect and is expecting a TLS ServerHello back. But – the server side (proton bridge) instead sends the plain IMAP welcome message on connect, since it is expecting TLS only after STARTTLS. This IMAP welcome message then gets misinterpreted as TLS ServerHello, which results in theSSL: WRONG_VERSION_NUMBERerror you see.The fix is not to use
imaplib.IMAP4_SSLbut insteadimaplib.IMAP4together withstarttls, i.e. something like this: