
I have been trying to log in to my ProtonMail account from Python via Proton Bridge.
The initial project is to get a count of new messages for an account.

When I try and run it from
Kernel: 5.19.0-76051900-generic x86_64 bits: 64 compiler: N/A Desktop: Cinnamon 5.2.7
Distro: Pop!_OS 22.04 LTS base: Ubuntu 22.04 LTS Jammy

I receive an error

ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)

Any thoughts on what is causing the error and how to resolve it?

TIA

#!/usr/bin/python3
import imaplib
import ssl

usern="username"
passw="password"
bridge_certificate="cert.pem"


sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
sslctx.options &= ~ssl.OP_NO_SSLv3
sslctx.load_verify_locations(cafile=bridge_certificate)
sslctx.verify_mode = ssl.CERT_OPTIONAL
sslctx.check_hostname = False

count = 0
imap = imaplib.IMAP4_SSL("localhost", 1143, ssl_context=sslctx)
imap.login(usern, passw)
imap.select('INBOX')
status, response = imap.search(None, '(UNSEEN)')
if status == 'OK':
    for num in response[0].split():
        count=count+1
print(count)
imap.close()
imap.logout()

See the syntax above for what I have tried.

2 Answers


  1. Remove this:
    sslctx.options &= ~ssl.OP_NO_SSLv3
    It is not supported by ProtonMail: Reference

    Add ssl.OP_NO_TLSv1 and ssl.OP_NO_TLSv1_1 options to the SSLContext to disable support for TLS 1.0 and TLS 1.1.

  2. There are two ways of doing SSL with IMAP:

    • immediate upgrade to TLS directly after the TCP connect
    • TLS upgrade of a plain TCP connection after the STARTTLS command

    As can be seen from the documentation, Proton Bridge uses the second option (STARTTLS).

    But imaplib.IMAP4_SSL uses the first option (immediate TLS after TCP connect). This means the SSL stack in Python is sending a TLS ClientHello directly after the TCP connect and is expecting a TLS ServerHello back. But – the server side (Proton Bridge) instead sends the plain IMAP welcome message on connect, since it is expecting TLS only after STARTTLS. This IMAP welcome message then gets misinterpreted as a TLS ServerHello, which results in the SSL: WRONG_VERSION_NUMBER error you see.

    The fix is not to use imaplib.IMAP4_SSL but instead imaplib.IMAP4 together with starttls, i.e. something like this:

    imap = imaplib.IMAP4("localhost", 1143)
    imap.starttls(ssl_context=sslctx)
    
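The mismatch described in the second answer can be reproduced offline. This is an added example, not code from the question or either answer: the stub server, its greeting text and the function names are constructed for illustration. It shows an immediate TLS handshake failing against a plaintext IMAP greeting, and a probe that tells the two TLS modes apart before you pick IMAP4_SSL or IMAP4 with starttls.

```python
import socket
import ssl
import threading

# Constructed sample greeting, modelled on what a STARTTLS-only IMAP server sends.
GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] constructed stub ready\r\n"

def start_plain_imap_stub():
    """Hypothetical stand-in for the bridge: plaintext greeting first, no TLS."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.sendall(GREETING)
                    while conn.recv(4096):  # drain until the client hangs up
                        pass
            except ConnectionError:
                continue  # client reset the connection; keep serving
            except OSError:
                return  # listening socket was closed
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def implicit_tls_attempt(port):
    """What imaplib.IMAP4_SSL does: send a ClientHello right after TCP connect."""
    ctx = ssl.create_default_context()  # verification stays on; never reached here
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        try:
            ctx.wrap_socket(raw, server_hostname="localhost").close()
            return "handshake ok"
        except ssl.SSLError as exc:
            return exc.reason  # OpenSSL parsed "* OK" as a TLS record header

def probe_tls_mode(port, wait=1.0):
    """Plaintext '* OK' straight after connect means TLS must come via STARTTLS."""
    with socket.create_connection(("127.0.0.1", port), timeout=wait) as raw:
        try:
            first = raw.recv(64)
        except socket.timeout:
            return "implicit-tls"  # server stays silent, waiting for a ClientHello
    return "starttls" if first.startswith(b"* OK") else "unknown"

if __name__ == "__main__":
    srv, port = start_plain_imap_stub()
    print(implicit_tls_attempt(port))
    print(probe_tls_mode(port))
    srv.close()
```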