From 6e26cfb34ae96f2dbef3660afd1857b31bd6ea5c Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 10 Mar 2020 12:54:50 -0400
Subject: imap-dl: Allow specifying ssl_ciphers

In my case, this allows supporting servers which have unacceptably (for systemwide OpenSSL) small DH sizes by requesting non-DH ciphers. Specifically, hardcoding AES256-GCM-SHA384 prevents this traceback:

Traceback (most recent call last):
  File "/usr/bin/imap-dl", line 273, in
    scan_msgs(confname, args.verbose)
  File "/usr/bin/imap-dl", line 133, in scan_msgs
    ssl_context=ctx) as imap:
  File "/usr/lib/python3.7/imaplib.py", line 1288, in __init__
    IMAP4.__init__(self, host, port)
  File "/usr/lib/python3.7/imaplib.py", line 198, in __init__
    self.open(host, port)
  File "/usr/lib/python3.7/imaplib.py", line 1301, in open
    IMAP4.open(self, host, port)
  File "/usr/lib/python3.7/imaplib.py", line 299, in open
    self.sock = self._create_socket()
  File "/usr/lib/python3.7/imaplib.py", line 1293, in _create_socket
    server_hostname=self.host)
  File "/usr/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/usr/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1076)

Signed-off-by: Robbie Harwood
Acked-by: Daniel Kahn Gillmor
---
 imap-dl       | 4 ++++
 imap-dl.1.pod | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/imap-dl b/imap-dl
index de6be60..a1c2329 100755
--- a/imap-dl
+++ b/imap-dl
@@ -116,6 +116,10 @@ def scan_msgs(configfile:str, verbose:bool) -> None:
                 '(found "{on_size_mismatch_str}")')
     ctx = ssl.create_default_context(cafile=ca_certs)
 
+    ssl_ciphers = conf.get('retriever', 'ssl_ciphers', fallback=None)
+    if ssl_ciphers:
+        ctx.set_ciphers(ssl_ciphers)
+
     server:str = conf.get('retriever', 'server')
     with imaplib.IMAP4_SSL(host=server, #type: ignore
                            port=int(conf.get('retriever', 'port', fallback=993)),
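Review bot: The config value goes straight into `ctx.set_ciphers(ssl_ciphers)` with no handling, and `SSLContext.set_ciphers` raises `ssl.SSLError` when the string cannot be parsed or selects no usable cipher, so a typo in `ssl_ciphers` surfaces as a raw traceback from inside scan_msgs instead of an error that names the offending option. The enclosing scan_msgs starts and ends outside the hunk. Since the man page hunk only says the defaults are good, a comment above the call should also record what the override actually does: `set_ciphers` governs the TLS 1.2-and-below cipher list only (TLS 1.3 suites are unaffected), and a single RSA-key-exchange suite like the one in the commit message gives up forward secrecy, which is the trade-off a user makes when working around a DH_KEY_TOO_SMALL server. The error translation is more than three lines, below; the exception type should follow whatever the script already uses for bad config.

```python
    ssl_ciphers = conf.get('retriever', 'ssl_ciphers', fallback=None)
    if ssl_ciphers:
        # Overrides the default list for TLS <= 1.2 only; TLS 1.3 suites are
        # not affected. Restricting to non-(EC)DHE suites drops forward secrecy.
        try:
            ctx.set_ciphers(ssl_ciphers)
        except ssl.SSLError as e:
            raise ValueError(f'retriever.ssl_ciphers is not a usable OpenSSL '
                             f'cipher string: {ssl_ciphers!r}') from e
    # … unchanged: server / IMAP4_SSL connection …
```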
diff --git a/imap-dl.1.pod b/imap-dl.1.pod
index 901c7e8..7998d3a 100644
--- a/imap-dl.1.pod
+++ b/imap-dl.1.pod
@@ -48,6 +48,10 @@ B is the username of the IMAP account.
 
 B is the password for the IMAP account when using plaintext passwords.
 
+B is an OpenSSL cipher string to use instead of the
+defaults. (The defaults are good; this should be avoided except to work
+around bugs.)
+
 B is the location of the target maildir.
 
 B is a boolean, whether to delete the messages that
-- 
cgit v1.2.3