Self signed certificate exceptions

[dsanghan]

With Python 3.6+ and latest imapclient, certain servers that use self-signed certificates are causing exceptions.

I've used an ssl context as outlined in your guide:

ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE

and verified that it does work with some self-signed configurations. With others, there's exceptions:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/ssl.py", line 1223, in get_server_certificate
    with context.wrap_socket(sock) as sslsock:
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error

For this particular ssl certificate, even a basic ssl.get_server_certificate faces the same error. This seems to be a python ssl issue, since I am able to fetch the cert using openssl s_client -showcerts -connect mail.mani.pt:993:

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1528460816
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Any suggestions would be welcome. Thanks!

[dsanghan]

To follow up,

Seems like a pythonic issue. I've opened a bug with them.

Output from Python3.5 with OpenSSL 1.0.2g: ssl.get_server_certificate(('mail.mani.pt', 993), ssl.PROTOCOL_TLSv1)

-----BEGIN CERTIFICATE-----\nMIIDdDCCAlygAwIBAgIILeR0neMYiyUwDQYJKoZIhvcNAQEFBQAwSzELMAkGA1UE\nBhMCUFQxJTAjBgNVBAoTHE1BTkkgSU5kdXN0cmlhcyBQbGFzdGljYXMgU0ExFTAT\nBgNVBAMTDG1haWwubWFuaS5wdDAeFw0xODAxMjIxNDA3MDVaFw0yMjAxMjMxNDA3\nMDVaMEsxCzAJBgNVBAYTAlBUMSUwIwYDVQQKExxNQU5JIElOZHVzdHJpYXMgUGxh\nc3RpY2FzIFNBMRUwEwYDVQQDEwxtYWlsLm1hbmkucHQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDdSCNqjELZGKgjPf0NAwHmmR6ZUzDpt2HOwA+97DOP\nWwJ5NOYGeJzhM/yw+P/yAWKB8HzJO6CKCfwe4ilEVxcikK7Gj/rVqfzRb+hWTWC9\nr8lPzWCa3siNdf/rieONz2LR0d/Qf8Uml5NFJ3UkJAo5TZbWizjcLO4/mPrVysau\n5S4yE9pW8dkhENs/IVLce5cjn0WwMQvFntX1x303tAlyC362JEInHePxPmGmDDMo\n3sgBYziv90LlsOviJIbpju5/A1P9r0uXzDQmudZZPqlFHjqNXcdprfVyTgg/C4xQ\nE1UbSL8uIW0CVj9TxXp4njaIC/sr97ptJU/86isFveKBAgMBAAGjXDBaMB0GA1Ud\nDgQWBBSt1Z9m+CaYG+nf39Ty0TqabcaE4TALBgNVHQ8EBAMCArwwEwYDVR0lBAww\nCgYIKwYBBQUHAwEwFwYDVR0RBBAwDoIMbWFpbC5tYW5pLnB0MA0GCSqGSIb3DQEB\nBQUAA4IBAQBk7DQ/+1pYE+0yoHNChFVztjjJASQSas6DaPx9FOFYrPhh9lU5NmBy\nHIzMUHTlkgw/OE713+mPRlxegZWceA7akirhaWocQcOCXzeIQKNouMZ/4ktXIoqY\nmdcYVOS2Et+FBBT1+rAA6OMTDftCRPH/19stA7IcwWo+6GVLWIqCk/2lBNNYrZ0V\nMvwxQeeHcCz5HdU2o0ypROvkhG8Er5qGVeHAv+JCj+Q4EERMoDwocwS8eedwqqPe\nLVCWwSqS8SEizDRNZZfOoXT4AJ/L10RLrnz8wtSffoxS2pZMbhHEBr3WhA72v94L\nCDU+vO9t1YN3WpXeRZfKWLw/qEE8b65H\n-----END CERTIFICATE-----\n

Output from Python3.6 with OpenSSL 1.1.0: ssl.get_server_certificate(('mail.mani.pt', 993), ssl.PROTOCOL_TLSv1)

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/ssl.py", line 1223, in get_server_certificate
    with context.wrap_socket(sock) as sslsock:
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error