Opened 8 years ago

Closed 8 years ago

#26759 closed Bug (wontfix)

TLSv1-only SMTP servers not supported under Django 1.9.7 / Python 3.4.4 (win32) / OpenSSL 1.0.2d

Reported by: Rudolf Cardinal Owned by: nobody
Component: Core (Mail) Version: 1.9
Severity: Normal Keywords: email SMTP TLS SSL SSLEOFError TLSv1
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Connecting to a Microsoft (E)SMTP mail server with the Django default e-mail backend (django.core.mail.backends.smtp.EmailBackend) and TLS can fail with the following error:

ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:600)

This appears to occur with some (more recent) versions of Python's smtplib, ssl (and underlying OpenSSL) with servers that only support TLSv1. There is no option in Django to force the TLS protocol version that I can see.

The simplest illustration of failure is with:

import smtplib
s = smtplib.SMTP(host, port) # port typically 587
s.ehlo()
s.starttls() # fails with ssl.SSLEOFError as above

which succeeds (with such servers) with a small modification to force TLSv1:

import smtplib
import ssl
s = smtplib.SMTP(host, port)
c = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
s.ehlo()
s.starttls(context=c) # works

There is a suggestion of a dependence on exact OpenSSL version in the docs at https://docs.python.org/3.4/library/ssl.html ("Which connections succeed will vary depending on the version of OpenSSL...").

Therefore, a proposed framework alternative backend is one that enforces TLSv1 when required, e.g. as attached. This can be selected with Django's EMAIL_BACKEND setting, so can be added by users, but I'd have thought that continuing to support such servers is important for the Django core project as well.

Test software: Django 1.9.7; Python 3.4.4 (win32) using OpenSSL 1.0.2d (from ssl.OPENSSL_VERSION). Test server: Microsoft SMTP Server id 8.3.83.0 (from resulting e-mail headers).

Attachments (1)

smtp_email_backend_tls1.py (1.7 KB ) - added by Rudolf Cardinal 8 years ago.
New e-mail backend forcing TLSv1

Download all attachments as: .zip

Change History (2)

by Rudolf Cardinal, 8 years ago

Attachment: smtp_email_backend_tls1.py added

New e-mail backend forcing TLSv1

comment:1 by Tim Graham, 8 years ago

Resolution: wontfix
Status: newclosed

This is the first I've heard of the problem, so I can't say myself that supporting old protocols is critically important for Django core. Feel free to raise it on the DevelopersMailingList. If there's consensus there to make a change in Django, we can reopen the ticket.

Note: See TracTickets for help on using tickets.
Back to Top