From 7baa12cf522f4816faf07bf2944b621d6f581f38 Mon Sep 17 00:00:00 2001
From: Julien Cabillot <gitlab@cabillot.eu>
Date: Tue, 17 Mar 2026 19:16:06 -0400
Subject: [PATCH] feat: bump alpine 3.23

---
 Dockerfile    | 9 ++++++---
 entrypoint.sh | 6 +++---
 offlineimaprc | 1 +
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index cb0da55..934af95 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,14 @@
-FROM "alpine:3.7"
+FROM "alpine:3.23"
 LABEL maintainer="Cabillot Julien <dockerimages@cabillot.eu>"
 
 COPY entrypoint.sh /entrypoint.sh
 
 RUN apk add --no-cache offlineimap openssl && \
-    adduser -D offlineimap
-COPY offlineimaprc /home/offlineimap/.offlineimaprc
+    adduser -D offlineimap && \
+    # Force SECLEVEL=1 in imaplib2 to allow connecting to servers with weak DH keys (DH_KEY_TOO_SMALL)
+    # This is required because OpenSSL 3.x in Alpine 3.23 defaults to SECLEVEL=2
+    sed -i 's/ctx = ssl.SSLContext(ssl_version)/ctx = ssl.SSLContext(ssl_version)\n                ctx.set_ciphers("DEFAULT:@SECLEVEL=1")/' /usr/lib/python3.*/site-packages/imaplib2/imaplib2.py
+COPY --chown=offlineimap offlineimaprc /home/offlineimap/.offlineimaprc
 
 # Add Tini
 #ENV "TINI_VERSION" "v0.16.1"
diff --git a/entrypoint.sh b/entrypoint.sh
index b726f36..3044ddf 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,9 +2,9 @@
 
 set -o pipefail -o nounset -o errexit
 
-# Récupère le certificat fourni par le serveur
-IMAP_CERT="$(openssl s_client -connect "${IMAP_SRV}:993" </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha1 -inform pem | cut -d'=' -f2 | sed 's/://g')"
+# Récupère le fingerprint SHA1 du certificat fourni par le serveur
+IMAP_CERT="$(echo | (openssl s_client -connect "${IMAP_SRV}:993" 2>/dev/null || true) | openssl x509 -fingerprint -sha1 -noout | cut -d'=' -f2 | sed 's/://g')"
 
 sed -i'' "s/XXX_REPLACE_USER_XXX/${IMAP_USER}/g;s/XXX_REPLACE_PASS_XXX/${IMAP_PASS}/g;s/XXX_REPLACE_SRV_XXX/${IMAP_SRV}/g;s/XXX_REPLACE_FINGERPRINT_XXX/${IMAP_CERT}/g" "/home/offlineimap/.offlineimaprc"
 
-exec offlineimap -c "/home/offlineimap/.offlineimaprc" 2>/dev/null
+exec offlineimap -c "/home/offlineimap/.offlineimaprc"
diff --git a/offlineimaprc b/offlineimaprc
index 1334b3c..eab71c4 100644
--- a/offlineimaprc
+++ b/offlineimaprc
@@ -16,4 +16,5 @@ remoteuser = XXX_REPLACE_USER_XXX
 remotepass = XXX_REPLACE_PASS_XXX
 remotehost = XXX_REPLACE_SRV_XXX
 cert_fingerprint = XXX_REPLACE_FINGERPRINT_XXX
+ssl_version = tls1_2
 readonly=true