feat: bump alpine 3.23

Dockerfile

@@ -1,11 +1,14 @@
-FROM "alpine:3.7"
+FROM "alpine:3.23"
 LABEL maintainer="Cabillot Julien <dockerimages@cabillot.eu>"
 
 COPY entrypoint.sh /entrypoint.sh
 
 RUN apk add --no-cache offlineimap openssl && \
-    adduser -D offlineimap
+    adduser -D offlineimap && \
-COPY offlineimaprc /home/offlineimap/.offlineimaprc
+    # Force SECLEVEL=1 in imaplib2 to allow connecting to servers with weak DH keys (DH_KEY_TOO_SMALL)
+    # This is required because OpenSSL 3.x in Alpine 3.23 defaults to SECLEVEL=2
+    sed -i 's/ctx = ssl.SSLContext(ssl_version)/ctx = ssl.SSLContext(ssl_version)\n                ctx.set_ciphers("DEFAULT:@SECLEVEL=1")/' /usr/lib/python3.*/site-packages/imaplib2/imaplib2.py
+COPY --chown=offlineimap offlineimaprc /home/offlineimap/.offlineimaprc
 
 # Add Tini
 #ENV "TINI_VERSION" "v0.16.1"

entrypoint.sh

@@ -2,9 +2,9 @@
 
 set -o pipefail -o nounset -o errexit
 
-# Récupère le certificat fourni par le serveur
+# Récupère le fingerprint SHA1 du certificat fourni par le serveur
-IMAP_CERT="$(openssl s_client -connect "${IMAP_SRV}:993" </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha1 -inform pem | cut -d'=' -f2 | sed 's/://g')"
+IMAP_CERT="$(echo | (openssl s_client -connect "${IMAP_SRV}:993" 2>/dev/null || true) | openssl x509 -fingerprint -sha1 -noout | cut -d'=' -f2 | sed 's/://g')"
 
 sed -i'' "s/XXX_REPLACE_USER_XXX/${IMAP_USER}/g;s/XXX_REPLACE_PASS_XXX/${IMAP_PASS}/g;s/XXX_REPLACE_SRV_XXX/${IMAP_SRV}/g;s/XXX_REPLACE_FINGERPRINT_XXX/${IMAP_CERT}/g" "/home/offlineimap/.offlineimaprc"
 
-exec offlineimap -c "/home/offlineimap/.offlineimaprc" 2>/dev/null
+exec offlineimap -c "/home/offlineimap/.offlineimaprc"

offlineimaprc

@@ -16,4 +16,5 @@ remoteuser = XXX_REPLACE_USER_XXX
 remotepass = XXX_REPLACE_PASS_XXX
 remotehost = XXX_REPLACE_SRV_XXX
 cert_fingerprint = XXX_REPLACE_FINGERPRINT_XXX
+ssl_version = tls1_2
 readonly=true