Radicale IMAP Auth on Debian 9 (Stretch)

Radicale 2.1 CalDAV may fail with the following error messages logged:

radicale.log:

[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)

syslog:

... rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed ...
... imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking

This looks like an incompatibility between OpenSSL and Python urllib regarding SSL connections. SSLv3 is disabled in Dovecot IMAP.

To work around the issue force radicale_imap to use TLSv1_2:
(TLSv1_3 is not a valid option)

/usr/lib/python3/dist-packages/radicale_imap/__init__.py:

...
# Upgrade connection to StartTLS
#context = ssl.create_default_context()
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
...

/etc/radicale/config:

[auth]
type = radicale_imap
imap_host = 127.0.0.1:143
imap_secure = True