[PATCH v2 2/3] Re: Implement SSL certificate checking

Nicolas Sebrecht nicolas.s-dev at laposte.net
Thu Dec 16 18:13:43 UTC 2010


On Thu, Dec 16, 2010 at 12:43:47PM +0000, Sebastian wrote:
> 
> Previously, we did not check at all the authenticity and validity of
> the SSL server we connected to. This is bad as it allows
> man-in-the-middle attacks etc. This patch remedies the situation
> somewhat.
> 
> If we specify a sslcacertfile= setting in the Repository section,
> validate the server cert (on python>=2.6 or abort with python<=2.5).
> 
> As before, no certificate check is performed without that option.

I think the certificate check should be the default option.

> In the future, the hostname check should be made optional and also
> a mutt-like "accept this certificate forever" thing should be
> implemented.
> 
> Signed-off-By: Sebastian Spaeth <Sebastian at SSpaeth.de>

Your Signed-off-by usually has weird character case. This causes me to
do extra work. Use the '-s' option of 'git commit' so that you do not have
to sign your patches manually every time. You can use
'git commit --amend -s' to sign an already committed patch.

The topic looks good; merged. Thanks.

-- 
Nicolas Sebrecht


