SSL certificate setup

Sebastian Spaeth Sebastian at sspaeth.de
Thu Jan 6 10:29:46 GMT 2011


On Thu, 6 Jan 2011 01:28:08 +0800, h2oz7v <h2oz7v at gmail.com> wrote:
> On Thu, Jan 6, 2011 at 12:28 AM, Sebastian Spaeth <Sebastian at sspaeth.de> wrote:
> > It belongs into the [Repository ...] section, this is what mine looks
> > like:
> 
> Thanks. Could we also have it as a general property? Would save some verbosity.

That would certainly be good. Having that as a [general] entry which can
be overridden by entries in the specific [Repository xxx] section.
 
> The typo in the [example config][1] also threw me off:
>     s/sslcacertcertfile/sslcacertfile/

Ooops, that is my bad and I will send a patch that fixes that.
 
> Also, could you help with this error:
> > WARNING: Error occured attempting to sync account cath: SSL Certificate host name mismatch: certificate is for outlook.com
> Relevant part of config:
> 
>     [Repository cath-remote]
>     type = IMAP
>     remotehost = pod51002.outlook.com
> 
> Seems to fail because the host is a sub-domain.

Right, that is an error because the certificate is for outlook.com and
you want to connect to a subdomain. So it rightly fails.

So technically speaking do you not have a valid CA cert :). (My
dreamhost provided cert covers e.g. *.mail.dreamhost which works
fine). What we would need to do is to provide a configure option to
accept a cacert even if the hostname doesn't match, I guess. The best
way to handle this should be discussed and agreed on first though.

You can comment out the hostnamecheck for now.

in imaplibutil.py line 139 remove/comment out these 4 lines:
   else:
            error = self._verifycert(self.sslobj.getpeercert(), host)
            if error:
                raise ssl.SSLError("SSL Certificate host name mismatch: %s" % error)

Sebastian

P.S. The archive is not showing the 6 mails that I sent to the list
yesterday while they certainly go out in general. Is that a problem with
the archive (gmane is also not showing things), or is the list broken?
http://lists.alioth.debian.org/pipermail/offlineimap-project/2011-January/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20110106/fe86cbfa/attachment-0001.sig>


More information about the OfflineIMAP-project mailing list