[PATCH] ssl: ensure the cert is parsable with a dict to check the hostname

Nicolas Sebrecht nicolas.s-dev at laposte.net
Mon Jan 17 18:32:45 GMT 2011

The SSL library gives choice between DER-encoded/binary data and a dict format.
Explicitly ask for a dict to parse it.


Reported-by: Anonymous <swell.k at gmail.com>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev at laposte.net>

Thanks for reporting this issue.
Could you please test this patch (against master)?

As a side note, I feel bad with the Anonymous field in the "Reported-by" line.
If you don't give your real name, I would remove it.

 offlineimap/imaplibutil.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index ba6a5bb..cb2de7e 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -136,7 +136,7 @@ class WrappedIMAP4_SSL(IMAP4_SSL):
             #ssl.wrap_socket worked and cert is verified, now check
             #that hostnames also match.
-            error = self._verifycert(self.sslobj.getpeercert(), host)
+            error = self._verifycert(self.sslobj.getpeercert(binary_form=False), host)
             if error:
                 raise ssl.SSLError("SSL Certificate host name mismatch: %s" % error)

More information about the OfflineIMAP-project mailing list