[PATCH] Only verify hostname if we actually use CA certs
Sebastian Spaeth
Sebastian at SSpaeth.de
Tue Jan 18 10:25:49 GMT 2011
The current code path checked the CA cert host name, even if we did not
specify a CA cert file to use. Make the host name check dependent on a
CA cert file.
Signed-off-by: Sebastian Spaeth <Sebastian at SSpaeth.de>
---
This is against current master and fixes the blunder that I made.
Of course we only want to check the host name if we are using a CA cert.
This should be the "proper" patch that fixes the symptoms reported.
offlineimap/imaplibutil.py | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index ba6a5bb..6ff946b 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -134,11 +134,12 @@ class WrappedIMAP4_SSL(IMAP4_SSL):
self.certfile)
else:
- #ssl.wrap_socket worked and cert is verified, now check
- #that hostnames also match.
- error = self._verifycert(self.sslobj.getpeercert(), host)
- if error:
- raise ssl.SSLError("SSL Certificate host name mismatch: %s" % error)
+ #ssl.wrap_socket worked and cert is verified (if configured),
+ #now check that hostnames also match if we have a CA cert.
+ if self._cacertfile:
+ error = self._verifycert(self.sslobj.getpeercert(), host)
+ if error:
+ raise ssl.SSLError("SSL Certificate host name mismatch: %s" % error)
#TODO: Done for now. We should implement a mutt-like behavior
#that offers the users to accept a certificate (presenting a
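Review bot: when `self._cacertfile` is unset, the new `if self._cacertfile:` guard in the `else` branch skips `_verifycert` without any message, and per the updated comment the certificate is only verified "if configured", so in that configuration the session proceeds with no check of the peer certificate at all and the user is not told. Consider adding an `else:` on the new `if` that emits a warning that the server certificate and host name are not being verified. The comment should also state outright that nothing is checked when no CA cert file is set, rather than leaving it implied by "(if configured)". The guard itself looks right: a host name read from a certificate that was never validated against a CA proves nothing, so raising "SSL Certificate host name mismatch" in that case was misleading.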
--
1.7.1