STARTTLS and certificates Re: [ANNOUNCE] OfflineIMAP v6.3.4-rc3 released

Sebastian Spaeth
Fri Jul 8 11:06:37 BST 2011

On Thu, 7 Jul 2011 22:15:47 +0200, Johannes Stezenbach wrote:
> > Modus ponens: it doesn't verify the peer's identity in STARTTLS mode.
> > Thanks for the information!

Yep, that's correct.

> Which makes it completely useless.

That's a bit harsh. It prevents eavesdroppers from getting your
passwords and your mail contents if they are able to wiretap a connection. It
won't prevent man-in-the-middle attacks, that is true. And it is why I
still prefer a "real" ssl connection to my server.

> I remarked about this
> TODO already in April:

The thing is that this is something that probably best belongs in
imaplib2 itself, which sets up the ssl socket. Otherwise we have to
override/extend/modify quite a few functions in imaplib2 to trick it into
verifying connections.

> However, I'm too lame to send a patch myself..

Getting imaplib2 to even pass in a CA certfile when setting up an ssl
connection would mean overriding the starttls() function and doing the
stuff ourselves, which means we would have to fudge deeply with the inner
workings of imaplib2. Which is something I'd like to avoid. So this
would require us to work together with upstream imaplib2 to get it done
in a reasonable way.

What we probably could and should do is to document the lack of CA Cert
verification in the starttls case in offlineimap.conf. 


P.S. I still don't get why python/openssl don't strictly disable
SSLv2 by default, and why there is no convenient method to disable SSLv2
before python 3.2. I did send some patches some months back that achieved
this, though.
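The gap the reply above describes is that the socket gets encrypted but the peer is never identified: no CA chain check, no hostname match. The following is an added example, not OfflineIMAP or imaplib2 code, showing the plaintext half of an IMAP STARTTLS negotiation followed by a wrap that does verify, next to the unverified context that a bare ssl.wrap_socket() amounted to. The function names (negotiate_starttls, verifying_context, secure_imap_connection), the ScriptedSocket fixture and the two server transcripts are all constructed for this illustration; the ssl module calls are standard Python 3.

```python
"""Added example, not OfflineIMAP or imaplib2 code: IMAP STARTTLS with
peer verification, beside the unverified wrap the thread describes."""
import re
import ssl

STARTTLS_RE = re.compile(rb"\bSTARTTLS\b")


class StartTLSRefused(Exception):
    """STARTTLS missing or rejected: stop rather than fall back to plaintext LOGIN."""


def unverified_context():
    """What a bare ssl.wrap_socket(sock) gave you: encryption, no identity check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """PROTOCOL_TLS_CLIENT already implies CERT_REQUIRED plus check_hostname.
    Pin the trust store to cafile if given, else use the system store;
    minimum_version keeps SSLv2/SSLv3 from ever being offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def context_verifies_peer(ctx):
    """True only when both the certificate chain and the hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _readline(sock, limit=8192):
    """Read one CRLF-terminated IMAP line; fail closed on EOF or runaway length."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        c = sock.recv(1)
        if not c:
            raise ConnectionError("connection closed before CRLF")
        buf += c
        if len(buf) > limit:
            raise ValueError("IMAP line exceeds %d bytes" % limit)
    return bytes(buf)


def negotiate_starttls(sock):
    """Greeting -> CAPABILITY -> STARTTLS on the plaintext socket. Returns True
    once the server says OK, the moment the caller must wrap the socket.
    Raises if STARTTLS is absent, which is what an active attacker stripping
    the capability (rather than just wiretapping) would present."""
    greeting = _readline(sock)
    if not greeting.startswith(b"* OK"):
        raise StartTLSRefused("unexpected greeting: %r" % greeting)
    sock.sendall(b"a000 CAPABILITY\r\n")
    caps = b""
    while True:
        line = _readline(sock)
        if line.startswith(b"a000 "):            # tagged completion of CAPABILITY
            if not line.startswith(b"a000 OK"):
                raise StartTLSRefused("CAPABILITY failed: %r" % line)
            break
        caps += line
    if not STARTTLS_RE.search(caps):
        raise StartTLSRefused("server offers no STARTTLS: %r" % caps)
    sock.sendall(b"a001 STARTTLS\r\n")
    reply = _readline(sock)
    if not reply.startswith(b"a001 OK"):
        raise StartTLSRefused("STARTTLS rejected: %r" % reply)
    return True


def secure_imap_connection(sock, hostname, cafile=None):
    """On a real socket: negotiate, then wrap. server_hostname is what makes
    the certificate's name actually get matched against the server we wanted."""
    negotiate_starttls(sock)
    return verifying_context(cafile).wrap_socket(sock, server_hostname=hostname)


class ScriptedSocket:
    """Constructed fixture: replays canned server bytes, records client sends."""
    def __init__(self, server_lines):
        self._rx = b"".join(server_lines)
        self.sent = []

    def recv(self, n):
        chunk, self._rx = self._rx[:n], self._rx[n:]
        return chunk

    def sendall(self, data):
        self.sent.append(bytes(data))


# Constructed transcripts: an honest server, and one whose STARTTLS
# advertisement has been stripped, as a downgrading man-in-the-middle would do.
GOOD_SERVER = [b"* OK IMAP4rev1 ready\r\n",
               b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n",
               b"a000 OK CAPABILITY completed\r\n",
               b"a001 OK Begin TLS negotiation now\r\n"]
STRIPPED_SERVER = [b"* OK IMAP4rev1 ready\r\n",
                   b"* CAPABILITY IMAP4rev1\r\n",
                   b"a000 OK CAPABILITY completed\r\n"]
```

With a real TCP socket, secure_imap_connection(sock, "imap.example.org", cafile="/path/to/ca.pem") is the whole flow; passing the CA file and the hostname at the wrap step is exactly what the reply says imaplib2 had no hook for.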
