STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released
Nicolas Sebrecht
nicolas.s-dev at laposte.net
Sun Jul 10 14:46:39 BST 2011
On Sun, Jul 10, 2011 at 12:31:23PM +0200, Johannes Stezenbach wrote:
> Well, cert verification is already implemented in imaplibutil.py,
> and both imaplibutil.py and imaplib2.py eventually call
> ssl.wrap_socket(). At the minimum imaplib2's starttls()
> method should pass the ca_certs and cert_reqs arguments,
> and a callback function for cert verification.
> But maybe the imapliib2 maintainer should absorb all the
> code from WrappedIMAP4_SSL into imaplib? It seems
> every imaplib2 user would need this, not just offlineimap.
Thank you much. I'm relaying this to the imaplib2 project. This is very
interesting stuff, I think.
Piers, what do you think of this?
> diff --git a/offlineimap/imaplib2.py b/offlineimap/imaplib2.py
> index ec6cd0d..e98c216 100644
> --- a/offlineimap/imaplib2.py
> +++ b/offlineimap/imaplib2.py
> @@ -999,7 +999,8 @@ class IMAP4(object):
> return self._simple_command(name, sort_criteria, charset, *search_criteria, **kw)
>
>
> - def starttls(self, keyfile=None, certfile=None, **kw):
> + def starttls(self, keyfile=None, certfile=None,
> + ca_certs=None, cert_reqs=None, cert_verify_cb=None, **kw):
> """(typ, [data]) = starttls(keyfile=None, certfile=None)
> Start TLS negotiation as per RFC 2595."""
>
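Review bot: the docstring directly under the new signature still reads `starttls(keyfile=None, certfile=None)` and says nothing about ca_certs, cert_reqs or cert_verify_cb; document the three new parameters, including the callback contract (it is called as `cert_verify_cb(self.sock, self.host)` and must return a falsy value on success or an error description on failure). The default `cert_reqs=None` also differs from ssl.wrap_socket's own default of ssl.CERT_NONE, and it is forwarded unchanged in the second hunk, so callers that never pass cert_reqs now get None handed to the ssl module; defaulting to `ssl.CERT_NONE` (or only forwarding cert_reqs when it is set) keeps the existing behaviour for them.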
> @@ -1034,10 +1035,15 @@ class IMAP4(object):
> try:
> try:
> import ssl
> - self.sock = ssl.wrap_socket(self.sock, keyfile, certfile)
> + self.sock = ssl.wrap_socket(self.sock, keyfile, certfile,
> + ca_certs=ca_certs, cert_reqs=cert_reqs)
> except ImportError:
> self.sock = socket.ssl(self.sock, keyfile, certfile)
>
> + if cert_verify_cb is not None:
> + error = cert_verify_cb(self.sock, self.host)
> + if error:
> + raise ssl.SSLError("SSL Certificate host name mismatch: %s" % error)
> self.read_fd = self.sock.fileno()
> finally:
> # Restart reader thread
>
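Review bot: the cert_verify_cb block runs after both branches of the try/except, but in the `except ImportError` branch the name `ssl` is never bound, so `raise ssl.SSLError(...)` there produces a NameError rather than a meaningful failure, and the `socket.ssl(...)` fallback receives no ca_certs or cert_reqs at all. Either move the callback check inside the first `try` branch, or make the fallback refuse to continue when verification was requested (for example `if ca_certs or cert_reqs or cert_verify_cb: raise` inside the except). The message "SSL Certificate host name mismatch: %s" also hard-codes one failure cause while the callback may report any reason; reporting `error` as-is would be more accurate.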
> Johannes
--
Nicolas Sebrecht
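As an added illustration (not part of Johannes's patch, imaplib2 or OfflineIMAP), here is a Python 3 callback of the shape the patch introduces, `(sock, host) -> None or error string`, alongside the SSLContext that replaces the ca_certs/cert_reqs arguments in current versions of the ssl module; FakeSock and the certificate dicts are constructed fixtures, not real peer data.

```python
import ssl

def name_matches(pattern, host):
    """Compare one certificate DNS name with the host we connected to.
    Case-insensitive; a leading "*." wildcard covers exactly one label (RFC 6125 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host

def cert_verify_cb(sock, host):
    """Callback in the shape the patched starttls() expects: returns None when the
    peer certificate is acceptable for host, else a string describing the failure."""
    cert = sock.getpeercert()
    if not cert:
        # Empty dict means the chain was never verified (cert_reqs=CERT_NONE) or no
        # certificate was sent; without CERT_REQUIRED there is nothing to check here.
        return "no verified peer certificate (cert_reqs must be CERT_REQUIRED)"
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Only fall back to the subject CN when the certificate has no SAN dNSNames.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(name_matches(n, host) for n in names):
        return None
    return "certificate names %r do not match %r" % (names, host)

def make_verifying_context(ca_file):
    """Modern equivalent of wrap_socket(ca_certs=..., cert_reqs=CERT_REQUIRED): a context
    that rejects unverifiable chains and checks the hostname itself, so cert_verify_cb
    becomes a second, explicit check rather than the only one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname on
    ctx.load_verify_locations(cafile=ca_file)
    return ctx

class FakeSock(object):
    """Constructed stand-in for an SSLSocket: returns a getpeercert()-style dict."""
    def __init__(self, cert):
        self.cert = cert

    def getpeercert(self):
        return self.cert

if __name__ == "__main__":
    san = FakeSock({"subjectAltName": (("DNS", "imap.example.com"), ("DNS", "*.example.org"))})
    print(cert_verify_cb(san, "imap.example.com"))   # None
    print(cert_verify_cb(san, "a.b.example.org"))    # wildcard spans one label only
    print(cert_verify_cb(FakeSock({}), "imap.example.com"))
```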