[Imaplib2-devel] Re: STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released
Johannes Stezenbach
js at sig21.net
Mon Jul 11 18:14:26 BST 2011
Hi,
On Mon, Jul 11, 2011 at 06:31:19PM +0200, Nicolas Sebrecht wrote:
> [ Re-adding people in cc. ]
>
> On Mon, Jul 11, 2011 at 11:27:28AM +1000, Piers Lauder wrote:
>
> > Hi Nicholas,
> >
> > New version checked in.
> > Had to make a couple of minor changes
> > - can you test that it works as advertised?
> >
> > Incidentally, I assume the call-back function is explicitly supposed to
> > check that the hostname in the certificate matches the passed hostname,
> > right? In which case I'll document that.
> >
> > Thanks,
> > Piers.
>
> Sorry, I don't know the details enough to answer or test it out.
>
> Also, I guess the current change in imaplib2 is not sufficient to fix
> our main STARTTLS security issue and OfflineIMAP may need some
> improvements.
The imaplib2 change I proposed is supposed to allow using the
existing offlineimap/imaplibutil.py WrappedIMAP4_SSL._verifycert()
method. Thus, supposedly the call in offlineimap/imapserver.py
imapobj.starttls() would become
    imapobj.starttls(self.sslclientkey, self.sslclientcert,
                     ca_certs=self.sslcacertfile,
                     cert_reqs=ssl.CERT_REQUIRED,
                     cert_verify_cb=imapobj._verifycert)
and now that I write it, it's obvious cert_reqs shouldn't be
a parameter, but instead imaplib2 should do
    if ca_certs is not None:
        cert_reqs = ssl.CERT_REQUIRED
    else:
        cert_reqs = ssl.CERT_NONE
Anyway, I have no idea who else uses imaplib2, so I don't know
if this API is good enough. It is just the minimal change
to support what offlineimap needs.
Johannes
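The two pieces discussed in this message, as an added example that is not part of the thread, of imaplib2 or of OfflineIMAP: deriving cert_reqs from whether ca_certs was given, and a verification callback of the kind Piers asks about, which checks the peer certificate's names against the hostname that was connected to. The callback name, its (cert, hostname) signature and the sample certificate dict are assumptions; the dict is shaped like what ssl.SSLSocket.getpeercert() returns.

```python
import ssl

# Added example, not imaplib2's or OfflineIMAP's code. Hypothetical names.


def cert_reqs_for(ca_certs):
    """Require a verified chain exactly when a CA bundle is configured."""
    return ssl.CERT_REQUIRED if ca_certs is not None else ssl.CERT_NONE


def _dns_match(pattern, hostname):
    """RFC 6125-style match: '*' allowed only as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail:
        return False
    hhead, _, htail = hostname.partition(".")
    return bool(hhead) and tail == htail


def verify_cert_hostname(cert, hostname):
    """Return None if `cert` (a getpeercert() dict) is valid for `hostname`,
    else a string describing the problem. subjectAltName dNSName entries
    win; the subject commonName is only consulted when there are none."""
    if not cert:
        return "no certificate presented (was cert_reqs CERT_NONE?)"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    if not names:
        return "certificate carries no hostname"
    if any(_dns_match(n, hostname) for n in names):
        return None
    return "hostname %r not in certificate names %r" % (hostname, names)


# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "imap.example.org"),
                       ("DNS", "*.mail.example.org")),
}
```

With cert_reqs left at CERT_NONE the socket hands back an empty dict, which is why the callback treats "no certificate" as a failure rather than a pass.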