[Imaplib2-devel] Re: STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released

Johannes Stezenbach js at sig21.net
Tue Jul 12 08:46:45 BST 2011

On Tue, Jul 12, 2011 at 11:10:28AM +1000, Piers Lauder wrote:
> On Mon, 11 Jul 2011 19:14:26 +0200, Johannes Stezenbach wrote:
> 	...
>                 imapobj.starttls(self.sslclientkey, self.sslclientcert,
>                     ca_certs=self.sslcacertfile,
>                     cert_reqs=ssl.CERT_REQUIRED,
>                     cert_verify_cb=imapobj._verifycert)
> 	...
> Just to clarify what "cert_verify_cb" is for :-
> If the "ca_certs" value is a PEM formatted file containing certificates
> used to validate certificates passed from the other end of the connection,
> what added protection does the callback provide?

Well, I guess openssl does not check every attribute of the cert,
to give users some flexibility in what they consider a valid cert.
So it's left for the openssl user to check the hostname and expiration.
I'm not 100% sure myself what else might be needed, if I would do in-depth
research on this topic I would look at Mercurial (because I trust
the Mercurial maintainer to get it right).


More information about the OfflineIMAP-project mailing list