[Imaplib2-devel] Re: STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released
Johannes Stezenbach
js at sig21.net
Tue Jul 12 08:46:45 BST 2011
On Tue, Jul 12, 2011 at 11:10:28AM +1000, Piers Lauder wrote:
> On Mon, 11 Jul 2011 19:14:26 +0200, Johannes Stezenbach wrote:
>
> ...
> imapobj.starttls(self.sslclientkey, self.sslclientcert,
>                  ca_certs=self.sslcacertfile,
>                  cert_reqs=ssl.CERT_REQUIRED,
>                  cert_verify_cb=imapobj._verifycert)
>
> ...
>
> Just to clarify what "cert_verify_cb" is for :-
>
> If the "ca_certs" value is a PEM formatted file containing certificates
> used to validate certificates passed from the other end of the connection,
> what added protection does the callback provide?
Well, I guess openssl does not check every attribute of the cert,
to give users some flexibility in what they consider a valid cert.
So it's left for the openssl user to check the hostname and expiration.
I'm not 100% sure myself what else might be needed; if I were to do in-depth
research on this topic I would look at Mercurial (because I trust
the Mercurial maintainer to get it right).
Johannes
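The hostname and validity-period checks Johannes describes as being left to the caller, written out as an added example for this thread (it is not imaplib2's or OfflineIMAP's own `_verifycert`). It assumes the callback is handed the dict returned by `SSLSocket.getpeercert()` together with the expected hostname and returns an error string on failure or `None` on success; the certificate dict is constructed sample data, and hostname matching follows the usual RFC 6125 rules (subjectAltName first, CN only as a fallback, a wildcard only as the whole leftmost label matching exactly one label).

```python
import ssl
import time

def _dnsname_match(pattern, hostname):
    """RFC 6125-style match of one dNSName/CN pattern against hostname."""
    plabels = pattern.lower().rstrip('.').split('.')
    hlabels = hostname.lower().rstrip('.').split('.')
    if not pattern or len(plabels) != len(hlabels):
        return False
    leftmost, rest = plabels[0], plabels[1:]
    if leftmost == '*':
        # wildcard needs at least two fixed labels and must not cover an IDNA label
        if len(plabels) < 3 or hlabels[0].startswith('xn--'):
            return False
        return rest == hlabels[1:]
    if '*' in leftmost:          # partial wildcards such as "f*o" are refused
        return False
    return plabels == hlabels

def check_peer_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means the cert fits hostname."""
    problems = []
    now = time.time() if now is None else now
    # 1. validity period, using the textual dates getpeercert() hands back
    if 'notBefore' in cert and ssl.cert_time_to_seconds(cert['notBefore']) > now:
        problems.append('certificate not yet valid')
    if 'notAfter' in cert and ssl.cert_time_to_seconds(cert['notAfter']) < now:
        problems.append('certificate expired')
    # 2. identity: DNS entries of subjectAltName win; CN is only a fallback
    names = [v for (k, v) in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:
        names = [v for rdn in cert.get('subject', ()) for (k, v) in rdn
                 if k == 'commonName']
    if not any(_dnsname_match(n, hostname) for n in names):
        problems.append('hostname %r does not match %r' % (hostname, names))
    return problems

def verify_cb(cert, host):
    """Assumed cert_verify_cb shape: falsy on success, error text otherwise."""
    problems = check_peer_cert(cert, host)
    return '; '.join(problems) if problems else None

# Constructed sample shaped like SSLSocket.getpeercert() output (not a real cert).
SAMPLE_CERT = {
    'subject': ((('commonName', 'imap.example.com'),),),
    'subjectAltName': (('DNS', 'imap.example.com'), ('DNS', '*.mail.example.com')),
    'notBefore': 'Jan 10 00:00:00 2011 GMT',
    'notAfter': 'Jan 10 00:00:00 2012 GMT',
}
```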