[Imaplib2-devel] Re: STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released
Daniel Shahaf
d.s at daniel.shahaf.name
Tue Jul 12 08:57:35 BST 2011
Johannes Stezenbach wrote on Tue, Jul 12, 2011 at 09:46:45 +0200:
> On Tue, Jul 12, 2011 at 11:10:28AM +1000, Piers Lauder wrote:
> > On Mon, 11 Jul 2011 19:14:26 +0200, Johannes Stezenbach wrote:
> >
> > ...
> > imapobj.starttls(self.sslclientkey, self.sslclientcert,
> >                  ca_certs=self.sslcacertfile,
> >                  cert_reqs=ssl.CERT_REQUIRED,
> >                  cert_verify_cb=imapobj._verifycert)
> >
> > ...
> >
> > Just to clarify what "cert_verify_cb" is for :-
> >
> > If the "ca_certs" value is a PEM formatted file containing certificates
> > used to validate certificates passed from the other end of the connection,
> > what added protection does the callback provide?
>
> Well, I guess openssl does not check every attribute of the cert,
> to give users some flexibility in what they consider a valid cert.
> So it's left for the openssl user to check the hostname and expiration.
> I'm not 100% sure myself what else might be needed; if I were to do in-depth
> research on this topic I would look at Mercurial (because I trust
> the Mercurial maintainer to get it right).
Looking at the Serf library's code, I find handling of the
'X509_V_ERR_CERT_HAS_EXPIRED' value, which tells me openssl does verify
expiration dates.
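What the callback has to add, as a worked example that is not imaplib2's or OfflineIMAP's own code: with ca_certs set and cert_reqs=ssl.CERT_REQUIRED, OpenSSL already checks the signature chain and the notBefore/notAfter dates, but the OpenSSL of this era does not check that the name in the certificate is the host you connected to, so a CA-signed certificate for any other host would be accepted. The hostname match is the main thing cert_verify_cb must supply. The example below assumes (this is an assumption about imaplib2's interface, not confirmed by the thread) that the callback is handed the dict that ssl.SSLSocket.getpeercert() returns together with the hostname, and returns None on success or an error string on failure. The certificates are constructed sample data; the date check is included only to show that it is cheap to repeat on the Python side.

```python
import ssl
import time

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); not real certificates.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "imap.example.com"),
                       ("DNS", "*.mail.example.com")),
    "notBefore": "Jul 12 00:00:00 2011 GMT",
    "notAfter": "Jul 12 00:00:00 2012 GMT",
}

# Same validity window, no subjectAltName: only the CN is available.
CN_ONLY_CERT = {
    "subject": ((("commonName", "cn.example.com"),),),
    "notBefore": "Jul 12 00:00:00 2011 GMT",
    "notAfter": "Jul 12 00:00:00 2012 GMT",
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, label by label.
    A wildcard is honoured only when it is the entire leftmost label, so
    '*.mail.example.com' matches 'a.mail.example.com' but not
    'a.b.mail.example.com', 'mail.example.com' or 'f*.mail.example.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in p_labels or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole bare domain such as '*.com'.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """Check hostname against the certificate's dNSName SANs; fall back to
    the subject commonName only if the certificate carries no dNSName SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def verify_cert(cert, hostname, now=None):
    """Hypothetical cert_verify_cb body: return None if the certificate is
    acceptable for hostname, otherwise a string describing the problem.
    `now` (seconds since the epoch) is a parameter so the check is testable."""
    if not cert:
        return "no certificate presented"
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "certificate not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "certificate expired"
    if not hostname_matches(cert, hostname):
        return "hostname %r does not match certificate" % hostname
    return None


if __name__ == "__main__":
    # 2012-01-01 00:00:00 UTC lies inside the sample validity window.
    print(verify_cert(SAMPLE_CERT, "imap.example.com", now=1325376000))
    print(verify_cert(SAMPLE_CERT, "other.example.com", now=1325376000))
```

On Python 3.4 and later the ssl module does this itself: an SSLContext with check_hostname=True and verify_mode=ssl.CERT_REQUIRED performs the same name match as part of the handshake, which is the preferable place for it; the callback approach above is what was available to a Python 2 client such as imaplib2 at the time of this thread.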