[Imaplib2-devel] Re: STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released

Daniel Shahaf d.s at daniel.shahaf.name
Tue Jul 12 10:56:42 BST 2011

Sebastian Spaeth wrote on Tue, Jul 12, 2011 at 11:32:13 +0200:
> On Tue, 12 Jul 2011 10:57:35 +0300, Daniel Shahaf <d.s at daniel.shahaf.name> wrote:
> > Looking at the Serf library's code, I find handling of the
> > 'X509_V_ERR_CERT_HAS_EXPIRED' value which tells me openssl does verify
> > expiration dates.
> Which is weird, because we have debian bugs files against offlineimap
> that say that we are happily accepting certificates that had been
> expired for years.

The OpenSSL consumers I'm aware of are informed by OpenSSL of the
expiration and are given the option to ignore it.

ie, as opposed to outright aborting the connection, OpenSSL passes the
X509_V_ERR_CERT_HAS_EXPIRED flag to the application and it decides what
to do.

[ I'm only describing how svn/ra_serf/serf/openssl works; I'm not an
expert at OpenSSL's API. ]

> Sebastian

More information about the OfflineIMAP-project mailing list