[Imaplib2-devel] Re: STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released

Johannes Stezenbach js at sig21.net
Tue Jul 12 13:49:26 BST 2011


On Tue, Jul 12, 2011 at 01:19:58PM +0300, Daniel Shahaf wrote:
> Johannes Stezenbach wrote on Tue, Jul 12, 2011 at 12:12:43 +0200:
> > On Tue, Jul 12, 2011 at 12:56:42PM +0300, Daniel Shahaf wrote:
> > > 
> > > The OpenSSL consumers I'm aware of are informed by OpenSSL of the
> > > expiration and are given the option to ignore it.
> > > 
> > > ie, as opposed to outright aborting the connection, OpenSSL passes the
> > > X509_V_ERR_CERT_HAS_EXPIRED flag to the application and it decides what
> > > to do.
> > > 
> > > [ I'm only describing how svn/ra_serf/serf/openssl works; I'm not an
> > > expert at OpenSSL's API. ]
> > 
> > So maybe it is Python's ssl module which does not evaluate that flag,
> > thus we have to do it ourselves.
> 
> Does offlineimap read the flag, or does it compare the cert's expiration
> date to time.time() by hand?

The latter. Python's ssl module does not offer all details
available in openssl's API.

http://docs.python.org/release/2.7.2/library/ssl.html
does not mention "expire".

Johannes
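
The by-hand expiry check discussed in this message, sketched as an added example (not part of the original post and not OfflineIMAP's code). It compares the validity dates in a dict shaped like the return value of `SSLSocket.getpeercert()` against the current time using `ssl.cert_time_to_seconds()`; the function name, the `warn_days` threshold and the sample certificate are assumptions made for illustration.

```python
import ssl
import time

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jul  1 00:00:00 2011 GMT",
}


def check_validity_window(cert, now=None, warn_days=14):
    """Return (status, detail) for a getpeercert()-style dict.

    status is one of "no-cert-info", "not-yet-valid", "expired",
    "expiring-soon" or "ok". warn_days is a hypothetical threshold.
    """
    if now is None:
        now = time.time()
    # getpeercert() returns an empty dict when the peer certificate was not
    # validated, so missing dates must be reported, never read as "fine".
    if not cert or "notAfter" not in cert:
        return ("no-cert-info", "no validity dates available")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if "notBefore" in cert:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        if now < not_before:
            return ("not-yet-valid", "valid from " + cert["notBefore"])
    if now >= not_after:
        return ("expired", "expired at " + cert["notAfter"])
    if not_after - now < warn_days * 86400:
        return ("expiring-soon", "expires at " + cert["notAfter"])
    return ("ok", "valid until " + cert["notAfter"])


if __name__ == "__main__":
    # 1310478566 is the timestamp of this message (12 Jul 2011 13:49:26 BST).
    print(check_validity_window(SAMPLE_CERT, now=1310478566))
```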



