[Imaplib2-devel] Re: STARTTLS and certificates Re:[ANNOUNCE] OfflineIMAP v6.3.4-rc3 released
Piers Lauder
piers at janeelix.com
Wed Jul 13 01:13:20 BST 2011
On Tue, 12 Jul 2011 14:49:26 +0200, Johannes Stezenbach wrote:
>
> On Tue, Jul 12, 2011 at 01:19:58PM +0300, Daniel Shahaf wrote:
> > Johannes Stezenbach wrote on Tue, Jul 12, 2011 at 12:12:43 +0200:
> > > On Tue, Jul 12, 2011 at 12:56:42PM +0300, Daniel Shahaf wrote:
> > > >
> > > > The OpenSSL consumers I'm aware of are informed by OpenSSL of the
> > > > expiration and are given the option to ignore it.
> > > >
> > > > i.e., as opposed to outright aborting the connection, OpenSSL passes the
> > > > X509_V_ERR_CERT_HAS_EXPIRED flag to the application and it decides what
> > > > to do.
> > > >
> > > > [ I'm only describing how svn/ra_serf/serf/openssl works; I'm not an
> > > > expert at OpenSSL's API. ]
> > >
> > > So maybe it is Python's ssl module which does not evaluate that flag,
> > > thus we have to do it ourselves.
> >
> > Does offlineimap read the flag, or does it compare the cert's expiration
> > date to time.time() by hand?
>
> The latter. Python's ssl module does not offer all details
> available in openssl's API.
>
> http://docs.python.org/release/2.7.2/library/ssl.html
> does not mention "expire".
>
> Johannes
So the callback is definitely needed then.
And I've added the SO_KEEPALIVE.
Piers.
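
The by-hand expiry comparison discussed in this thread, as an added example (not code from OfflineIMAP, imaplib2 or any poster). The function name and the sample certificate dicts are constructed; the dict shape is the one returned by Python's SSLSocket.getpeercert().

```python
import ssl
import time


def check_validity_window(cert, now=None):
    """Check notBefore/notAfter of a getpeercert() dict against the clock.

    Returns (ok, reason). Fails closed: an empty dict (which getpeercert()
    returns when the peer certificate was not validated) or a missing or
    unparseable date is treated as a failure, never as "no expiry".
    """
    if not cert:
        return (False, "no validated certificate")
    if now is None:
        now = time.time()
    try:
        # cert_time_to_seconds() parses e.g. "Jan  5 09:34:43 2018 GMT" as UTC.
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, TypeError, ValueError):
        return (False, "missing or unparseable validity dates")
    if now < not_before:
        return (False, "not yet valid")
    if now > not_after:
        return (False, "expired")
    return (True, "ok")


# Constructed sample data: a fixed "current time" and three certificate dicts.
NOW = ssl.cert_time_to_seconds("Jul 13 00:13:20 2011 GMT")
VALID = {"notBefore": "Jan  1 00:00:00 2011 GMT",
         "notAfter": "Jan  1 00:00:00 2012 GMT"}
EXPIRED = {"notBefore": "Jan  1 00:00:00 2010 GMT",
           "notAfter": "Jul 12 00:00:00 2011 GMT"}
FUTURE = {"notBefore": "Aug  1 00:00:00 2011 GMT",
          "notAfter": "Aug  1 00:00:00 2012 GMT"}

if __name__ == "__main__":
    for name, cert in (("valid", VALID), ("expired", EXPIRED),
                       ("future", FUTURE), ("empty", {})):
        print(name, check_validity_window(cert, NOW))
```

The check depends on the local clock being correct and covers only the validity window; it does not replace chain or hostname verification.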