[PATCH] Check SSL certificate for expiration

Sebastian Spaeth Sebastian at SSpaeth.de
Sat Jun 11 20:35:38 BST 2011

We currently don't care about expiration dates of the servers SSL
certificate. This patch adds a check that fails Cert verification when
it is past its due date. There is no way or option to override this

Unfortunately we only seem to be able to get SSL certificate data when
we passed in a CA cert file? How do we get that date when we don't have
a ca cert file?

Signed-off-by: Sebastian Spaeth <Sebastian at SSpaeth.de>
Based against next. Do we need a way to override this? And how do I get
a servers SSL expiration date in python when we don't have a CA CERT to
pass in?

 offlineimap/imaplibutil.py |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index f501af6..20ab336 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -229,6 +229,13 @@ class WrappedIMAP4_SSL(UsefulIMAPMixIn, IMAP4_SSL):
         dnsname = hostname.lower()
         certnames = []
+        # cert expired?
+        notafter = cert.get('notAfter') 
+        if notafter:
+            if time.time() >= ssl.cert_time_to_seconds(notafter):
+                return ('server certificate error: certificate expired %s'
+                        ) % notafter
         # First read commonName
         for s in cert.get('subject', []):
             key, value = s[0]

More information about the OfflineIMAP-project mailing list