[PATCH] Check SSL certificate for expiration

Sebastian Spaeth Sebastian at SSpaeth.de
Tue Jun 14 08:24:49 BST 2011

On Mon, 13 Jun 2011 22:24:55 +0200, Sven Kirmess <sven.kirmess at kzone.ch> wrote:
> On Sat, Jun 11, 2011 at 21:35, Sebastian Spaeth <Sebastian at sspaeth.de>wrote:
> > We currently don't care about expiration dates of the servers SSL
> > certificate. This patch adds a check that fails Cert verification when
> > it is past its due date. There is no way or option to override this
> > check.
> >
> Will that just report a warning? Or will this make it impossible to sync
> against a server with an expired certificate?

"There is no way or option to override this check."  :-)

For now, it will fail hard and abort syncing. So you would have to stop
using CA CERT verification if you want to use an expired cert. 

My reason for this is: 1) I wanted to keep the patch simple, we can get
all fancy based on feedback as followup 2) CA CERT verification *did*
fail, and a simple WARNING in the log is bound to be ignored by
everyone. Perhaps we should only continue if you pass in
--IGNORE_EXPIRED_CERTS as a command line option :-).

I mainly wanted to bring in the patch into play before it bit rots.

I still plan to have a second option of SSL cert cehcking that simply
presents a fingerprint and allows you to permanently accept this
certificate, just like mutt (and ssh) do. This option would not care
about expiration dates at all and just look for an unchanged SSL

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20110614/36113a02/attachment-0001.sig>

More information about the OfflineIMAP-project mailing list