[PATCH v2] Re: Implement Server SSL fingerprint check
Nicolas Sebrecht
nicolas.s-dev at laposte.net
Fri Sep 2 21:08:16 BST 2011
On Tue, Aug 30, 2011 at 10:59:08PM +0200, Sebastian Spaeth wrote:
> If we connect to a SSL server (not STARTTLS) and no CA cert has been
> specified for verification, we check the configured SSL fingerprint and
> bail out in case it has not been set yet, or it does not match.
>
> This means one more mandatory option for SSL configuration, but it
> improves security a lot.
>
> Signed-off-by: Sebastian Spaeth <Sebastian at SSpaeth.de>
> ---
> Make Johannes happy. Use sha1 for fingerprinting, name the setting
> cert_fingerprint and even check fingerprint if cacertfile has been
> configured (if a fingerprint is given in the configuration).
I tend to agree with him, here.
> Changelog.draft.rst | 4 ++++
> offlineimap/imaplibutil.py | 22 ++++++++++++++++++++--
> offlineimap/imapserver.py | 2 ++
> offlineimap/repository/IMAP.py | 3 +++
> 4 files changed, 29 insertions(+), 2 deletions(-)
I guess we should update the documentation to reflect the
cert_fingerprint feature. ,-)
--
Nicolas Sebrecht
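The check the quoted commit message describes, as an added Python example that is not OfflineIMAP's code or the patch itself: a configured `cert_fingerprint` is always compared (also when `cacertfile` is set), and with neither setting the connection is refused. The function names are hypothetical, `cert_fingerprint` and `cacertfile` mirror the setting names in the message, and the DER bytes are constructed stand-ins, not a real certificate.

```python
import hashlib
import socket
import ssl
from typing import Optional

# Constructed sample standing in for a DER-encoded server certificate. These bytes are
# not a real certificate; they only let the fingerprint policy run offline.
SAMPLE_DER_CERT = b"constructed sample bytes standing in for a DER certificate"


class CertFingerprintError(Exception):
    """Raised when the server certificate is not acceptable under the configured policy."""


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA1 of the DER certificate as lower-case hex (the patch uses sha1)."""
    return hashlib.sha1(der_cert).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:...' and 'abcd...' spellings from a config file; compare a canonical form."""
    return value.replace(":", "").replace(" ", "").strip().lower()


def verify_server_cert(der_cert: bytes, cert_fingerprint: Optional[str],
                       cacertfile: Optional[str]) -> bool:
    """Hypothetical implementation of the policy in the commit message:

    - a configured cert_fingerprint is always checked, with or without cacertfile;
    - with neither cacertfile nor cert_fingerprint the connection is refused, since
      nothing would authenticate the server.
    Returns True when the certificate is acceptable, raises CertFingerprintError otherwise.
    """
    actual = sha1_fingerprint(der_cert)
    if cert_fingerprint:
        expected = normalize_fingerprint(cert_fingerprint)
        if expected != actual:
            raise CertFingerprintError(
                "server certificate fingerprint %s does not match configured %s"
                % (actual, expected))
        return True
    if cacertfile:
        # CA validation is left to the SSL layer; no fingerprint check was requested.
        return True
    raise CertFingerprintError(
        "no cacertfile and no cert_fingerprint configured; refusing to trust server "
        "certificate with fingerprint %s (set cert_fingerprint to pin it)" % actual)


def rejects(der_cert: bytes, cert_fingerprint: Optional[str], cacertfile: Optional[str]) -> bool:
    """True when verify_server_cert refuses this combination (convenience for callers/tests)."""
    try:
        verify_server_cert(der_cert, cert_fingerprint, cacertfile)
    except CertFingerprintError:
        return True
    return False


def fetch_server_fingerprint(host: str, port: int = 993, timeout: float = 10.0) -> str:
    """Fetch the server's leaf certificate once and return its SHA1 fingerprint, so an
    administrator can obtain the value for cert_fingerprint. Verification is disabled
    here because this call only retrieves the certificate; the returned value should be
    compared with one published by the server operator before it is pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha1_fingerprint(der)


if __name__ == "__main__":
    pinned = sha1_fingerprint(SAMPLE_DER_CERT)
    print("accepted with matching pin:", verify_server_cert(SAMPLE_DER_CERT, pinned, None))
    print("refused with no pin and no CA file:", rejects(SAMPLE_DER_CERT, None, None))
```

Pinning the leaf certificate this way means the configured value has to be updated whenever the server rotates its certificate, which is why a mismatch is reported with both the seen and the expected fingerprint rather than silently failing.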