[PATCH v2] Re: Implement Server SSL fingerprint check

Nicolas Sebrecht nicolas.s-dev at laposte.net
Fri Sep 2 21:08:16 BST 2011


On Tue, Aug 30, 2011 at 10:59:08PM +0200, Sebastian Spaeth wrote:
> If we connect to a SSL server (not STARTTLS) and no CA cert has been
> specified for verification, we check the configured SSL fingerprint and
> bail out in case it has not been set yet, or it does not match.
> 
> This means one more mandatory option for SSL configuration, but it
> improves security a lot.
> 
> Signed-off-by: Sebastian Spaeth <Sebastian at SSpaeth.de>
> ---
> Make Johannes happy. Use sha1 for fingerprinting, name the setting
> cert_fingerprint and even check fingerprint if cacertfile has been
> configured (if a fingerprint is given in the configuration).

I tend to agree with him, here.

>  Changelog.draft.rst            |    4 ++++
>  offlineimap/imaplibutil.py     |   22 ++++++++++++++++++++--
>  offlineimap/imapserver.py      |    2 ++
>  offlineimap/repository/IMAP.py |    3 +++
>  4 files changed, 29 insertions(+), 2 deletions(-)

I guess we should update the documentation to reflect the
cert_fingerprint feature. ,-)

-- 
Nicolas Sebrecht




More information about the OfflineIMAP-project mailing list