cert_fingerprint errors on upgrade

Guido Berhoerster gber at opensuse.org
Thu Jun 7 23:32:11 BST 2012

On 07.06.2012 23:02, Sebastian Spaeth wrote:
> Guido Berhoerster<gber at opensuse.org>  schrieb:
>> could you make offlineimap at least check the system certificates
>> by default? That should cover probably most cases and not inflict
>> pain on users and distributors dealing with the fallout. Those
>> few who host their mail on a server without a certificate trusted
>> by the system probably know how to deal with the situation.
> Hi, sure, I want to make things as easy as possible for users. but
> A) afaik there is not even a default location for system certificates among linux distributions, not to speak of different opeating systems.

Yeah, this would need to be a distutils option (--with-ca-bundle= or 
something like that) leaving it to the packagers to pass the correct 
location at build time.

> B) should we try to match each existing ca cert file we the cert we received? How many are that, and what woujld be the perf implications?
> Is there a standard to check ca cert file locations?

Python's ssl module uses certificate bundles by default, i.e. you can 
just pass the bundle location to the ca_certs argument of 
ssl.wrap_socket() and it will at least do certificate validation using 
all intermediary certificates in the bundle.

It should be noted though that neither your WrappedIMAP4_SSL open() nor 
Python 2.x's ssl.wrap_socket provide much security to speak of, both 
lack hostname verification and are thus vulnerable to MITM attacks and 
there are apparently no validity period and CRL checks. Apparently 
Python 3.2 has improved somewhat and can verify the hostname.
Guido Berhoerster

More information about the OfflineIMAP-project mailing list