cert_fingerprint errors on upgrade
gber at opensuse.org
Thu Jun 7 23:32:11 BST 2012
On 07.06.2012 23:02, Sebastian Spaeth wrote:
> Guido Berhoerster <gber at opensuse.org> wrote:
>> could you make offlineimap at least check the system certificates
>> by default? That should cover probably most cases and not inflict
>> pain on users and distributors dealing with the fallout. Those
>> few who host their mail on a server without a certificate trusted
>> by the system probably know how to deal with the situation.
> Hi, sure, I want to make things as easy as possible for users, but
> A) afaik there is not even a default location for system certificates among linux distributions, not to speak of different operating systems.
Yeah, this would need to be a distutils option (--with-ca-bundle= or
something like that) leaving it to the packagers to pass the correct
location at build time.
> B) should we try to match each existing ca cert file with the cert we received? How many are there, and what would be the perf implications?
> Is there a standard to check ca cert file locations?
Python's ssl module uses certificate bundles by default, i.e. you can
just pass the bundle location to the ca_certs argument of
ssl.wrap_socket() and it will at least do certificate validation using
all intermediary certificates in the bundle.
It should be noted though that neither your WrappedIMAP4_SSL open() nor
Python 2.x's ssl.wrap_socket provide much security to speak of, both
lack hostname verification and are thus vulnerable to MITM attacks and
there are apparently no validity period and CRL checks. Apparently
Python 3.2 has improved somewhat and can verify the hostname.
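
An added illustration, not part of the original message and not OfflineIMAP's code: the hostname check that the message says is missing, applied to a certificate dict in the form SSLSocket.getpeercert() returns, next to a client context that validates against a CA bundle. The names make_context, hostname_matches, SAMPLE_CERT and CN_ONLY_CERT are hypothetical, the certificates are constructed, and the matching rules are a simplified reading of RFC 6125 for DNS names only.

```python
import ssl


def make_context(ca_bundle=None):
    """Client context that checks the chain and the hostname.

    ca_bundle: path to a CA bundle file (assumed to come from the packager);
    None falls back to the platform's default trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    # create_default_context() already enables both; set explicitly for clarity.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _dns_match(pattern, hostname):
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, covering exactly one label.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return "*" not in pattern and p == h


def hostname_matches(cert, hostname):
    """cert: dict shaped like the return value of SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # commonName is consulted only when the certificate has no DNS SAN.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in names)


# Constructed sample certificates, not taken from any real server.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.org"),),),
    "subjectAltName": (("DNS", "imap.example.org"),
                       ("DNS", "*.mail.example.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "imap.example.org"),),)}
```

A certificate that chains to a trusted CA but was issued for a different name passes chain validation alone; hostname_matches() returning False is what rejects it.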