reverting recent SSL-related patches

Tomasz Żok tomasz.zok at gmail.com
Mon Jan 12 22:15:39 UTC 2015


On 2015-01-12 at 13:36, Nicolas Sebrecht wrote:
> > I have a fix for this in my "next" since today.  It basically inhibits
> > usage of OS-default CA bundle if cert_fingerprint is configured.
> 
> Which is what I was thinking first but I realized it's wrong. Since
> there are defaults, users might want/expect OS-default CA bundle to
> apply even if they manually add a fingerprint. But it can't be both
> cases and we have to make a choice.

Hmm, why do you say "it can't be both"? Do we have to select one of
'sslcacertfile', OS-provided defaults or 'cert_fingerprint' a priori and then
keep the decision unchanged?


What would you say about the following authentication procedure
(executed from 1 to 3 until successful)?
1.  If 'sslcacertfile' points to an existing certstore (whatever format), try
    authenticating with it
2.  If possible to find OS-provided CA certificates, try authenticating with it
3.  If 'cert_fingerprint' is set, try authenticating with it

Here are some reasons why:
-   Authenticating through a certificate chain is more secure than through a
    fingerprint only (hence, 'cert_fingerprint' as the last step)
-   If user knows what he/she is doing, then let him/her override the
    certificates' chain (hence, 'sslcacertfile' as the first step)
-   By default, if user sets nothing, OfflineIMAP would try to use the
    OS-provided certificates either way

Only if all steps fail will OfflineIMAP stop with an error.


Maybe I am wrong on the conceptual level, or maybe there are technical obstacles
to implementing such a procedure? What are your opinions and comments?

All the best,
Tomasz
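The three-step fallback proposed above, written out as a small Python sketch. This is an added illustration, not OfflineIMAP's code: the step names, the `chain_ok` callback (standing in for the TLS handshake that actually validates the chain) and the assumption that `cert_fingerprint` is a SHA-1 hex digest of the DER certificate are all mine. It returns which step accepted the certificate, so the caller can see whether a CA check or only the pinned fingerprint succeeded.

```python
import hashlib
import os
import ssl


def planned_steps(sslcacertfile, cert_fingerprint):
    """Ordered steps from the proposal: CA file, OS bundle, then fingerprint.
    Steps whose configuration is absent are skipped rather than attempted."""
    steps = []
    if sslcacertfile and os.path.isfile(sslcacertfile):
        steps.append("sslcacertfile")
    steps.append("os-ca-bundle")  # always tried; fails at handshake if no bundle
    if cert_fingerprint:
        steps.append("cert_fingerprint")
    return steps


def context_for(step, sslcacertfile=None):
    """Build the SSLContext for the two chain-based steps (hypothetical helper)."""
    ctx = ssl.create_default_context()  # step 2: OS-provided CA certificates
    if step == "sslcacertfile":         # step 1: user-supplied certstore only
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        ctx.load_verify_locations(cafile=sslcacertfile)
    return ctx


def sha1_hex(der_cert):
    return hashlib.sha1(der_cert).hexdigest()


def fingerprint_matches(der_cert, expected_hex):
    """Step 3: compare the DER certificate's SHA-1 digest (assumed format)."""
    return sha1_hex(der_cert) == expected_hex.replace(":", "").lower()


def verify_with_fallback(der_cert, sslcacertfile, cert_fingerprint, chain_ok):
    """Try each step in order; chain_ok(ctx) performs the real chain check.
    Returns the name of the first step that succeeded, or None if all failed."""
    for step in planned_steps(sslcacertfile, cert_fingerprint):
        if step == "cert_fingerprint":
            if fingerprint_matches(der_cert, cert_fingerprint):
                return step
            continue
        try:
            if chain_ok(context_for(step, sslcacertfile)):
                return step
        except (ssl.SSLError, OSError):
            pass  # chain check failed or certstore unusable: fall through
    return None


# Constructed stand-in for a server's DER certificate (not a real certificate).
SAMPLE_DER = b"constructed-der-bytes-for-illustration"
PINNED = sha1_hex(SAMPLE_DER)
```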


