reverting recent SSL-related patches

Michael Vogt michael.vogt at gmail.com
Tue Jan 13 07:48:43 UTC 2015


On Sun, Jan 11, 2015 at 12:08:52AM +0100, Nicolas Sebrecht wrote:
> Merge branch 'ns/fix-fingerprint' into next
[..]
> The cause is that they introduced a regression: the fingerprint option alone is
> not working anymore. Such configuration fails on a bad certificate (the one
> provided by the default locations).
[..]

First of all, thanks for your work on the offlineimap!

I feel strongly that the user should not have to configure a default
ca-certificates anywhere in its configuration file. I don't have to do
this with e.g. wget or curl or ldap, there is a default
(distro/os specific) that's used unless the user overrides this.

I'm probably missing something here but it seems that for those users
who have the fingerprint configured in the repo you simply unset
self.ca_certs in WrappedIMAP4_SSL for this imap repository and rely
entirely on the fingerprint. Something like (untested):

--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -145,6 +145,9 @@ class WrappedIMAP4_SSL(UsefulIMAPMixIn,
IMAP4_SSL):
         if 'fingerprint' in kwargs:
             del kwargs['fingerprint']
         super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
+        # fingerprint overrides the certs
+        if 'fingerprint' in kwargs:
+            self.ca_certs = None
 
     def open(self, host=None, port=None):
         if not self.ca_certs and not self._fingerprint:
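Review bot: the added `if 'fingerprint' in kwargs:` check can never be true at the point where it is placed, because the two context lines just above it already `del kwargs['fingerprint']` before `super(...).__init__` runs, so `self.ca_certs = None` is dead code and the fingerprint-only configuration would still fail the CA check. Read the key before it is deleted (e.g. `fingerprint = kwargs.pop('fingerprint', None)` and `if fingerprint: self.ca_certs = None`), or test `self._fingerprint`, which the `open()` method shown in the trailing context already consults.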

I imagine that people who use this option do not trust the cert chain
and use the fingerprint as a sort of cert-pinning so this should do
exactly what they want.

Cheers,
 Michael
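To make the policy in the message above concrete (a configured fingerprint acts as a pin and overrides the CA-chain result; without one the chain check decides), here is an added example of such a decision routine. It is not OfflineIMAP's code and not part of the original mail; it assumes a hex SHA-1 fingerprint of the DER-encoded certificate, and the certificate bytes used below are constructed, not a real certificate.

```python
import hashlib
import hmac


def normalise_fingerprint(fp):
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def cert_fingerprint(der_cert):
    """Hex SHA-1 over the DER bytes (assumed fingerprint format, hypothetical)."""
    return hashlib.sha1(der_cert).hexdigest()


def peer_accepted(der_cert, expected_fingerprint=None, ca_chain_ok=False):
    """Decide whether the server certificate is acceptable.

    - fingerprint configured: it is the only criterion (certificate pinning);
      the CA-chain result is ignored, matching the intent in the mail.
    - no fingerprint: fall back to whatever the CA-chain verification said.
    The comparison is constant-time so a mismatch leaks nothing about
    which bytes differed.
    """
    if expected_fingerprint:
        want = normalise_fingerprint(expected_fingerprint)
        got = cert_fingerprint(der_cert)
        return hmac.compare_digest(got, want)
    return ca_chain_ok


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes; not a real certificate.
    fake_der = b"constructed-not-a-real-certificate"
    pin = cert_fingerprint(fake_der)
    print("pinned, matching:   ", peer_accepted(fake_der, pin, ca_chain_ok=False))
    print("pinned, mismatching:", peer_accepted(fake_der, "00" * 20, ca_chain_ok=True))
    print("no pin, chain ok:   ", peer_accepted(fake_der, None, ca_chain_ok=True))
    print("no pin, chain bad:  ", peer_accepted(fake_der, None, ca_chain_ok=False))
```

The second case is the important one for the thread: with a pin configured, a certificate that the system CA bundle would accept is still rejected when its fingerprint does not match, which is what users who distrust the chain expect.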
