reverting recent SSL-related patches
Tomasz Żok
tomasz.zok at gmail.com
Mon Jan 12 22:15:39 GMT 2015
On 2015-01-12 at 13:36, Nicolas Sebrecht wrote:
> > I have a fix for this in my "next" since today. It basically inhibits
> > usage of OS-default CA bundle if cert_fingerprint is configured.
>
> Which is what I was thinking first but I realized it's wrong. Since
> there are defaults, users might want/expect OS-default CA bundle to
> apply even if they manually add a fingerprint. But it can't be both
> cases and we have to make a choice.
Hmm, why do you say "it can't be both"? Do we have to select one of
'sslcacertfile', OS-provided defaults or 'cert_fingerprint' a priori and then
keep the decision unchanged?
What would you say about the following authentication procedure:
(executed from 1 to 3 until successful)
1. If 'sslcacertfile' points to an existing certstore (whatever format), try
authenticating with it
2. If it is possible to find OS-provided CA certificates, try authenticating with them
3. If 'cert_fingerprint' is set, try authenticating with it
Here are some reasons why:
- Authenticating through a certificate chain is more secure than through a
fingerprint only (hence, 'cert_fingerprint' as the last step)
- If the user knows what he/she is doing, then let him/her override the
certificate chain (hence, 'sslcacertfile' as the first step)
- By default, if the user sets nothing, OfflineIMAP would try to use the
OS-provided certificates either way
Only if all steps fail will OfflineIMAP stop with an error.
Maybe I am wrong on the conceptual level, or maybe there are technical obstacles
to implementing such a procedure? What are your opinions and comments?
All the best,
Tomasz
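The three-step fallback proposed in the message above, sketched with Python's ssl module as an added illustration (this is not code from the post or from OfflineIMAP). The step names, the SHA-256 hex fingerprint format, and the `connect` hook that lets the network step be swapped out are assumptions; note that step 3 turns chain validation off on purpose, so the pin comparison is the only thing authenticating the server, and the returned list of earlier failures exists so a pin that rescues a connection after a chain failure can be logged rather than pass silently.

```python
import hashlib
import hmac
import os
import socket
import ssl

def fingerprint(der_cert, algo="sha256"):
    """Hex digest of the DER-encoded leaf certificate, the value a pin is compared against."""
    return hashlib.new(algo, der_cert).hexdigest()

def fingerprint_matches(der_cert, expected):
    """Constant-time comparison; accepts bare or colon-separated hex, any case."""
    return hmac.compare_digest(fingerprint(der_cert), expected.replace(":", "").lower())

def tls_connect(ctx, host, port):
    """Network step: perform the handshake under ctx and return the peer's DER certificate."""
    with socket.create_connection((host, port), timeout=30) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verification_steps(sslcacertfile=None, cert_fingerprint=None):
    """Steps 1-3 of the post, in order: (name, context factory, acceptance check on the peer cert)."""
    chain_ok = lambda der: True  # the handshake itself already validated the chain
    steps = [("os-default", ssl.create_default_context, chain_ok)]  # 2. OS-provided CA bundle
    if sslcacertfile and os.path.isfile(sslcacertfile):  # 1. user-supplied CA store goes first
        steps.insert(0, ("sslcacertfile", lambda: ssl.create_default_context(cafile=sslcacertfile), chain_ok))

    def pinned_context():
        # 3. Chain validation failed above, so it is disabled here on purpose: the pin check
        # in fingerprint_matches is then the only thing authenticating the server.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cert_fingerprint:
        steps.append(("cert_fingerprint", pinned_context, lambda der: fingerprint_matches(der, cert_fingerprint)))
    return steps

def authenticate(host, port, sslcacertfile=None, cert_fingerprint=None, connect=tls_connect):
    """Run the steps until one succeeds; return (step name, earlier failures) or raise when all fail."""
    failures = []
    for name, make_context, accept in verification_steps(sslcacertfile, cert_fingerprint):
        try:  # a malformed sslcacertfile raises from make_context and simply fails step 1
            der = connect(make_context(), host, port)
        except (ssl.SSLError, OSError) as exc:
            failures.append("%s: %s" % (name, exc))
            continue
        if accept(der):
            return name, failures  # log these: a pin succeeding after a chain failure is worth noticing
        failures.append("%s: fingerprint mismatch" % name)
    raise ssl.SSLError("all verification steps failed: " + "; ".join(failures))
```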