reverting recent SSL-related patches

Nicolas Sebrecht nicolas.s-dev at
Mon Jan 12 22:53:14 GMT 2015

On Mon, Jan 12, 2015 at 11:15:39PM +0100, Tomasz ┼╗ok wrote:
> On 2015-01-12 at 13:36, Nicolas Sebrecht wrote:

> > > I have a fix for this in my "next" since today.  It basically inhibits
> > > usage of OS-default CA bundle if cert_fingerprint is configured.
> > 
> > Which is what I was thinking first but I realized it's wrong. Since
> > there are defaults, users might want/expect OS-default CA bundle to
> > apply even if they manually add a fingerprint. But it can't be both
> > cases and we have to make a choice.
> Hmm, why do you say "it can't be both"? 

Having a default means that if a user doesn't configure the option, use
the OS-specific path. But some setups requires the "NO" CA configured in
the sense that no CA must be used at all.

> Hmm, why do you say "it can't be both"? Do we have to select one of
> 'sslcacertfile', OS-provided defaults or 'cert_fingerprint' a priori and then
> keep the decision unchanged?
> What would you say about the following authentication procedure: 
> (executed from 1 to 3 until successful)
> 1.  If 'sslcacertfile' points to an existing certstore (whatever format), try
>     authenticating with it
> 2.  If possible to find OS-provided CA certificates, try authenticating with it
> 3.  If 'cert_fingerprint' is set, try authenticating with it
> Here are some reasons why:
> -   Authenticating through certificate chain is more secure than through
>     fingerprint only (hence, the 'cert_fingerprint' as the last step)
> -   If user knows what he/she is doing, then let him/her override the
>     certificates' chain (hence, 'sslcacertfile' as the first step)
> -   By default, if user sets nothing, OfflineIMAP would try to use the
>     OS-provided certificates either way
> Only if all steps fail will OfflineIMAP stop with an error. 
> Maybe I am wrong on the conceptual level or maybe there are technical obstacles
> to implement such procedure? What are your opinions and comments?

You are right about the procedure. This is something I had in mind at
some point, too. But if it's possible, it's not optimized at all.

We try to improve OfflineIMAP with fast in mind. Users of OfflineIMAP
are "advanced" users (who would want a local Maildir in the general
audience?) So, in general we rather keep the soft as fast as possible. If
the CA path is set (whether from a default or manually), it must we
correct and don't try n CA Cert.

I am sorry because some of our last discussions (with Eygene) happened
off-list. He proposed what appears a very good fix: the configuration
option will accept the keyword 'OS-DEFAULT' (or similar value).
So, the sslcacertfile option will accept all possible use cases while
still avoiding regressions or wrong user expectations:

  # sslcacertfile = whatever

Option is commented: no default, no CA.

  sslcacertfile = OS-DEFAULT

Use the internal default path. Default CA is used.

  sslcacertfile = /path/to/ca

Use the user path to CA. User-defined CA is used.


Nicolas Sebrecht

More information about the OfflineIMAP-project mailing list