reverting recent SSL-related patches

Nicolas Sebrecht nicolas.s-dev at laposte.net
Tue Jan 13 09:15:54 GMT 2015


On Tue, Jan 13, 2015 at 08:48:43AM +0100, Michael Vogt wrote:

> I feel strongly that the user should not have to configure a default
> ca-certificates anywhere in its configuration file. I don't have to do
> this with e.g. wget or curl or ldap, there is a default
> (distro/os specific) that's used unless the user overrides this.

Sadly, I'm not sure that we can fairly compare CAs for the web and
those for IMAP. This is all about how distro maintainers are concerned
about IMAP CA Certs.

I wonder if distro maintainers do their job for OfflineIMAP as well as
for wget, curl or ldap. They have to both fix the possibly-tuned path to
the CA Bundle and fix the CA Cert if it is wrong. The feedback we had is
that the user-defined fingerprint option was correct but the default
OS-defined CA Cert failed.

Also, I'm thinking about a certain number of users who use
non-widespread IMAP servers that distro maintainers are not aware of.
For them, the provided CA Bundle will fail.

> I'm probably missing something here but it seems that for those users
> who have the fingerprint configured in the repo you simply unset
> self.ca_certs in WrappedIMAP4_SSL for this imap repository and rely
> entirely on the fingerprint. Something like (untested):

You can't do that because you might want both fingerprint AND CA Cert.
The worst is that for those in this configuration it would silently
stop honoring the user-defined CA Cert.

I guess Eygene will publish a fix soon. ,-)

Thank you.

-- 
Nicolas Sebrecht
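Added example (not code from OfflineIMAP or from either poster) of the policy the message argues for: chain verification stays on whether or not a fingerprint is configured, a user-defined CA bundle replaces the OS default rather than being dropped, and when both checks are configured both must pass. The SAMPLE_DER bytes are constructed for the demo and are not a real certificate; build_context, fingerprint_ok and peer_accepted are hypothetical helper names.

```python
import hashlib
import ssl

# Constructed stand-in for a server's DER-encoded certificate (not a real
# certificate): only its hash matters for the fingerprint check below.
SAMPLE_DER = b"constructed-der-bytes-for-demo"
SAMPLE_FP = hashlib.sha1(SAMPLE_DER).hexdigest()


def build_context(ca_certs=None):
    """Chain verification is always required. A user-defined CA bundle
    replaces the distro/OS default; it is never unset just because a
    fingerprint is also configured."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_certs:
        ctx.load_verify_locations(cafile=ca_certs)  # user-defined CA bundle
    else:
        ctx.load_default_certs()                    # distro/OS default bundle
    return ctx


def fingerprint_ok(der_cert, expected):
    """Pin check: compare the SHA-1 of the peer's DER certificate against
    the configured fingerprints (hex, case- and colon-insensitive).
    No fingerprints configured means the pin check is not in use."""
    if not expected:
        return True
    got = hashlib.sha1(der_cert).hexdigest()
    return any(got == fp.replace(":", "").lower() for fp in expected)


def peer_accepted(der_cert, chain_verified, fingerprints):
    """Policy: both checks must pass when both are configured.
    chain_verified is the outcome of the handshake made under build_context()
    (a failed chain normally raises ssl.SSLError; it is a flag here)."""
    return bool(chain_verified) and fingerprint_ok(der_cert, fingerprints)
```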