reverting recent SSL-related patches
Eygene Ryabinkin
rea at codelabs.ru
Sun Jan 18 08:24:47 GMT 2015
Tue, Jan 13, 2015 at 12:27:54PM +0300, Eygene Ryabinkin wrote:
> But Nicolas's point, which I currently support, is that this approach makes
> the default OS bundle location not a strict default: it will be
> used when there is no cert_fingerprint and it won't be used when people
> want fingerprinting. It creates a possible point of confusion, so our
> recent conversations on this topic and off-list were dedicated to
> finding a more sane solution. Seems like we had found one (that I was
> describing above), but I'll need to turn it into code and test.
>
> Once the patch is ready and tested, I'll post it here for review
> by interested parties, since there still seems to be some ground for
> discussion, but it is better to continue it having a working
> implementation of the proposed solution.
Well, I was slooow on this, but here we go:
http://codelabs.ru/patches/offlineimap/2015-Make-OS-default-CA-certificate-file-to-be-requested-expicitely.diff
You can request the OS-default bundle via
{{{
sslcacertfile = OS-DEFAULT
}}}
Distro maintainers can modify the stock (example) offlineimap.conf
to read
{{{
sslcacertfile = OS-DEFAULT
}}}
from the beginning to allow new users to use the default bundle automatically,
but the request will be explicit, so no false expectations will arise.
--
rea