disable verification of ssl certs via CA if fingerprint is set
Up to a4863b2 offlineimap did not include a default CA bundle. And
folks who set cert_fingerprint (because they might connect to a
host using a self-signed cert or an onion service without the onion
address in the SANs) were able to validate their certificates.

Since a4863b2 you always have a `sslcacertfile` configured (since
it always falls back to the os one) and thus the old way didn't
work anymore.

If a user defines a `cert_fingerprint` there is not much use to
validate the cert through the CA chain, since the fingerprint
is the strongest verification you can get. Therefore we can disable
verification when `cert_fingerprint` is set.

This enables users to fetch emails again from onion services or
hosts using self-signed certificates, but doesn't question nor
change any other behavior.

Fixes #41
duritong committed Apr 29, 2021
1 parent 1e7ef9e commit 871b117
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions offlineimap/imapserver.py
Expand Up @@ -95,6 +95,9 @@ def __init__(self, repos):
self.__verifycert = None # Disable cert verification.
# This way of working sucks hard...
self.fingerprint = repos.get_ssl_fingerprint()
if self.fingerprint is not None:
self.__verifycert = None # if we have a cert fingerprint
# we do not require verfication via CA
self.tlslevel = repos.gettlslevel()
self.sslversion = repos.getsslversion()
self.starttls = repos.getstarttls()
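
Review bot: The added `if self.fingerprint is not None:` branch clears `self.__verifycert` unconditionally, so a user who sets both `cert_fingerprint` and an explicit `sslcacertfile` silently loses chain validation, and the fingerprint comparison becomes the only check on the server's identity. Consider clearing `__verifycert` only when `sslcacertfile` came from the OS fallback described in the commit message, or at least document the precedence next to `cert_fingerprint` in the sample configuration and log when CA verification is skipped. Because nothing else authenticates the peer on this path, the fingerprint check has to fail closed on a mismatch; that code is outside this hunk, so it is worth confirming before merge. Minor: the new comment misspells "verification" as "verfication".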