disable verification of ssl certs via CA if fingerprint is set #66
Up to a4863b2 offlineimap did not include a default CA bundle. And folks who set cert_fingerprint (because they might connect to a host using a self-signed cert or an onion service without the onion address in the SANs) were able to validate their certificates. Since a4863b2 you always have a sslcacertfile configured (since it always falls back to the os one) and thus the old way didn't work anymore.

If a user defines a cert_fingerprint there is not much use to validate the cert through the CA chain, since the fingerprint is the strongest verification you can get. Therefore we can disable verification when cert_fingerprint is set.

This enables users to fetch emails again from onion services or hosts using self-signed certificates, but doesn't question nor change any other behavior.
Fixes #41
Debian reverted a4863b2 (https://bugs.debian.org/981338) - Fedora just switched to offlineimap3 and thus that issue will also pop up there and thus more and more users will have issues.
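
The behaviour described above, as an added Python example (not offlineimap's code and not part of this pull request): when a fingerprint is configured, CA and hostname checks are switched off and the pin comparison becomes the only check, so it has to fail closed. The function names, the constructed sample bytes and the choice to accept only SHA-256/384/512 pins are assumptions of this example.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> algorithm. Assumption of this example: SHA-1 and MD5
# length pins are not accepted.
_ALGS = {64: hashlib.sha256, 96: hashlib.sha384, 128: hashlib.sha512}

# Constructed placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"


def normalize(fp):
    """Lower-case a configured fingerprint and drop ':' and space separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der_cert, configured):
    """True if the DER certificate hashes to one of the configured pins."""
    for pin in map(normalize, configured):
        alg = _ALGS.get(len(pin))
        if alg is None:
            continue  # unknown digest length: never a match
        digest = alg(der_cert).hexdigest().encode()
        if hmac.compare_digest(digest, pin.encode()):
            return True
    return False


def build_context(fingerprints, cafile=None):
    """Usable pin set: skip CA and hostname checks. Otherwise verify via CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    if any(len(normalize(fp)) in _ALGS for fp in fingerprints):
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_peer(tls_sock, fingerprints):
    """Call right after the handshake; raises unless a pin matches."""
    # binary_form=True returns the DER bytes even when verify_mode is CERT_NONE.
    der = tls_sock.getpeercert(binary_form=True)
    if not der or not fingerprint_matches(der, fingerprints):
        tls_sock.close()
        raise ssl.SSLError("certificate does not match cert_fingerprint")
```

An empty or unusable pin list leaves the context in its default CA-verifying state, so a misconfigured fingerprint never results in a connection with no verification at all.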