disable verification of ssl certs via CA if fingerpint is set #66
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Up to a4863b2 offlineimap did not include a default CA bundle. And folks who set cert_fingerprint (because they might connect to a host using a self-signed cert or an onion service without the onion address in the SANs) were able to validate their certificates. Since a4863b2 you always have a `sslcacertfile` configured (since it always falls back to the os one) and thus the old way didn't work anymore. If a use defines a `cert_fingerprint` there is not much use to validate the cert through the CA chain, since the fingerprint is the stronges verification you can get. Therefor we can disable verfication when `cert_fingerprint` is set. This enables users to fetch emails again from onion services or hosts using self-signed certifcates, but doesn't question nor change any other behavior. Fixes OfflineIMAP#41
duritong
force-pushed
the
fix-fingerprint-verification
branch
from
a31e515
to
871b117
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Up to a4863b2 offlineimap did not include a default CA bundle. And
folks who set cert_fingerprint (because they might connect to a
host using a self-signed cert or an onion service without the onion
address in the SANs) were able to validate their certificates.
Since a4863b2 you always have a
sslcacertfileconfigured (sinceit always falls back to the os one) and thus the old way didn't
work anymore.
If a use defines a
cert_fingerprintthere is not much use tovalidate the cert through the CA chain, since the fingerprint
is the stronges verification you can get. Therefor we can disable
verfication when
cert_fingerprintis set.This enables users to fetch emails again from onion services or
hosts using self-signed certifcates, but doesn't question nor
change any other behavior.
Fixes #41
Debian reverted a4863b2 (https://bugs.debian.org/981338) - Fedora just switched to offlineimap3 and thus that issue will also popup there and thus more and more users will have issues.