Implement SSL certificate checking

Previously, we did not check at all the authenticity and validity of
the SSL server we connected to. This is bad as it allows
man-in-the-middle attacks etc. This patch remedies the situation
somewhat.

If we specify a sslcacertfile= setting in the Repository section,
validate the server cert (on python>=2.6 or abort with python<=2.5).

As before, no certificate check is performed without that option.
In the future, the hostname check should be made optional and also
a mutt-like "accept this certificate forever" thing should be
implemented.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
Sebastian
2010-12-16 12:43:47 +00:00
committed by Nicolas Sebrecht
parent 219eb8c47f
commit 4f57b94e23
4 changed files with 134 additions and 57 deletions


@@ -100,7 +100,8 @@ class IMAPServer:
def __init__(self, config, reposname,
username = None, password = None, hostname = None,
port = None, ssl = 1, maxconnections = 1, tunnel = None,
reference = '""', sslclientcert = None, sslclientkey = None):
reference = '""', sslclientcert = None, sslclientkey = None,
sslcacertfile= None):
self.reposname = reposname
self.config = config
self.username = username
@@ -113,6 +114,7 @@ class IMAPServer:
self.usessl = ssl
self.sslclientcert = sslclientcert
self.sslclientkey = sslclientkey
self.sslcacertfile = sslcacertfile
self.delim = None
self.root = None
if port == None:
@@ -253,7 +255,8 @@ class IMAPServer:
elif self.usessl:
UIBase.getglobalui().connecting(self.hostname, self.port)
imapobj = UsefulIMAP4_SSL(self.hostname, self.port,
self.sslclientkey, self.sslclientcert)
self.sslclientkey, self.sslclientcert,
cacertfile = self.sslcacertfile)
else:
UIBase.getglobalui().connecting(self.hostname, self.port)
imapobj = UsefulIMAP4(self.hostname, self.port)
@@ -414,6 +417,7 @@ class ConfigedIMAPServer(IMAPServer):
ssl = self.repos.getssl()
sslclientcert = self.repos.getsslclientcert()
sslclientkey = self.repos.getsslclientkey()
sslcacertfile = self.repos.getsslcacertfile()
reference = self.repos.getreference()
server = None
password = None
@@ -435,4 +439,5 @@ class ConfigedIMAPServer(IMAPServer):
self.repos.getmaxconnections(),
reference = reference,
sslclientcert = sslclientcert,
sslclientkey = sslclientkey)
sslclientkey = sslclientkey,
sslcacertfile = sslcacertfile)
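Review bot: In the `elif self.usessl:` branch, `cacertfile = self.sslcacertfile` is passed through even when it is `None`, and per the commit description that means the TLS session is set up with no certificate check at all, so the default configuration stays open to man-in-the-middle interception with no signal to the user. I would make the unverified case visible at this call site, e.g. guard with `if self.sslcacertfile is None:` and emit a warning through the global UI object that the server certificate is not being verified, and document the new `__init__` parameter with a comment such as `# sslcacertfile: path to the CA bundle used to verify the server cert; None disables verification`. Whether `getsslcacertfile()` checks that the configured path exists and is readable is not visible here; if it does not, a mistyped path should fail at configuration time rather than at connect time. The bodies of `__init__` and of the connection method continue outside the hunks shown.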