From 632f1fe61f9e7700ac46a5a077d94fe652be2a09 Mon Sep 17 00:00:00 2001 From: Daniel Shahaf Date: Sun, 8 May 2011 22:55:55 +0300 Subject: [PATCH] FAQ: add two entries concerning 'sslcacertfile' Add a FAQ entry about non-verifying SSL certificates by default, and another about how to generate a certificates file to feed to the 'sslcacertfile' repository configuration item. Signed-off-by: Daniel Shahaf Signed-off-by: Nicolas Sebrecht --- docs/FAQ.rst | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/FAQ.rst b/docs/FAQ.rst index fcc55b3..ae4fbe2 100644 --- a/docs/FAQ.rst +++ b/docs/FAQ.rst @@ -22,6 +22,7 @@ Please feel free to ask questions and/or provide answers; send email to the .. _mailing list: http://lists.alioth.debian.org/mailman/listinfo/offlineimap-project .. _OfflineIMAP: https://github.com/nicolas33/offlineimap +.. _ssl.wrap_socket: http://docs.python.org/library/ssl.html#ssl.wrap_socket OfflineIMAP 
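Review bot: the new link target `.. _ssl.wrap_socket: http://docs.python.org/library/ssl.html#ssl.wrap_socket` is an unversioned URL, so it follows whichever Python release docs.python.org happens to serve and the `#ssl.wrap_socket` anchor can silently stop matching the API the FAQ describes; since the FAQ is documenting the Python 2 `ssl` module's `wrap_socket`, consider pointing at a versioned path (for example under `docs.python.org/release/2.7/library/ssl.html`) so the reference stays stable.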
@@ -252,6 +253,33 @@ What is the mailbox name recorder (mbnames) for? Some mail readers, such as mutt, are not capable of automatically determining the names of your mailboxes. OfflineIMAP can help these programs by writing the names of the folders in a format you specify. See the example offlineimap.conf for details. +Does OfflineIMAP verify SSL certificates? +----------------------------------------- + +By default, no. However, as of version 6.3.2, it is possible to enforce verification +of SSL certificate on a per-repository basis by setting the `sslcacertfile` option in the +config file. (See the example offlineimap.conf for details.) + +How do I generate an `sslcacertfile` file? +------------------------------------------ + +The `sslcacertfile` file must contain an SSL certificate (or a concatenated +certificates chain) in PEM format. (See the documentation of +`ssl.wrap_socket`_'s `certfile` parameter for the gory details.) The following +command should generate a file in the proper format:: + + openssl s_client -CApath /etc/ssl/certs -connect ${hostname}:imaps -showcerts \ + | perl -ne 'print if /BEGIN/../END/; print STDERR if /return/' > $sslcacertfile + ^D + +Before using the resulting file, ensure that openssl verified the certificate +successfully. + +The path `/etc/ssl/certs` is not standardized; your system may store +SSL certificates elsewhere. (On some systems it may be in +`/usr/local/share/certs/`.) + + IMAP Server Notes =================
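Review bot: the new "How do I generate an `sslcacertfile` file?" entry sends readers to the wrong parameter: "See the documentation of `ssl.wrap_socket`_'s `certfile` parameter" refers to the local side's own certificate and private key, whereas the PEM bundle used to verify the peer is the `ca_certs` parameter (in combination with `cert_reqs=CERT_REQUIRED`); the sentence should name `ca_certs`. Two further problems with the recipe itself: `print if /BEGIN/../END/` over `-showcerts` output captures the server's leaf certificate along with the chain, so the generated file pins today's server certificate and verification will start failing as soon as the server renews it, which the text should say (or it should advise keeping only the issuing CA certificate, e.g. the matching entry from `/etc/ssl/certs`); and because whatever the pipeline fetched becomes trusted from then on, a man-in-the-middle during this single run would be trusted permanently, so "ensure that openssl verified the certificate successfully" needs to be explicit that the `Verify return code` line echoed to stderr must read `0 (ok)` and that the file must be discarded otherwise. Minor: the bare `^D` inside the `::` literal block will render as if it were part of the command; replace it with a sentence saying that `s_client` waits for input on stdin, or terminate it with `</dev/null`.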