FAQ: add two entries concerning 'sslcacertfile'
Add a FAQ entry about non-verifying SSL certificates by default, and another about how to generate a certificates file to feed to the 'sslcacertfile' repository configuration item.

Signed-off-by: Daniel Shahaf <d.s@daniel.shahaf.name>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
parent 40900dcfb6
commit 632f1fe61f
28
docs/FAQ.rst
@ -22,6 +22,7 @@ Please feel free to ask questions and/or provide answers; send email to the
|
|||||||
|
|
||||||
.. _mailing list: http://lists.alioth.debian.org/mailman/listinfo/offlineimap-project
|
.. _mailing list: http://lists.alioth.debian.org/mailman/listinfo/offlineimap-project
|
||||||
.. _OfflineIMAP: https://github.com/nicolas33/offlineimap
|
.. _OfflineIMAP: https://github.com/nicolas33/offlineimap
|
||||||
|
.. _ssl.wrap_socket: http://docs.python.org/library/ssl.html#ssl.wrap_socket
|
||||||
|
|
||||||
|
|
||||||
OfflineIMAP
|
OfflineIMAP
|
||||||
@ -252,6 +253,33 @@ What is the mailbox name recorder (mbnames) for?
|
|||||||
|
|
||||||
Some mail readers, such as mutt, are not capable of automatically determining the names of your mailboxes. OfflineIMAP can help these programs by writing the names of the folders in a format you specify. See the example offlineimap.conf for details.
|
Some mail readers, such as mutt, are not capable of automatically determining the names of your mailboxes. OfflineIMAP can help these programs by writing the names of the folders in a format you specify. See the example offlineimap.conf for details.
|
||||||
|
|
||||||
|
Does OfflineIMAP verify SSL certificates?
|
||||||
|
-----------------------------------------
|
||||||
|
|
||||||
|
By default, no. However, as of version 6.3.2, it is possible to enforce verification
|
||||||
|
of SSL certificate on a per-repository basis by setting the `sslcacertfile` option in the
|
||||||
|
config file. (See the example offlineimap.conf for details.)
|
||||||
|
|
||||||
|
How do I generate an `sslcacertfile` file?
|
||||||
|
------------------------------------------
|
||||||
|
|
||||||
|
The `sslcacertfile` file must contain an SSL certificate (or a concatenated
|
||||||
|
certificates chain) in PEM format. (See the documentation of
|
||||||
|
`ssl.wrap_socket`_'s `certfile` parameter for the gory details.) The following
|
||||||
|
command should generate a file in the proper format::
|
||||||
|
|
||||||
|
openssl s_client -CApath /etc/ssl/certs -connect ${hostname}:imaps -showcerts \
|
||||||
|
| perl -ne 'print if /BEGIN/../END/; print STDERR if /return/' > $sslcacertfile
|
||||||
|
^D
|
||||||
|
|
||||||
|
Before using the resulting file, ensure that openssl verified the certificate
|
||||||
|
successfully.
|
||||||
|
|
||||||
|
The path `/etc/ssl/certs` is not standardized; your system may store
|
||||||
|
SSL certificates elsewhere. (On some systems it may be in
|
||||||
|
`/usr/local/share/certs/`.)
|
||||||
|
|
||||||
|
|
||||||
IMAP Server Notes
|
IMAP Server Notes
|
||||||
=================
|
=================
|
||||||
|
|
||||||
|
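Review bot: The command under "How do I generate an `sslcacertfile` file?" redirects whatever certificates the server presented into `$sslcacertfile` whether or not verification succeeded, and the follow-up sentence "ensure that openssl verified the certificate successfully" does not say what to look for. The perl filter already echoes lines matching `/return/` to stderr, so the text should name the expected line (`Verify return code: 0 (ok)` in `openssl s_client` output) and tell the reader to discard the file on any other result. Writing to a temporary file and moving it into place only after that check would make the failure case safer. The `^D` inside the literal block is a keystroke that ends input to `s_client`, not part of the command, so it should be explained in the text or moved out of the block. Minor wording: "of SSL certificate" should read "of SSL certificates", and "concatenated certificates chain" should read "concatenated certificate chain".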