From 871b1175f1418fb1cb1b25e5da805be1dfc2c565 Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 29 Apr 2021 14:24:15 +0200
Subject: [PATCH] disable verification of ssl certs via CA if fingerpint is set

Up to a4863b2 offlineimap did not include a default CA bundle. And folks who set cert_fingerprint (because they might connect to a host using a self-signed cert or an onion service without the onion address in the SANs) were able to validate their certificates.

Since a4863b2 you always have a `sslcacertfile` configured (since it always falls back to the os one) and thus the old way didn't work anymore.

If a use defines a `cert_fingerprint` there is not much use to validate the cert through the CA chain, since the fingerprint is the stronges verification you can get. Therefor we can disable verfication when `cert_fingerprint` is set.

This enables users to fetch emails again from onion services or hosts using self-signed certifcates, but doesn't question nor change any other behavior.

Fixes #41
---
 offlineimap/imapserver.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/offlineimap/imapserver.py b/offlineimap/imapserver.py
index bd377f7..c38bd78 100644
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@@ -95,6 +95,9 @@ class IMAPServer:
 self.__verifycert = None # Disable cert verification.
 # This way of working sucks hard...
 self.fingerprint = repos.get_ssl_fingerprint()
+ if self.fingerprint is not None:
+ self.__verifycert = None # if we have a cert fingerprint
+ # we do not require verfication via CA
 self.tlslevel = repos.gettlslevel()
 self.sslversion = repos.getsslversion()
 self.starttls = repos.getstarttls()
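Review bot: The new guard `if self.fingerprint is not None:` disables CA-chain verification for every non-None value, so if `repos.get_ssl_fingerprint()` yields an empty string or empty list when `cert_fingerprint` is unset (not visible from this hunk), every connection would silently lose CA verification; `if self.fingerprint:` is the safer guard because it covers None, "" and [] alike. The change also relies on the fingerprint comparison being enforced later regardless of `__verifycert` being None, which lies outside the hunk and should be stated where the flag is cleared, e.g. `# A configured cert_fingerprint is the stronger check: skip CA-chain verification and rely on the fingerprint match enforced at connect time.` Note that the first context line already assigns `self.__verifycert = None`; if that assignment is unconditional the new one is redundant, and if it sits under a condition (presumably the `sslcacertfile` check the description mentions) that condition is outside the hunk. The added comment has a typo (`verfication`) and is split across the assignment and the following line; one comment above the `if` reads better. IMAPServer.__init__ starts and ends outside the hunk.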