disable verification of ssl certs via CA if fingerpint is set

Up to a4863b2 offlineimap did not include a default CA bundle. And folks who set cert_fingerprint (because they might connect to a host using a self-signed cert or an onion service without the onion address in the SANs) were able to validate their certificates. Since a4863b2 you always have a `sslcacertfile` configured (since it always falls back to the os one) and thus the old way didn't work anymore. If a use defines a `cert_fingerprint` there is not much use to validate the cert through the CA chain, since the fingerprint is the stronges verification you can get. Therefor we can disable verfication when `cert_fingerprint` is set. This enables users to fetch emails again from onion services or hosts using self-signed certifcates, but doesn't question nor change any other behavior. Fixes #41
2021-04-29 14:24:15 +02:00 · 2021-04-29 14:24:15 +02:00 · 871b1175f1
commit 871b1175f1
parent 1e7ef9e7e6
1 changed files with 3 additions and 0 deletions
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@ -95,6 +95,9 @@ class IMAPServer:
            self.__verifycert = None  # Disable cert verification.
            # This way of working sucks hard...
        self.fingerprint = repos.get_ssl_fingerprint()
+        if self.fingerprint is not None:
+            self.__verifycert = None  # if we have a cert fingerprint
+            # we do not require verfication via CA
        self.tlslevel = repos.gettlslevel()
        self.sslversion = repos.getsslversion()
        self.starttls = repos.getstarttls()