disable verification of ssl certs via CA if fingerprint is set

Up to a4863b2 offlineimap did not include a default CA bundle. And folks who set cert_fingerprint (because they might connect to a host using a self-signed cert or an onion service without the onion address in the SANs) were able to validate their certificates. Since a4863b2 you always have a `sslcacertfile` configured (since it always falls back to the os one) and thus the old way didn't work anymore. If a user defines a `cert_fingerprint` there is not much use to validate the cert through the CA chain, since the fingerprint is the strongest verification you can get. Therefore we can disable verification when `cert_fingerprint` is set. This enables users to fetch emails again from onion services or hosts using self-signed certificates, but doesn't question nor change any other behavior.

Fixes #41
parent 1e7ef9e7e6
commit 871b1175f1
@ -95,6 +95,9 @@ class IMAPServer:
|
|||||||
self.__verifycert = None # Disable cert verification.
|
self.__verifycert = None # Disable cert verification.
|
||||||
# This way of working sucks hard...
|
# This way of working sucks hard...
|
||||||
self.fingerprint = repos.get_ssl_fingerprint()
|
self.fingerprint = repos.get_ssl_fingerprint()
|
||||||
|
if self.fingerprint is not None:
|
||||||
|
self.__verifycert = None # if we have a cert fingerprint
|
||||||
|
# we do not require verfication via CA
|
||||||
self.tlslevel = repos.gettlslevel()
|
self.tlslevel = repos.gettlslevel()
|
||||||
self.sslversion = repos.getsslversion()
|
self.sslversion = repos.getsslversion()
|
||||||
self.starttls = repos.getstarttls()
|
self.starttls = repos.getstarttls()
|
||||||
|
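Review bot: The added `if self.fingerprint is not None:` test makes the fingerprint comparison the only server authentication, yet it also passes for an empty value (an empty string or an empty list), in which case CA verification is switched off with nothing to match against. Consider testing truthiness instead (`if self.fingerprint:`) and confirming that the connection fails closed when no configured fingerprint matches the presented certificate. The context line directly above already reads `self.__verifycert = None # Disable cert verification.`; if that assignment is unconditional, the new one changes nothing, and it is not visible in this hunk how the fallback `sslcacertfile` mentioned in the commit message is kept out of the handshake, so the comment should state which case this branch covers. Minor: "verfication" in the new comment should read "verification".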