disable verification of ssl certs via CA if fingerpint is set

Up to a4863b2 offlineimap did not include a default CA bundle. And
folks who set cert_fingerprint (because they might connect to a
host using a self-signed cert or an onion service without the onion
address in the SANs) were able to validate their certificates.

Since a4863b2 you always have a `sslcacertfile` configured (since
it always falls back to the os one) and thus the old way didn't
work anymore.

If a use defines a `cert_fingerprint` there is not much use to
validate the cert through the CA chain, since the fingerprint
is the stronges verification you can get. Therefor we can disable
verfication when `cert_fingerprint` is set.

This enables users to fetch emails again from onion services or
hosts using self-signed certifcates, but doesn't question nor
change any other behavior.

Fixes #41
This commit is contained in:
mh 2021-04-29 14:24:15 +02:00
parent 1e7ef9e7e6
commit 871b1175f1

View File

@ -95,6 +95,9 @@ class IMAPServer:
self.__verifycert = None # Disable cert verification. self.__verifycert = None # Disable cert verification.
# This way of working sucks hard... # This way of working sucks hard...
self.fingerprint = repos.get_ssl_fingerprint() self.fingerprint = repos.get_ssl_fingerprint()
if self.fingerprint is not None:
self.__verifycert = None # if we have a cert fingerprint
# we do not require verfication via CA
self.tlslevel = repos.gettlslevel() self.tlslevel = repos.gettlslevel()
self.sslversion = repos.getsslversion() self.sslversion = repos.getsslversion()
self.starttls = repos.getstarttls() self.starttls = repos.getstarttls()