From 9b85ffef89f204d5cfe0a9e16551f79e1591f407 Mon Sep 17 00:00:00 2001
From: Sebastian Spaeth
Date: Tue, 18 Jan 2011 11:25:49 +0100
Subject: [PATCH] Only verify hostname if we actually use CA certs

The current code path checked the CA cert host name, even if we did not specify a CA cert file to use. Make the host name check dependent on a CA cert file.

Signed-off-by: Sebastian Spaeth
Signed-off-by: Nicolas Sebrecht
---
 offlineimap/imaplibutil.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index ba6a5bb..6ff946b 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -134,11 +134,12 @@ class WrappedIMAP4_SSL(IMAP4_SSL):
 self.certfile)
 else:
- #ssl.wrap_socket worked and cert is verified, now check
- #that hostnames also match.
- error = self._verifycert(self.sslobj.getpeercert(), host)
- if error:
- raise ssl.SSLError("SSL Certificate host name mismatch: %s" % error)
+ #ssl.wrap_socket worked and cert is verified (if configured),
+ #now check that hostnames also match if we have a CA cert.
+ if self._cacertfile:
+ error = self._verifycert(self.sslobj.getpeercert(), host)
+ if error:
+ raise ssl.SSLError("SSL Certificate host name mismatch: %s" % error)
 #TODO: Done for now. We should implement a mutt-like behavior
 #that offers the users to accept a certificate (presenting a
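Review bot: With the new `if self._cacertfile:` guard, a session that has no CA cert file configured leaves this `else:` branch with neither chain validation nor a host name check, so the link is encrypted but the server is unauthenticated, and the rewritten comment only hints at that with "(if configured)". I would say so outright above the guard, for example `#NOTE: without a CA cert file the peer certificate is not validated at all; the server identity is unauthenticated.` The guard should also test exactly the same condition that selects the certificate requirement passed to the wrap call, which is outside this hunk; if the two differ (for instance a truthiness test here against an `is not None` test there), `getpeercert()` may return an empty dict and the check would fail spuriously, or validation would be requested without the host name check. The enclosing method starts before and continues after the hunk, so this is inferred from the visible lines only.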