Implement Server SSL fingerprint check

If we connect to a SSL server (not STARTTLS) and no CA cert has been specified for verification, we check the configured SSL fingerprint and bail out in case it has not been set yet, or it does not match. This means one more mandatory option for SSL configuration, but it improves security a lot. Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de> Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2011-09-12 09:50:41 +02:00
parent 5cbec30b3e
commit 8800fa37a3
5 changed files with 39 additions and 2 deletions
--- a/offlineimap.conf
+++ b/offlineimap.conf
@ -327,6 +327,16 @@ ssl = yes
 # The certificate should be in PEM format.
 # sslcacertfile = /path/to/cacertfile.crt

+# If you connect via SSL/TLS (ssl=true) and you have no CA certificate
+# specified, offlineimap will refuse to sync as it connects to a server
+# with an unknown "fingerprint". If you are sure you connect to the
+# correct server, you can then configure the presented server
+# fingerprint here. OfflineImap will verify that the server fingerprint
+# has not changed on each connect and refuse to connect otherwise.
+# You can also configure this in addition to CA certificate validation
+# above and it will check both ways.  cert_fingerprint =
+# <SHA1_of_server_certificate_here>
+
 # Specify the port.  If not specified, use a default port.
 # remoteport = 993