Extend handling of cert_fingerprint

Add ability to specify multiple fingerprints. Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-05-07 01:22:29 +04:00
parent 1690e5f74e
commit d2ec2a4e9e
4 changed files with 32 additions and 9 deletions
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@ -141,21 +141,28 @@ class WrappedIMAP4_SSL(UsefulIMAPMixIn, IMAP4_SSL):
    """Improved version of imaplib.IMAP4_SSL overriding select()"""
    def __init__(self, *args, **kwargs):
        self._fingerprint = kwargs.get('fingerprint', None)
+        if type(self._fingerprint) != type([]):
+            self._fingerprint = [self._fingerprint]
        if 'fingerprint' in kwargs:
            del kwargs['fingerprint']
        super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)

    def open(self, host=None, port=None):
+        if not self.ca_certs and not self._fingerprint:
+            raise OfflineImapError("No CA certificates " + \
+              "and no server fingerprints configured.  " + \
+              "You must configure at least something, otherwise " + \
+              "having SSL helps nothing.", OfflineImapError.ERROR.REPO)
        super(WrappedIMAP4_SSL, self).open(host, port)
-        if (self._fingerprint or not self.ca_certs):
+        if self._fingerprint:
            # compare fingerprints
            fingerprint = sha1(self.sock.getpeercert(True)).hexdigest()
-            if fingerprint != self._fingerprint:
-                raise OfflineImapError("Server SSL fingerprint '%s' for hostnam"
-                      "e '%s' does not match configured fingerprint. Please ver"
-                      "ify and set 'cert_fingerprint' accordingly if not set ye"
-                      "t." % (fingerprint, host),
-                                       OfflineImapError.ERROR.REPO)
+            if fingerprint not in self._fingerprint:
+                raise OfflineImapError("Server SSL fingerprint '%s' " % fingerprint + \
+                      "for hostname '%s' " % host + \
+                      "does not match configured fingerprint(s) %s.  " % self._fingerprint + \
+                      "Please verify and set 'cert_fingerprint' accordingly " + \
+                      "if not set yet.", OfflineImapError.ERROR.REPO)


 class WrappedIMAP4(UsefulIMAPMixIn, IMAP4):
--- a/offlineimap/repository/IMAP.py
+++ b/offlineimap/repository/IMAP.py
@ -215,7 +215,16 @@ class IMAPRepository(BaseRepository):
        return self.getconf('ssl_version', None)

    def get_ssl_fingerprint(self):
-        return self.getconf('cert_fingerprint', None)
+        """
+        Return array of possible certificate fingerprints.
+
+        Configuration item cert_fingerprint can contain multiple
+        comma-separated fingerprints in hex form.
+
+        """
+
+        value = self.getconf('cert_fingerprint', "")
+        return [f.strip().lower() for f in value.split(',') if f]

    def getpreauthtunnel(self):
        return self.getconf('preauthtunnel', None)