Make OS-default CA certificate file to be requested explicitely

This simplifies logics for the user, especially if he uses both fingerprint and certificate validation: it is hard to maintain the compatibility with the prior behaviour and to avoid getting default CA bundle to be disabled when fingerprint verification is requested. See http://thread.gmane.org/gmane.mail.imap.offlineimap.general/6695 for discussion about this change. Default CA bundle is requested via 'sslcertfile = OS-DEFAULT'. I had also enforced all cases where explicitely-requested CA bundles are non-existent to be hard errors: when users asks us to use CA bundle (and, thus, certificate validation), but we can't find one, we must error out rather than happily continue and downgrade to no validation. Reported-By: Edd Barrett <edd@theunixzoo.co.uk> Reviewed-By: Nicolas Sebrecht <nicolas.s-dev@laposte.net> Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2015-01-18 10:45:46 +03:00
parent 9b911faa58
commit f69613965f
4 changed files with 86 additions and 27 deletions
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@ -81,9 +81,10 @@ class IMAPServer:
        self.sslclientcert = repos.getsslclientcert()
        self.sslclientkey = repos.getsslclientkey()
        self.sslcacertfile = repos.getsslcacertfile()
-        self.sslversion = repos.getsslversion()
        if self.sslcacertfile is None:
            self.__verifycert = None # disable cert verification
+        self.fingerprint = repos.get_ssl_fingerprint()
+        self.sslversion = repos.getsslversion()

        self.delim = None
        self.root = None
@ -394,7 +395,6 @@ class IMAPServer:
                    success = 1
                elif self.usessl:
                    self.ui.connecting(self.hostname, self.port)
-                    fingerprint = self.repos.get_ssl_fingerprint()
                    imapobj = imaplibutil.WrappedIMAP4_SSL(self.hostname,
                                                           self.port,
                                                           self.sslclientkey,
@ -403,7 +403,7 @@ class IMAPServer:
                                                           self.__verifycert,
                                                           self.sslversion,
                                                           timeout=socket.getdefaulttimeout(),
-                                                           fingerprint=fingerprint
+                                                           fingerprint=self.fingerprint
                                                           )
                else:
                    self.ui.connecting(self.hostname, self.port)
@ -468,7 +468,7 @@ class IMAPServer:
                         (self.hostname, self.repos)
                raise OfflineImapError(reason, severity), None, exc_info()[2]

-            elif isinstance(e, SSLError) and e.errno == 1:
+            elif isinstance(e, SSLError) and e.errno == errno.EPERM:
                # SSL unknown protocol error
                # happens e.g. when connecting via SSL to a non-SSL service
                if self.port != 993: