tobias/docker-offlineimap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make OS-default CA certificate file to be requested explicitely

Browse Source 
This simplifies logics for the user, especially if he uses both
fingerprint and certificate validation: it is hard to maintain
the compatibility with the prior behaviour and to avoid getting
default CA bundle to be disabled when fingerprint verification
is requested.

See
  http://thread.gmane.org/gmane.mail.imap.offlineimap.general/6695
for discussion about this change.

Default CA bundle is requested via 'sslcertfile = OS-DEFAULT'.

I had also enforced all cases where explicitely-requested CA bundles
are non-existent to be hard errors: when users asks us to use CA
bundle (and, thus, certificate validation), but we can't find one,
we must error out rather than happily continue and downgrade to
no validation.

Reported-By: Edd Barrett <edd@theunixzoo.co.uk>
Reviewed-By: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
This commit is contained in:
Eygene Ryabinkin
2015-01-18 10:45:46 +03:00
parent 9b911faa58
commit f69613965f
4 changed files with 86 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
offlineimap.conf
View File

@ -497,6 +497,17 @@ remotehost = examplehost
#
# Tilde and environment variable expansions will be performed.
#
# Special value OS-DEFAULT makes OfflineIMAP to automatically
# determine system-wide location of standard trusted CA roots file
# for known OS distributions and use the first bundle encountered
# (if any). If no system-wide CA bundle is found, OfflineIMAP
# will refuse to continue; this is done to prevent creation
# of false security expectations ("I had configured CA bundle,
# thou certificate verification shalt be present").
#
# You can also use fingerprint verification via cert_fingerprint.
# See below for more verbose explanation.
#
#sslcacertfile = /path/to/cacertfile.crt
@ -506,10 +517,13 @@ remotehost = examplehost
# specified, OfflineIMAP will refuse to sync as it connects to a server
# with an unknown "fingerprint". If you are sure you connect to the
# correct server, you can then configure the presented server
# fingerprint here. OfflineImap will verify that the server fingerprint
# has not changed on each connection and refuse to connect otherwise.
# You can also configure this in addition to CA certificate validation
# above and it will check both ways.
# fingerprint here. OfflineIMAP will verify that the server fingerprint
# has not changed on each connect and refuse to connect otherwise.
#
# You can also configure fingerprint validation in addition to
# CA certificate validation above and it will check both:
# OfflineIMAP fill verify certificate first and if things will be fine,
# fingerprint will be validated.
#
# Multiple fingerprints can be specified, separated by commas.
#