PIM
/
offlineimap
mirror of https://github.com/OfflineIMAP/offlineimap.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Implement Server SSL fingerprint check 

If we connect to a SSL server (not STARTTLS) and no CA cert has been
specified for verification, we check the configured SSL fingerprint and
bail out in case it has not been set yet, or it does not match.

This means one more mandatory option for SSL configuration, but it
improves security a lot.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
This commit is contained in:
Sebastian Spaeth 2011-09-12 09:50:41 +02:00 committed by Nicolas Sebrecht
parent 5cbec30b3e
commit 8800fa37a3
5 changed files with 39 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Changelog.draft.rst
View File

@ -17,6 +17,10 @@ New Features
synchronization, but only skip that message, informing the user at the
end of the sync run.
* If you connect via ssl and 'cert_fingerprint' is configured, we check
that the server certificate is actually known and identical by
comparing the stored sha1 fingerprint with the current one.
Changes
-------

10
offlineimap.conf
View File

@ -327,6 +327,16 @@ ssl = yes
# The certificate should be in PEM format.
# sslcacertfile = /path/to/cacertfile.crt
# If you connect via SSL/TLS (ssl=true) and you have no CA certificate
# specified, offlineimap will refuse to sync as it connects to a server
# with an unknown "fingerprint". If you are sure you connect to the
# correct server, you can then configure the presented server
# fingerprint here. OfflineImap will verify that the server fingerprint
# has not changed on each connect and refuse to connect otherwise.
# You can also configure this in addition to CA certificate validation
# above and it will check both ways. cert_fingerprint =
# <SHA1_of_server_certificate_here>
# Specify the port. If not specified, use a default port.
# remoteport = 993

22
offlineimap/imaplibutil.py
View File

@ -21,8 +21,10 @@ import re
import socket
import time
import subprocess
from offlineimap.ui import getglobalui
import threading
from hashlib import sha1
from offlineimap.ui import getglobalui
from offlineimap import OfflineImapError
from offlineimap.imaplib2 import IMAP4, IMAP4_SSL, zlib, IMAP4_PORT, InternalDate, Mon2num
@ -137,7 +139,23 @@ def new_mesg(self, s, tn=None, secs=None):
class WrappedIMAP4_SSL(UsefulIMAPMixIn, IMAP4_SSL):
"""Improved version of imaplib.IMAP4_SSL overriding select()"""
pass
def __init__(self, *args, **kwargs):
self._fingerprint = kwargs.get('fingerprint', None)
if kwargs.has_key('fingerprint'):
del kwargs['fingerprint']
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
def open(self, host=None, port=None):
super(WrappedIMAP4_SSL, self).open(host, port)
if self._fingerprint or not self.ca_certs:
# compare fingerprints
fingerprint = sha1(self.sslobj.getpeercert(True)).hexdigest()
if fingerprint != self._fingerprint:
raise OfflineImapError("Server SSL fingerprint '%s' for hostnam"
"e '%s' does not match configured fingerprint. Please ver"
"ify and set 'cert_fingerprint' accordingly if not set ye"
"t." % (fingerprint, host),
OfflineImapError.ERROR.REPO)
class WrappedIMAP4(UsefulIMAPMixIn, IMAP4):

2
offlineimap/imapserver.py
View File

@ -209,6 +209,7 @@ class IMAPServer:
success = 1
elif self.usessl:
self.ui.connecting(self.hostname, self.port)
fingerprint = self.repos.get_ssl_fingerprint()
imapobj = imaplibutil.WrappedIMAP4_SSL(self.hostname,
self.port,
self.sslclientkey,
@ -216,6 +217,7 @@ class IMAPServer:
self.sslcacertfile,
self.verifycert,
timeout=socket.getdefaulttimeout(),
fingerprint=fingerprint
)
else:
self.ui.connecting(self.hostname, self.port)

3
offlineimap/repository/IMAP.py
View File

@ -182,6 +182,9 @@ class IMAPRepository(BaseRepository):
% (self.name, cacertfile))
return cacertfile
def get_ssl_fingerprint(self):
return self.getconf('cert_fingerprint', None)
def getpreauthtunnel(self):
return self.getconf('preauthtunnel', None)