From fcf27d7be5f5b2f7f5ebc91533642514f5ee2f97 Mon Sep 17 00:00:00 2001
From: Giel van Schijndel
Date: Sun, 17 Aug 2014 15:50:35 +0200
Subject: [PATCH] When using StartTLS verify the CA and/or fingerprint

Signed-off-by: Giel van Schijndel
---
 offlineimap/imapserver.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/offlineimap/imapserver.py b/offlineimap/imapserver.py
index d384bd2..bc03052 100644
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@@ -19,6 +19,7 @@ from offlineimap import imaplibutil, imaputil, threadutil, OfflineImapError
 from offlineimap.ui import getglobalui
 from threading import Lock, BoundedSemaphore, Thread, Event, currentThread
 import offlineimap.accounts
+from hashlib import sha1
 import hmac
 import socket
 import base64
@@ -200,11 +201,26 @@ class IMAPServer:
             if 'STARTTLS' in imapobj.capabilities and not self.usessl:
                 self.ui.debug('imap', 'Using STARTTLS connection')
                 try:
-                    imapobj.starttls()
+                    imapobj.starttls(self.sslclientkey,
+                                     self.sslclientcert,
+                                     self.sslcacertfile,
+                                     self.verifycert,
+                                     self.sslversion,
+                                     )
                 except imapobj.error as e:
                     raise OfflineImapError("Failed to start "
                         "TLS connection: %s" % str(e),
                         OfflineImapError.ERROR.REPO)
+                expected_fingerprint = self.repos.get_ssl_fingerprint()
+                if (expected_fingerprint or not self.sslcacertfile):
+                    # compare fingerprints
+                    fingerprint = sha1(imapobj.sock.getpeercert(True)).hexdigest()
+                    if fingerprint != expected_fingerprint:
+                        raise OfflineImapError("Server SSL fingerprint '%s' for hos"
+                            "tname '%s' does not match configured fingerprint. Pl"
+                            "ease verify and set 'cert_fingerprint' accordingly i"
+                            "f not set yet." % (fingerprint, imapobj.host),
+                            OfflineImapError.ERROR.REPO)
 
 
             ## All _authn_* procedures are helpers that do authentication.
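Review bot: The fingerprint check is an exact string comparison against the lowercase hex that `sha1(...).hexdigest()` produces, so a `cert_fingerprint` value entered with uppercase hex or colon separators always hits the mismatch error unless `get_ssl_fingerprint()` (not visible here) already normalizes it; consider `expected = (expected_fingerprint or '').lower().replace(':', '')` before the `!=` test, plus a comment pinning the format, e.g. `# cert_fingerprint is the hex SHA-1 digest of the server's DER-encoded certificate`. Passing the five `starttls` arguments positionally ties this call to the parameter order of the patched `imaplibutil` method; keyword arguments would make a later reordering fail loudly instead of silently swapping, say, the key and certificate paths. When neither a CA file nor a fingerprint is configured the new branch always raises — the message text covers that case, but a one-line comment above the `if` saying it is deliberate would stop a reader from reading `or not self.sslcacertfile` as a typo. The enclosing method begins outside the hunk.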