diff --git a/offlineimap.conf b/offlineimap.conf
index ff788f9..27b2c2b 100644
--- a/offlineimap.conf
+++ b/offlineimap.conf
@@ -787,10 +787,11 @@ remotehost = examplehost
 #
 # In Windows, Microsoft uses the term "thumbprint" instead of "fingerprint".
 #
+# Supported fingerprint hashes are sha512, sha384, sha256, sha224 and sha1.
 # Fingerprints must be in hexadecimal form without leading '0x':
 # 40 hex digits like bbfe29cf97acb204591edbafe0aa8c8f914287c9.
 #
-#cert_fingerprint = [, ]
+#cert_fingerprint = [, ]
 
 # This option stands in the [Repository RemoteExample] section.
diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index 16c3b28..c88d04b 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -23,7 +23,7 @@ import socket
 import errno
 import zlib
 from sys import exc_info
-from hashlib import sha1
+from hashlib import sha512, sha384, sha256, sha224, sha1
 
 import six
 
@@ -201,15 +201,18 @@ class WrappedIMAP4_SSL(UsefulIMAPMixIn, IMAP4_SSL):
                 "having SSL helps nothing.",
                 OfflineImapError.ERROR.REPO)
         super(WrappedIMAP4_SSL, self).open(host, port)
         if self._fingerprint:
+            server_cert = self.sock.getpeercert(True)
+            hashes = sha512, sha384, sha256, sha224, sha1
+            server_fingerprints = [hash(server_cert).hexdigest() for hash in hashes]
             # compare fingerprints
-            fingerprint = sha1(self.sock.getpeercert(True)).hexdigest()
-            if fingerprint not in self._fingerprint:
-                raise OfflineImapError("Server SSL fingerprint '%s' "
+            matches = [(server_fingerprint in self._fingerprint) for server_fingerprint in server_fingerprints]
+            if not any(matches):
+                raise OfflineImapError("Server SSL fingerprint(s) '%s' "
                 "for hostname '%s' "
                 "does not match configured fingerprint(s) %s. "
                 "Please verify and set 'cert_fingerprint' accordingly "
                 "if not set yet."%
-                (fingerprint, host, self._fingerprint),
+                (zip([hash.__name__ for hash in hashes], server_fingerprints), host, self._fingerprint),
                 OfflineImapError.ERROR.REPO)
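Review bot: The error message in the last added line of the imaplibutil.py hunk formats a `zip(...)` object with `%s`, which under Python 3 (the file imports `six`, so both interpreters seem intended) prints as `<zip object at 0x...>` rather than the server's fingerprints, so the user gets no value to compare against their `cert_fingerprint` setting when the pin check fails. On CPython the hashlib constructors are also not named `sha512` and friends but `openssl_sha512` and similar, so `hash.__name__` would not read as the documented algorithm names even on Python 2. The comprehension variable `hash` shadows the builtin, and the `matches` list only feeds `any()`, so a generator expression in the `if` is enough. Since `hexdigest()` is lowercase and hex-only, a comment such as `# hexdigest() is lowercase without separators; the configured values are assumed to be normalised the same way -- confirm where cert_fingerprint is parsed` would make the fail-closed behaviour for upper-case or colon-separated pins explicit. The enclosing `open` method starts before this hunk.
```python
        if self._fingerprint:
            server_cert = self.sock.getpeercert(True)
            # label each digest explicitly; hashlib constructor __name__ is not
            # the algorithm name on CPython
            hashes = (("sha512", sha512), ("sha384", sha384), ("sha256", sha256),
                      ("sha224", sha224), ("sha1", sha1))
            # hexdigest() is lowercase without separators; the configured values
            # are assumed to be normalised the same way -- confirm where
            # cert_fingerprint is parsed
            server_fingerprints = [(name, ctor(server_cert).hexdigest())
                                   for name, ctor in hashes]
            # compare fingerprints
            if not any(fp in self._fingerprint for _, fp in server_fingerprints):
                raise OfflineImapError("Server SSL fingerprint(s) '%s' "
                    # … unchanged: remaining message text …
                    (", ".join("%s:%s" % pair for pair in server_fingerprints),
                     host, self._fingerprint),
                    OfflineImapError.ERROR.REPO)
```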