classification
Title: imaplib should provide a means to validate a remote server ssl certificate(s)
Type: enhancement
Stage: needs patch
Components: None
Versions: Python 3.3, Python 3.2
process
Status: open
Resolution:
Dependencies: 8808
Superseder:
Assigned To:
Nosy List: asdfasdfasdfasdfasdfasdfasdf, eric.araujo, pitrou
Priority: normal
Keywords:

Created on 2010-11-01 03:55 by asdfasdfasdfasdfasdfasdfasdf, last changed 2010-11-17 09:50 by eric.araujo.

Messages (3)
msg120108 - Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-11-01 03:55
imaplib should provide a means to validate a remote server ssl certificate(s).

So currently imaplib allows you to do the following:

import imaplib
conn = imaplib.IMAP4_SSL("imap.gmail.com")

# the following should fail
conn = imaplib.IMAP4_SSL("74.125.39.109")
conn = imaplib.IMAP4_SSL("i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org", 443)
conn = imaplib.IMAP4_SSL("insert_self_signed_imap_server_here")

However, only the first call ("imap.gmail.com") should *NOT* result in an error being raised (if the certificate is being checked :) ).

I wasn't able to find a way to get imaplib.IMAP4_SSL to take the certificate for the remote server without wanting a private cert (which wasn't / isn't desired).

If an option is added / method added that takes in an optional parameter to validate that the remote IMAP's ssl certificate has been signed by a trusted certificate authority, this would be a good solution.
msg120142 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-11-01 17:31
Right, IMAP_SSL should first accept an additional context argument as noted in issue10274. Then it can be patched to optionally call ssl.match_hostname on the server certificate. That second part can mimic what is done by HTTPSConnection:
http://code.python.org/hg/branches/py3k/file/tip/Lib/http/client.py#l1052
msg120143 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-11-01 17:32
Sorry, the actual issue number is issue8808.
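
Added example (not part of the tracker discussion and not imaplib's own code): the context-based approach described in msg120142, written against the `ssl_context` parameter that `imaplib.IMAP4_SSL` accepts in later Python 3 releases, with host name matching done by the context's `check_hostname` setting instead of a separate `ssl.match_hostname` call. It assumes Python 3.7 or newer; the helper names `verifying_context`, `require_verifying` and `open_verified` are hypothetical.

```python
import imaplib
import ssl


def verifying_context(cafile=None):
    """Client context that requires a CA-signed certificate matching the host name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context() already enables both checks; they are repeated
    # here so that a later edit weakening either one is visible in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def require_verifying(ctx):
    """Reject contexts that would accept any certificate or any host name."""
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        raise ValueError("context does not require a trusted certificate chain")
    if not ctx.check_hostname:
        raise ValueError("context does not check the server host name")
    return ctx


def open_verified(host, port=imaplib.IMAP4_SSL_PORT, ctx=None):
    """Connect over TLS; return (connection, None) or (None, reason)."""
    ctx = require_verifying(ctx or verifying_context())
    try:
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx), None
    except ssl.SSLCertVerificationError as exc:
        # Raised for an untrusted or self-signed chain and for a name mismatch,
        # i.e. the cases the report says should fail.
        return None, "certificate rejected: %s" % exc.verify_message
    except OSError as exc:
        # Other TLS and socket errors (ssl.SSLError is a subclass of OSError).
        return None, "connection failed: %s" % exc


if __name__ == "__main__":
    import sys
    # Host names come from the command line; nothing is contacted on import.
    for name in sys.argv[1:]:
        conn, reason = open_verified(name)
        print(name, "->", reason or "verified")
        if conn is not None:
            conn.logout()
```
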
History
Date | User | Action | Args
2010-11-17 09:50:26 | eric.araujo | set | nosy: + eric.araujo
2010-11-01 17:32:53 | pitrou | set | dependencies: + imaplib should support SSL contexts, - imaplib should provide a means to validate a remote server ssl certificate(s); messages: + msg120143
2010-11-01 17:32:53 | pitrou | unlink | issue10274 dependencies
2010-11-01 17:31:44 | pitrou | set | versions: + Python 3.3; messages: + msg120142; dependencies: + imaplib should provide a means to validate a remote server ssl certificate(s); type: security -> enhancement; stage: needs patch
2010-11-01 17:31:44 | pitrou | link | issue10274 dependencies
2010-11-01 17:24:55 | eric.araujo | set | nosy: + pitrou
2010-11-01 03:55:32 | asdfasdfasdfasdfasdfasdfasdf | create |