classification
Title: imaplib should provide a means to validate a remote server ssl certificate(s)
Type: enhancement
Stage: resolved
Components: None
Versions: Python 3.2, Python 3.3
process
Status: closed
Resolution: fixed
Dependencies: 8808
Superseder:
Assigned To:
Nosy List: asdfasdfasdfasdfasdfasdfasdf, christian.heimes, eric.araujo, pitrou
Priority: normal
Keywords:

Created on 2010-11-01 03:55 by asdfasdfasdfasdfasdfasdfasdf, last changed 2016-09-08 14:28 by christian.heimes. This issue is now closed.

Messages (4)
msg120108 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-11-01 03:55
imaplib should provide a means to validate a remote server ssl certificate(s).

So currently imaplib allows you to do the following:

import imaplib
conn = imaplib.IMAP4_SSL("imap.gmail.com")

#the following should fail
conn = imaplib.IMAP4_SSL("74.125.39.109")
conn = imaplib.IMAP4_SSL("i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org", 443)
conn = imaplib.IMAP4_SSL("insert_self_signed_imap_server_here")
However, only the first call ("imap.gmail.com") should *NOT* result in an error being raised (if the certificate is being checked :) ).

I wasn't able to find a way to get imaplib.IMAP4_SSL to take the certificate for the remote server without wanting a private cert (which wasn't / isn't desired).

If an option / method is added that takes an optional parameter to validate that the remote IMAP server's SSL certificate has been signed by a trusted certificate authority, this would be a good solution.
msg120142 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-11-01 17:31
Right, IMAP_SSL should first accept an additional context argument as noted in issue10274. Then it can be patched to optionally call ssl.match_hostname on the server certificate. That second part can mimic what is done by HTTPSConnection:
http://code.python.org/hg/branches/py3k/file/tip/Lib/http/client.py#l1052
msg120143 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-11-01 17:32
Sorry, the actual issue number is issue8808.
msg275017 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 14:28
You can use a custom ssl context to enforce cert and hostname validation:

>>> import imaplib, ssl
>>> ctx = ssl.create_default_context()
>>> conn = imaplib.IMAP4_SSL("74.125.133.109", ssl_context=ctx)
Traceback (most recent call last):
...
ssl.CertificateError: hostname '74.125.133.109' doesn't match 'imap.gmail.com'
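Added example for this thread (not code from the tracker messages above, nor from the imaplib module itself): the hardened context msg275017 describes, side by side with an unverified context equivalent to what IMAP4_SSL did before it accepted ssl_context, plus a check for the one failure mode the transcript above shows, namely that a hostname-checking context must be given the DNS name the certificate was issued for, not an IP literal. imaplib.IMAP4_SSL(host, port, ssl_context=...) and ssl.create_default_context() are the real stdlib calls; the function names hardened_imap_context, legacy_unverified_context, context_report, requires_server_hostname and open_imap are this example's own.

```python
"""Hardened vs. unverified TLS contexts for imaplib.IMAP4_SSL.

Added example for this thread, not code from the tracker or from the
imaplib module. Only imaplib.IMAP4_SSL(..., ssl_context=...) and
ssl.create_default_context() are real stdlib APIs; every function name
below is an illustration chosen here.
"""
import imaplib
import socket
import ssl


def hardened_imap_context(cafile=None):
    """Context that rejects untrusted CAs and hostname mismatches.

    create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True and loads the system trust store. Pass cafile to
    trust a private CA (or a self-signed server certificate) instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Fail loudly if something in the process later weakens the context.
    assert ctx.verify_mode == ssl.CERT_REQUIRED
    assert ctx.check_hostname is True
    return ctx


def legacy_unverified_context():
    """The 'before' for contrast: TLS for confidentiality only.

    Any certificate is accepted, so an on-path attacker with a self-signed
    certificate receives the IMAP credentials. This is what IMAP4_SSL
    amounted to before it could take an ssl_context. Do not use it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: ssl refuses to set verify_mode=CERT_NONE while
    # check_hostname is still True (ValueError), so disable that first.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_report(ctx):
    """The two settings a reviewer should check on any client context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def requires_server_hostname(ctx):
    """True if ctx refuses to wrap a socket without a name to check against.

    A hostname-checking context raises ValueError before touching the
    network when server_hostname is missing. IMAP4_SSL passes its host
    argument as server_hostname, which is why an IP literal there is
    compared against the certificate's names and fails, as in msg275017.
    The socket is never connected; this runs offline.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        wrapped = ctx.wrap_socket(sock, server_hostname=None)
    except ValueError:
        return True
    except OSError:
        return False
    finally:
        sock.close()  # no-op once wrap_socket has detached the descriptor
    wrapped.close()
    return False


def open_imap(host, port=993, ctx=None):
    """Connect with certificate and hostname verification enforced.

    host must be the DNS name in the server certificate (imap.gmail.com,
    not its IP); with a hardened context a mismatch raises
    ssl.CertificateError before any login data is sent.
    """
    ctx = ctx or hardened_imap_context()
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


if __name__ == "__main__":
    import sys
    for name, ctx in (("hardened", hardened_imap_context()),
                      ("legacy", legacy_unverified_context())):
        print(name, context_report(ctx),
              "needs server_hostname:", requires_server_hostname(ctx))
    if len(sys.argv) > 1:  # e.g. python example.py imap.gmail.com
        conn = open_imap(sys.argv[1])
        print(conn.welcome)
        conn.logout()
```

The only network call is open_imap, and it is reached only when a host is passed on the command line; everything else inspects the contexts offline. For a server with a self-signed certificate, hand hardened_imap_context() the PEM file of that certificate (or of the private CA) via cafile rather than falling back to the unverified context.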
History
Date                 User                           Action   Args
2016-09-08 14:28:18  christian.heimes               set      status: open -> closed; nosy: + christian.heimes; messages: + msg275017; resolution: fixed; stage: needs patch -> resolved
2010-11-17 09:50:26  eric.araujo                    set      nosy: + eric.araujo
2010-11-01 17:32:53  pitrou                         set      dependencies: + imaplib should support SSL contexts, - imaplib should provide a means to validate a remote server ssl certificate(s); messages: + msg120143
2010-11-01 17:32:53  pitrou                         unlink   issue10274 dependencies
2010-11-01 17:31:44  pitrou                         set      versions: + Python 3.3; messages: + msg120142; dependencies: + imaplib should provide a means to validate a remote server ssl certificate(s); type: security -> enhancement; stage: needs patch
2010-11-01 17:31:44  pitrou                         link     issue10274 dependencies
2010-11-01 17:24:55  eric.araujo                    set      nosy: + pitrou
2010-11-01 03:55:32  asdfasdfasdfasdfasdfasdfasdf   create