Title: imaplib should provide a means to validate a remote server ssl certificate(s)
Type: enhancement
Stage: resolved
Components: None
Versions: Python 3.2, Python 3.3
Status: closed
Resolution: fixed
Dependencies: 8808
Superseder:
Assigned To:
Nosy List: asdfasdfasdfasdfasdfasdfasdf, christian.heimes, eric.araujo, pitrou
Priority: normal
Keywords:

Created on 2010-11-01 03:55 by asdfasdfasdfasdfasdfasdfasdf, last changed 2016-09-08 14:28 by christian.heimes. This issue is now closed.

Messages (4)
msg120108 - Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2010-11-01 03:55
imaplib should provide a means to validate a remote server ssl certificate(s).

So currently imaplib allows you to do the following:

import imaplib
conn = imaplib.IMAP4_SSL("")

# the following should fail
conn = imaplib.IMAP4_SSL("")
conn = imaplib.IMAP4_SSL("")
conn = imaplib.IMAP4_SSL("insert_self_signed_imap_server_here")
However, only the first call ("") should *NOT* result in an error being raised (if the certificate is being checked :) ).

I wasn't able to find a way to get imaplib.IMAP4_SSL to take the certificate for the remote server without wanting a private cert (which wasn't / isn't desired).

If an option is added / method added that takes in an optional parameter to validate that the remote IMAP's SSL certificate has been signed by a trusted certificate authority, this would be a good solution.

msg120142 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-11-01 17:31
Right, IMAP_SSL should first accept an additional context argument as noted in issue10274. Then it can be patched to optionally call ssl.match_hostname on the server certificate. That second part can mimic what is done by HTTPSConnection:

msg120143 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-11-01 17:32
Sorry, the actual issue number is issue8808.

msg275017 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 14:28
You can use a custom ssl context to enforce cert and hostname validation:

>>> import imaplib, ssl
>>> ctx = ssl.create_default_context()
>>> conn = imaplib.IMAP4_SSL("", ssl_context=ctx)
Traceback (most recent call last):
ssl.CertificateError: hostname '' doesn't match ''
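
Added example, not part of the original thread or of CPython's own code: a wrapper that builds the verifying context shown in the last message and refuses any context that would skip chain or hostname checks. The function names and the no-verification comparison context are constructed for illustration.

```python
import imaplib
import ssl


def verifying_context(cafile=None):
    """Client context that requires a trusted chain and a matching hostname."""
    # create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_weaknesses(ctx):
    """Return the reasons a context would accept an unauthenticated server."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate")
    return problems


def open_imap(host, port=imaplib.IMAP4_SSL_PORT, ctx=None):
    """Connect only with a context that authenticates the server."""
    ctx = ctx or verifying_context()
    problems = context_weaknesses(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    # An untrusted chain or a hostname mismatch raises
    # ssl.SSLCertVerificationError (ssl.CertificateError is an alias for it).
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


def no_verification_context():
    """Constructed for comparison: a context that performs no server validation,
    like the unchecked behaviour reported at the top of this issue."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Pass `cafile` to `verifying_context()` when the IMAP server's certificate is issued by a private CA rather than one in the system trust store.
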

Date | User | Action | Args
2016-09-08 14:28:18 | christian.heimes | set | status: open -> closed; nosy: + christian.heimes; messages: + msg275017; resolution: fixed; stage: needs patch -> resolved
2010-11-17 09:50:26 | eric.araujo | set | nosy: + eric.araujo
2010-11-01 17:32:53 | pitrou | set | dependencies: + imaplib should support SSL contexts, - imaplib should provide a means to validate a remote server ssl certificate(s); messages: + msg120143
2010-11-01 17:32:53 | pitrou | unlink | issue10274 dependencies
2010-11-01 17:31:44 | pitrou | set | versions: + Python 3.3; messages: + msg120142; dependencies: + imaplib should provide a means to validate a remote server ssl certificate(s); type: security -> enhancement; stage: needs patch
2010-11-01 17:31:44 | pitrou | link | issue10274 dependencies
2010-11-01 17:24:55 | eric.araujo | set | nosy: + pitrou
2010-11-01 03:55:32 | asdfasdfasdfasdfasdfasdfasdf | create |