offlineimap: fails to check the remote server's ssl certificate is valid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
offlineimap (Debian) | Fix Released | Unknown | |
offlineimap (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
Binary package hint: offlineimap
Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole
offlineimap performs absolutely no ssl certificate checking. So users could/can be the victim of a man-in-the-middle attack.
In debian the following bugs exist:
http://
http://
This could be considered a bug in imaplib (http://
A partial 'fix' is the following (this 'fix' isn't complete and would break connections to servers using self-signed certificates):
WARNING XXX: I haven't tested this 'fix' at all and so it is most likely wrong.
diff --git a/offlineimap/
index a60242b..c37688c 100644
--- a/offlineimap/
+++ b/offlineimap/
@@ -62,7 +62,7 @@ class IMAP4_Tunnel(
-
+
class sslwrapper:
def __init__(self, sslsock):
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT):
if last_error != 0:
# FIXME
raise socket.
- self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
+ self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, cert_reqs=
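Review bot: the new ssl_wrap() call on the `+` line passes cert_reqs but no CA bundle to validate the chain against, so there is nothing for the verification to succeed on; add a ca_certs argument fed from a configurable CA file (trusting a self-signed server's own certificate that way keeps it usable without disabling verification). Nothing in the hunk compares the certificate's subject name with the host being connected to either, so a hostname check after the handshake is still needed for the MITM case the report describes.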
Although, this isn't complete because it will break servers using self-signed certificates and http://
Really, what is required is that by default the certificate is checked and perhaps an option is added to bypass the check.
This isn't a new discovery, see [1], but the package provides no warning about this fact. I added a warning to https:/
[1] - http://
-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=
Shell: /bin/sh linked to /bin/bash
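The behaviour the report asks for (certificate checked by default, with an explicit option to bypass it) as an added example written here with Python's ssl module; it is not offlineimap's code or the reporter's patch, and the cafile/insecure parameter names are assumptions for illustration.

```python
import socket
import ssl

# Added example, not offlineimap's own code. Parameter names are assumed.


def make_imap_tls_context(cafile=None, insecure=False):
    """Build the TLS context for an IMAPS connection.

    cafile:   PEM bundle to trust. Pointing it at the server's own self-signed
              certificate keeps such a server usable without turning
              verification off. None means the OS trust store.
    insecure: explicit opt-out that reproduces the reported behaviour
              (no chain check, no hostname check).
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True,
    # so the safe configuration is the one you get without doing anything.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if insecure:
        # check_hostname must be cleared before verify_mode can be lowered.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def verification_settings(ctx):
    """Return (chain_is_checked, hostname_is_checked) for a context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED, bool(ctx.check_hostname))


def open_imaps(host, port=993, cafile=None, insecure=False, timeout=30):
    """Open the connection; a bad certificate raises ssl.SSLCertVerificationError."""
    ctx = make_imap_tls_context(cafile, insecure)
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname is the name the certificate is matched against.
    return ctx.wrap_socket(raw, server_hostname=host)
```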
visibility: | private → public |
description: | updated |
summary: |
- offlineimap: fails check the remote server's ssl certificate is valid + offlineimap: fails to check the remote server's ssl certificate is valid |
Changed in offlineimap (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in offlineimap (Debian): | |
status: | Unknown → New |
Changed in offlineimap (Debian): | |
status: | New → Fix Released |
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450