Ubuntu
offlineimap package

  1. Bug #675120
  2. Comment #0

Comment 0 for bug 675120

Revision history for this message
dave b. (d+b) wrote : offlineimap: fails check the remote server's ssl certificate is valid

Binary package hint: offlineimap

Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole

offlineimap performs absolutely no ssl certificate checking. So users could/can be the victim of a man in the middle attack.
In debian the following bugs exist:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate expiration)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint checking)

This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
A partial 'fix' is the following(this 'fix' isn't complete and would break connections to server's using self-signed certificates):

WARNING XXX: I haven't tested this 'fix' at all and so it is most likely wrong.

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index a60242b..c37688c 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4):
         self.infd.close()
         self.outfd.close()
         self.process.wait()
-
+
 class sslwrapper:
     def __init__(self, sslsock):
         self.sslsock = sslsock
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT):
         if last_error != 0:
             # FIXME
             raise socket.error(last_error)
- self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
+ self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, cert_reqs=ssl.CERT_REQUIRED, ca_certs="/etc/ssl/certs/ca-certificates.crt")
         self.sslobj = sslwrapper(self.sslobj)

Although, this isn't complete because it will break self-signed certificate using server's and http://bugs.python.org/issue1589 means that it won't provide full protection etc.
Really, what is required is that by default the certificate is checked and perhaps an option is added to bypass the check.

This isn't a new discovery, see [1], but the package provides no warning about this fact. I added a warning to https://github.com/jgoerzen/offlineimap/wiki/ perhaps debian can add a warning (in the package description) until this is fixed.

[1] - http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash