Bug#603450: offlineimap: fails to check that the remote server's SSL certificate is valid
On Sun, Nov 14, 2010 at 07:55:23PM +1100, david b wrote:
> Package: offlineimap
> Severity: grave
> Tags: security
> Justification: user security hole
>
> offlineimap performs absolutely no SSL certificate checking. So users could/can be the victim of a man-in-the-middle attack.
> In debian the following bugs exist:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate expiration)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint checking)
>
> This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
> A partial 'fix' is the following (this 'fix' isn't complete and would break connections to servers using self-signed certificates):
FWIW, this is a limitation documented on the homepage since 2007:
https://github.com/jgoerzen/offlineimap/wiki
Cheers,
Moritz
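As an added example, not code from the bug report, offlineimap or imaplib: explicit certificate verification for a Python 3 imaplib connection, covering what the report says is missing (chain and hostname validation) and the fingerprint pinning a client needs for the self-signed servers that a verify-only fix would break. Host, port, CA file and pinned fingerprint are caller-supplied assumptions.

```python
import hashlib
import hmac
import imaplib
import ssl


def make_verified_context(cafile=None):
    """Context that rejects bad chains and hostname mismatches; cafile (PEM)
    trusts a private CA or the server's own self-signed cert instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED  # the default, stated explicitly
    return ctx


def context_is_strict(ctx):
    """True only if the context will refuse an unverified peer."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def sha256_fingerprint(der_cert):
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert, expected):
    """Constant-time comparison with the operator's pinned value,
    ignoring case and colon separators."""
    got = sha256_fingerprint(der_cert).replace(":", "")
    want = expected.replace(":", "").upper()
    return hmac.compare_digest(got, want)


def connect_imap(host, port=993, cafile=None, pinned=None):
    """Open an IMAP-over-TLS session that fails closed. With `pinned` (a
    SHA-256 fingerprint) set, chain/hostname checks are replaced by a pin
    check, the usual way to handle a self-signed server."""
    ctx = make_verified_context(cafile)
    if pinned is not None:
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # handshake completes; checked below
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    if pinned is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(der, pinned):
            conn.shutdown()
            raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return conn
```

Without a context of this kind, a client that simply opens IMAP4_SSL accepts whatever certificate the peer presents, which is exactly the exposure the report describes.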