Control: tags -1 wontfix

Hi Reuben,

On Tue, Aug 02, 2016 at 12:57AM, Reuben Thomas wrote:
> As a bit of Debian integration, it would seem reasonable to add a default
> value for sslcacertfile (/etc/ssl/certs/ca-certificates.crt).

I am afraid this cannot be done easily, because OfflineIMAP distinguishes
between sslcacertfile having and not having a value.

From the docs:

| sslcacertfile
|
| SSL CA Cert(s) to verify the server cert against (optional).
| No SSL verification is done without this option. If it is
| specified, the CA Cert(s) need to verify the Server cert AND
| match the hostname (* wildcard allowed on the left hand side)
| The certificate should be in PEM format.

and also:

| cert_fingerprint
|
| If you connect via SSL/TLS (ssl = yes) and you have no CA certificate
| specified, OfflineIMAP will refuse to sync as it connects to a server
| with an unknown "fingerprint". If you are sure you connect to the
| correct server, you can then configure the presented server
| fingerprint here. OfflineIMAP will verify that the server fingerprint
| has not changed on each connect and refuse to connect otherwise.
|
| You can also configure fingerprint validation in addition to
| CA certificate validation above and it will check both:
| OfflineIMAP will verify certificate first and if things will be fine,
| fingerprint will be validated.

This means that if Debian provides a default value for the
sslcacertfile, then it is not possible to connect to a server without
verifying its certificate (and thus rendering the cert_fingerprint
option obsolete).

That said, OfflineIMAP provides the special value OS-DEFAULT for the
sslcacertfile option which will automatically determine the system-wide
location of the standard trusted CA roots file.

If you have any suggestion about how this could be fixed, please advise.
In the meantime, I am marking this as WONTFIX.

Best,

-- 
Ilias
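
The option semantics quoted in the message above, modelled as an added example (not part of the original message and not OfflineIMAP's own code). The function names and the `packaged_default` parameter are hypothetical, and SHA-256 is an assumption because the quoted docs do not name the fingerprint hash.

```python
import hashlib
import hmac

# Path proposed in the bug report; used here for the OS-DEFAULT value too
# (assumption: on Debian both refer to the same bundle).
DEBIAN_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def resolve_cafile(sslcacertfile, packaged_default=None):
    """Return the CA bundle path in effect, or None when no value applies."""
    value = sslcacertfile or packaged_default
    if not value:
        return None
    return DEBIAN_BUNDLE if value == "OS-DEFAULT" else value


def verification_plan(sslcacertfile=None, cert_fingerprint=None,
                      packaged_default=None):
    """List the checks that run, in the order the quoted docs describe."""
    steps = []
    if resolve_cafile(sslcacertfile, packaged_default):
        steps.append("ca")            # chain and hostname check comes first
    if cert_fingerprint:
        steps.append("fingerprint")   # then the pinned fingerprint
    return steps or ["refuse"]        # ssl = yes with neither option set


def fingerprint_matches(der_cert, pinned, algo="sha256"):
    """Compare the server certificate (DER bytes) with the pinned value."""
    actual = hashlib.new(algo, der_cert).hexdigest()
    wanted = pinned.replace(":", "").strip().lower()
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    pin = "aa:bb"  # constructed placeholder, not a real fingerprint
    # Upstream behaviour: a pinned, self-signed server needs only the pin.
    print(verification_plan(cert_fingerprint=pin))
    # With a packaged default the CA check always runs before the pin,
    # so a server whose certificate no CA vouches for fails first.
    print(verification_plan(cert_fingerprint=pin,
                            packaged_default=DEBIAN_BUNDLE))
    # Opting in explicitly keeps the unset case available to other users.
    print(verification_plan(sslcacertfile="OS-DEFAULT"))
```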
