On Thu, Sep 08, 2016 at 11:56AM, Reuben Thomas wrote:
> On 8 September 2016 at 11:48, Ilias Tsitsimpis <i.tsitsim...@gmail.com>
> wrote:
> > This means that if Debian provides a default value for the
> > sslcacertfile, then it is not possible to connect to a server without
> > verifying its certificate (and thus rendering the cert_fingerprint
> > option obsolete).
> 
> Is it not possible for the user to unset sslcacertfile?

I don't think it is possible to unset an option using Python's
ConfigParser. We would have to use a special value (just like
OS-DEFAULT) to denote that this option should be disabled.

> If that were necessary in order to use just cert_fingerprint, that would be
> an extra signal to the user that they are making their setup potentially
> less secure.

This should probably be discussed with the upstream. I don't think we
should introduce a change like this in the Debian package.

> > That said, OfflineIMAP provides the special value OS-DEFAULT for the
> > sslcacertfile option which will automatically determine the system-wide
> > location of the standard trusted CA roots file.
> >
> 
> That's a help, thanks (I've used it); perhaps it could be documented in
> the man page?

Currently, the man page does not document any of the available options
in the configuration file. These are documented in the example file:
    /usr/share/doc/offlineimap/examples/offlineimap.conf.gz

Maybe we could create an offlineimaprc man page, that would document the
above options.

-- 
Ilias
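The option-inheritance question raised in this message, as an added example that is not part of the original e-mail and is not OfflineIMAP or Debian code. It uses Python 3's `configparser`; the `DISABLED` sentinel, the section names, the mode labels and the helper functions are hypothetical, and only `OS-DEFAULT`, `sslcacertfile` and `cert_fingerprint` come from the thread.

```python
import configparser

# Constructed sample: a packaged default, as a distribution might ship it.
DISTRO_DEFAULTS = {"sslcacertfile": "OS-DEFAULT"}
# Hypothetical sentinel meaning "no CA file"; not an OfflineIMAP value.
DISABLE = "DISABLED"

# Constructed user configuration; the fingerprint is a placeholder.
USER_RC = """
[Repository pinned]
cert_fingerprint = <fingerprint-placeholder>

[Repository pinned-only]
cert_fingerprint = <fingerprint-placeholder>
sslcacertfile = DISABLED

[Repository plain]
"""

def load(text):
    """Parse user text on top of the packaged defaults."""
    cp = configparser.ConfigParser(defaults=DISTRO_DEFAULTS)
    cp.read_string(text)
    return cp

def inherited_default_survives_removal(cp, section):
    """Removing an option from a section does not touch the defaults."""
    removed = cp.remove_option(section, "sslcacertfile")
    return (not removed) and cp.has_option(section, "sslcacertfile")

def verification_mode(cp, section):
    """Label which checks this section's settings ask for (labels are ours)."""
    cafile = cp.get(section, "sslcacertfile", fallback=None)
    if cafile is not None and cafile.strip() == DISABLE:
        cafile = None  # the sentinel overrides the inherited default
    fingerprint = cp.get(section, "cert_fingerprint", fallback=None)
    if cafile and fingerprint:
        return "ca+fingerprint"
    if cafile:
        return "ca"
    return "fingerprint" if fingerprint else "none"

if __name__ == "__main__":
    cp = load(USER_RC)
    for name in cp.sections():
        print(name, "->", verification_mode(cp, name))
```
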
