On Thu, Sep 08, 2016 at 11:56AM, Reuben Thomas wrote:
> On 8 September 2016 at 11:48, Ilias Tsitsimpis <i.tsitsim...@gmail.com>
> wrote:
> > This means that if Debian provides a default value for the
> > sslcacertfile, then it is not possible to connect to a server without
> > verifying its certificate (and thus rendering the cert_fingerprint
> > option obsolete).
>
> Is it not possible for the user to unset sslcacertfile?

I don't think it is possible to unset an option using Python's
ConfigParser. We would have to use a special value (just like
OS-DEFAULT) to denote that this option should be disabled.

> If that were necessary in order to use just cert_fingerprint, that would be
> an extra signal to the user that they are making their setup potentially
> less secure.

This should probably be discussed with the upstream. I don't think we
should introduce a change like this in the Debian package.

> > That said, OfflineIMAP provides the special value OS-DEFAULT for the
> > sslcacertfile option which will automatically determine the system-wide
> > location of the standard trusted CA roots file.
>
> That's a help, thanks (I've used it); perhaps it could be documented in
> the man page?

Currently, the man page does not document any of the available options
in the configuration file. These are documented in the example file:

  /usr/share/doc/offlineimap/examples/offlineimap.conf.gz

Maybe we could create an offlineimaprc man page, that would document
the above options.

-- 
Ilias
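
The special-value approach discussed in this message, as an added example that is not part of the original e-mail and is not OfflineIMAP's or Debian's code: a packaged default is layered under a user file, and fingerprint-only trust has to be requested explicitly. The sentinel `NONE`, the section name, the helper names and the use of SHA-256 for the fingerprint are assumptions made for illustration.

```python
import configparser
import hashlib
import hmac

OS_DEFAULT = "OS-DEFAULT"      # special value named in the thread
DISABLED = "NONE"              # hypothetical sentinel, not an OfflineIMAP value
SECTION = "Repository Remote"  # constructed section name

# Constructed sample input: a packaged default and two user override files.
DISTRO = "[Repository Remote]\nsslcacertfile = OS-DEFAULT\n"
PIN = hashlib.sha256(b"constructed-der-bytes").hexdigest()
USER_PIN_ONLY = (
    "[Repository Remote]\nsslcacertfile = NONE\ncert_fingerprint = %s\n" % PIN
)
USER_BLANK = "[Repository Remote]\nsslcacertfile =\n"


def load(*texts):
    """Layer config texts in order; later texts override earlier ones."""
    cp = configparser.ConfigParser()
    for text in texts:
        cp.read_string(text)
    return cp


def resolve_trust(cp, section=SECTION):
    """Return (mode, cafile, fingerprint); raise rather than skip verification."""
    cafile = cp.get(section, "sslcacertfile", fallback="").strip()
    pin = cp.get(section, "cert_fingerprint", fallback="")
    pin = pin.replace(":", "").strip().lower()
    if cafile == DISABLED:
        # Explicit opt-out of CA checks is only accepted together with a pin.
        if not pin:
            raise ValueError("CA verification disabled but no cert_fingerprint set")
        return ("fingerprint-only", None, pin)
    if not cafile:
        # A blank override leaves the key present with an empty value; fail closed.
        raise ValueError("sslcacertfile is empty; use %s or a path" % OS_DEFAULT)
    return ("ca", cafile, pin or None)


def pin_matches(der_cert, pin):
    """Constant-time compare of the certificate's SHA-256 digest (assumed hash)."""
    return hmac.compare_digest(hashlib.sha256(der_cert).hexdigest(), pin)
```
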