Bug#833191: offlineimap: Please add default value of sslcacertfile

2021-02-23 Thread Sudip Mukherjee
On Tue, Aug 02, 2016 at 12:57:37AM +0100, Reuben Thomas wrote:
> Package: offlineimap
> Version: 6.6.1+dfsg1-2
> Severity: wishlist
> 
> As a bit of Debian integration, it would seem reasonable to add a default
> value for sslcacertfile (/etc/ssl/certs/ca-certificates.crt).

The Python 3 port of offlineimap (offlineimap3) attempted to do this by using
'OS-DEFAULT' when sslcacertfile is not mentioned, but that caused a regression
and 'cert_fingerprint' stopped working. As a result I have reverted that
change in Debian. An upstream issue is open for this regression at
https://github.com/OfflineIMAP/offlineimap3/issues/41.


--
Regards
Sudip



Bug#833191: offlineimap: Please add default value of sslcacertfile

2016-09-08 Thread Ilias Tsitsimpis
On Thu, Sep 08, 2016 at 12:21PM, Reuben Thomas wrote:
> On 8 September 2016 at 12:14, Ilias Tsitsimpis wrote:
> 
> >
> > Currently, the man page does not document any of the available options
> > in the configuration file. These are documented in the example file:
> > /usr/share/doc/offlineimap/examples/offlineimap.conf.gz
> >
> > Maybe we could create an offlineimaprc man page, that would document the
> > above options.
> 
> It might be simpler and better simply to add a pointer to the examples
> file to the man page.

ACK. I have fixed that in the latest upload.

-- 
Ilias



Bug#833191: offlineimap: Please add default value of sslcacertfile

2016-09-08 Thread Reuben Thomas
On 8 September 2016 at 12:14, Ilias Tsitsimpis wrote:

>
> Currently, the man page does not document any of the available options
> in the configuration file. These are documented in the example file:
> /usr/share/doc/offlineimap/examples/offlineimap.conf.gz
>
> Maybe we could create an offlineimaprc man page, that would document the
> above options.
>

It might be simpler and better simply to add a pointer to the examples
file to the man page.

-- 
http://rrt.sc3d.org


Bug#833191: offlineimap: Please add default value of sslcacertfile

2016-09-08 Thread Ilias Tsitsimpis
On Thu, Sep 08, 2016 at 11:56AM, Reuben Thomas wrote:
> On 8 September 2016 at 11:48, Ilias Tsitsimpis wrote:
> > This means that if Debian provides a default value for the
> > sslcacertfile, then it is not possible to connect to a server without
> > verifying its certificate (and thus rendering the cert_fingerprint
> > option obsolete).
> 
> Is it not possible for the user to unset sslcacertfile?

I don't think it is possible to unset an option using Python's
ConfigParser. We would have to use a special value (just like
OS-DEFAULT) to denote that this option should be disabled.

> If that were necessary in order to use just cert_fingerprint, that would be
> an extra signal to the user that they are making their setup potentially
> less secure.

This should probably be discussed with the upstream. I don't think we
should introduce a change like this in the Debian package.

> > That said, OfflineIMAP provides the special value OS-DEFAULT for the
> > sslcacertfile option which will automatically determine the system-wide
> > location of the standard trusted CA roots file.
> >
> 
> That's a help, thanks (I've used it); perhaps it could be documented in
> the man page?

Currently, the man page does not document any of the available options
in the configuration file. These are documented in the example file:
/usr/share/doc/offlineimap/examples/offlineimap.conf.gz

Maybe we could create an offlineimaprc man page, that would document the
above options.

-- 
Ilias



Bug#833191: offlineimap: Please add default value of sslcacertfile

2016-09-08 Thread Reuben Thomas
On 8 September 2016 at 11:48, Ilias Tsitsimpis wrote:

>
> I am afraid this cannot be done easily, because OfflineIMAP distinguishes
> between sslcacertfile having and not having a value.
>

[snip]

> This means that if Debian provides a default value for the
> sslcacertfile, then it is not possible to connect to a server without
> verifying its certificate (and thus rendering the cert_fingerprint
> option obsolete).
>

Is it not possible for the user to unset sslcacertfile?

If that were necessary in order to use just cert_fingerprint, that would be
an extra signal to the user that they are making their setup potentially
less secure.


> That said, OfflineIMAP provides the special value OS-DEFAULT for the
> sslcacertfile option which will automatically determine the system-wide
> location of the standard trusted CA roots file.
>

That's a help, thanks (I've used it); perhaps it could be documented in
the man page?

-- 
http://rrt.sc3d.org


Bug#833191: offlineimap: Please add default value of sslcacertfile

2016-09-08 Thread Ilias Tsitsimpis
Control: tags -1 wontfix

Hi Reuben,

On Tue, Aug 02, 2016 at 12:57AM, Reuben Thomas wrote:
> As a bit of Debian integration, it would seem reasonable to add a default
> value for sslcacertfile (/etc/ssl/certs/ca-certificates.crt).

I am afraid this cannot be done easily, because OfflineIMAP distinguishes
between sslcacertfile having and not having a value.

From the docs:

| sslcacertfile
|
| SSL CA Cert(s) to verify the server cert against (optional).
| No SSL verification is done without this option. If it is
| specified, the CA Cert(s) need to verify the Server cert AND
| match the hostname (* wildcard allowed on the left hand side)
| The certificate should be in PEM format.

and also:

| cert_fingerprint
|
| If you connect via SSL/TLS (ssl = yes) and you have no CA certificate
| specified, OfflineIMAP will refuse to sync as it connects to a server
| with an unknown "fingerprint". If you are sure you connect to the
| correct server, you can then configure the presented server
| fingerprint here. OfflineIMAP will verify that the server fingerprint
| has not changed on each connect and refuse to connect otherwise.
|
| You can also configure fingerprint validation in addition to
| CA certificate validation above and it will check both:
| OfflineIMAP will verify certificate first and if things will be fine,
| fingerprint will be validated.

This means that if Debian provides a default value for the
sslcacertfile, then it is not possible to connect to a server without
verifying its certificate (and thus rendering the cert_fingerprint
option obsolete).

That said, OfflineIMAP provides the special value OS-DEFAULT for the
sslcacertfile option which will automatically determine the system-wide
location of the standard trusted CA roots file.

If you have any suggestion about how this could be fixed, please advise.
In the meantime, I am marking this as WONTFIX.

Best,

-- 
Ilias
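The following is an added example, not code from this thread, from the Debian package or from OfflineIMAP itself. It models in Python the two points made above: the verification mode the quoted option docs describe for each combination of sslcacertfile and cert_fingerprint, and why a packaged default cannot simply be unset per repository when the file is read with ConfigParser, which is also the mechanism behind the cert_fingerprint regression reported in the 2021 follow-up. The repository names, hostnames and fingerprint are constructed, resolving OS-DEFAULT to /etc/ssl/certs/ca-certificates.crt is an assumption for Debian (OfflineIMAP resolves it per platform), and tls_policy is a model of the documented rules, not OfflineIMAP's implementation.

```python
import configparser

# Assumed Debian location of the system CA bundle (the path proposed in the bug).
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample offlineimaprc: one repository verifies the server against
# the OS trust store, the other only pins the server certificate fingerprint.
# Hostnames are examples and the fingerprint is a placeholder, not a real one.
USER_RC = """\
[general]
accounts = work, private

[Repository work-remote]
type = IMAP
remotehost = imap.example.org
ssl = yes
sslcacertfile = OS-DEFAULT

[Repository private-remote]
type = IMAP
remotehost = mail.example.net
ssl = yes
cert_fingerprint = 0000000000000000000000000000000000000000
"""

# What a packaged default looks like to ConfigParser: a [DEFAULT] value is
# inherited by every section that does not set the option itself.
PACKAGED_DEFAULT = "[DEFAULT]\nsslcacertfile = %s\n\n" % DEBIAN_CA_BUNDLE


def load_rc(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def tls_policy(cfg, section):
    """Verification mode for one repository, following the quoted option docs:
    a CA file means the chain is verified (and the fingerprint too, if set);
    a fingerprint alone pins the server; neither means refuse to connect.
    Returns (mode, cafile)."""
    cafile = cfg.get(section, "sslcacertfile", fallback=None)
    if cafile == "OS-DEFAULT":
        # Modelled as the Debian bundle; OfflineIMAP resolves this per platform.
        cafile = DEBIAN_CA_BUNDLE
    fingerprint = cfg.get(section, "cert_fingerprint", fallback=None)
    if cafile and fingerprint:
        return ("ca+fingerprint", cafile)
    if cafile:
        return ("ca", cafile)
    if fingerprint:
        return ("fingerprint", None)
    return ("refuse", None)


def policies(text):
    """Policy per Repository section of the given offlineimaprc text."""
    cfg = load_rc(text)
    return {name: tls_policy(cfg, name)
            for name in cfg.sections() if name.startswith("Repository ")}


def try_unset(text, section, option):
    """Attempt to drop an option the section only inherits from [DEFAULT].
    Returns (removed, still_visible): ConfigParser reports nothing removed and
    the inherited value is still returned, so only an override can change it."""
    cfg = load_rc(text)
    removed = cfg.remove_option(section, option)
    return removed, cfg.has_option(section, option)


if __name__ == "__main__":
    for label, text in (("user config only", USER_RC),
                        ("with packaged default", PACKAGED_DEFAULT + USER_RC)):
        print(label)
        for name, (mode, cafile) in policies(text).items():
            print("  %-28s %-15s %s" % (name, mode, cafile or "-"))
    print("unset inherited value:",
          try_unset(PACKAGED_DEFAULT + USER_RC,
                    "Repository private-remote", "sslcacertfile"))
```

With the packaged default in place the pinned repository silently moves from "fingerprint" to "ca+fingerprint": the chain check now runs first, so a server whose certificate is not signed by a CA in the bundle fails before the pin is ever compared. try_unset shows why a per-repository opt-out would need a sentinel value rather than a missing key, as suggested earlier in the thread.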



Bug#833191: offlineimap: Please add default value of sslcacertfile

2016-08-01 Thread Reuben Thomas
Package: offlineimap
Version: 6.6.1+dfsg1-2
Severity: wishlist

As a bit of Debian integration, it would seem reasonable to add a default
value for sslcacertfile (/etc/ssl/certs/ca-certificates.crt).

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-31-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages offlineimap depends on:
ii  python-imaplib2  2.53-1
pn  python:any   

Versions of packages offlineimap recommends:
ii  python-socks  1.5.0+dfsg-4

Versions of packages offlineimap suggests:
ii  doc-base 0.10.7
pn  python-kerberos  

-- no debconf information