Bug#833191: offlineimap: Please add default value of sslcacertfile
On Tue, Aug 02, 2016 at 12:57:37AM +0100, Reuben Thomas wrote:
> Package: offlineimap
> Version: 6.6.1+dfsg1-2
> Severity: wishlist
>
> As a bit of Debian integration, it would seem reasonable to add a default
> value for sslcacertfile (/etc/ssl/certs/ca-certificates.crt).

The Python3 port of offlineimap (offlineimap3) attempted to do this by using
'OS-DEFAULT' if sslcacertfile is not mentioned, but that caused a regression
and 'cert_fingerprint' stopped working. As a result I have reverted that
change in Debian.

An upstream issue is open for this regression at
https://github.com/OfflineIMAP/offlineimap3/issues/41.

--
Regards
Sudip
Bug#833191: offlineimap: Please add default value of sslcacertfile
On Thu, Sep 08, 2016 at 12:21PM, Reuben Thomas wrote:
> On 8 September 2016 at 12:14, Ilias Tsitsimpis wrote:
> >
> > Currently, the man page does not document any of the available options
> > in the configuration file. These are documented in the example file:
> > /usr/share/doc/offlineimap/examples/offlineimap.conf.gz
> >
> > Maybe we could create an offlineimaprc man page, that would document the
> > above options.
>
> It might be simpler and better simply to add a pointer to the examples
> file to the man page.

ACK. I have fixed that in the latest upload.

--
Ilias
Bug#833191: offlineimap: Please add default value of sslcacertfile
On 8 September 2016 at 12:14, Ilias Tsitsimpis wrote:
>
> Currently, the man page does not document any of the available options
> in the configuration file. These are documented in the example file:
> /usr/share/doc/offlineimap/examples/offlineimap.conf.gz
>
> Maybe we could create an offlineimaprc man page, that would document the
> above options.

It might be simpler and better simply to add a pointer to the examples
file to the man page.

--
http://rrt.sc3d.org
Bug#833191: offlineimap: Please add default value of sslcacertfile
On Thu, Sep 08, 2016 at 11:56AM, Reuben Thomas wrote:
> On 8 September 2016 at 11:48, Ilias Tsitsimpis wrote:
> > This means that if Debian provides a default value for the
> > sslcacertfile, then it is not possible to connect to a server without
> > verifying its certificate (and thus rendering the cert_fingerprint
> > option obsolete).
>
> Is it not possible for the user to unset sslcacertfile?

I don't think it is possible to unset an option using Python's
ConfigParser. We would have to use a special value (just like
OS-DEFAULT) to denote that this option should be disabled.

> If that were necessary in order to use just cert_fingerprint, that would be
> an extra signal to the user that they are making their setup potentially
> less secure.

This should probably be discussed with the upstream. I don't think we
should introduce a change like this in the Debian package.

> > That said, OfflineIMAP provides the special value OS-DEFAULT for the
> > sslcacertfile option which will automatically determine the system-wide
> > location of the standard trusted CA roots file.
>
> That's a help, thanks (I've used it); perhaps it could be documented in
> the man page?

Currently, the man page does not document any of the available options
in the configuration file. These are documented in the example file:
/usr/share/doc/offlineimap/examples/offlineimap.conf.gz

Maybe we could create an offlineimaprc man page, that would document the
above options.

--
Ilias
Bug#833191: offlineimap: Please add default value of sslcacertfile
On 8 September 2016 at 11:48, Ilias Tsitsimpis wrote:
>
> I am afraid this cannot be done easily, because OfflineIMAP distinguishes
> between sslcacertfile having and not having a value.
> [snip]
> This means that if Debian provides a default value for the
> sslcacertfile, then it is not possible to connect to a server without
> verifying its certificate (and thus rendering the cert_fingerprint
> option obsolete).

Is it not possible for the user to unset sslcacertfile? If that were
necessary in order to use just cert_fingerprint, that would be an extra
signal to the user that they are making their setup potentially less
secure.

> That said, OfflineIMAP provides the special value OS-DEFAULT for the
> sslcacertfile option which will automatically determine the system-wide
> location of the standard trusted CA roots file.

That's a help, thanks (I've used it); perhaps it could be documented in
the man page?

--
http://rrt.sc3d.org
Bug#833191: offlineimap: Please add default value of sslcacertfile
Control: tags -1 wontfix

Hi Reuben,

On Tue, Aug 02, 2016 at 12:57AM, Reuben Thomas wrote:
> As a bit of Debian integration, it would seem reasonable to add a default
> value for sslcacertfile (/etc/ssl/certs/ca-certificates.crt).

I am afraid this cannot be done easily, because OfflineIMAP distinguishes
between sslcacertfile having and not having a value.

From the docs:

| sslcacertfile
|
| SSL CA Cert(s) to verify the server cert against (optional).
| No SSL verification is done without this option. If it is
| specified, the CA Cert(s) need to verify the Server cert AND
| match the hostname (* wildcard allowed on the left hand side)
| The certificate should be in PEM format.

and also:

| cert_fingerprint
|
| If you connect via SSL/TLS (ssl = yes) and you have no CA certificate
| specified, OfflineIMAP will refuse to sync as it connects to a server
| with an unknown "fingerprint". If you are sure you connect to the
| correct server, you can then configure the presented server
| fingerprint here. OfflineIMAP will verify that the server fingerprint
| has not changed on each connect and refuse to connect otherwise.
|
| You can also configure fingerprint validation in addition to
| CA certificate validation above and it will check both:
| OfflineIMAP will verify certificate first and if things will be fine,
| fingerprint will be validated.

This means that if Debian provides a default value for the
sslcacertfile, then it is not possible to connect to a server without
verifying its certificate (and thus rendering the cert_fingerprint
option obsolete).

That said, OfflineIMAP provides the special value OS-DEFAULT for the
sslcacertfile option which will automatically determine the system-wide
location of the standard trusted CA roots file.

If you have any suggestion about how this could be fixed, please advise.
In the meantime, I am marking this as WONTFIX.

Best,

--
Ilias
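
Added example, not part of the thread and not OfflineIMAP's own code: it maps the sslcacertfile / cert_fingerprint semantics quoted above onto Python's ConfigParser, and shows why a packaged default turns a fingerprint-only setup into CA verification that the user cannot unset. The section name, the placeholder fingerprint and the DISABLED marker are assumptions made for illustration.

```python
import configparser

DISTRO_CA = "/etc/ssl/certs/ca-certificates.crt"  # path proposed in the bug report
SENTINEL = "DISABLED"  # hypothetical marker, not an OfflineIMAP value

# Constructed user configuration: fingerprint pinning only, no CA file.
USER_CONF = """
[Repository Remote]
ssl = yes
cert_fingerprint = constructed-placeholder-fingerprint
"""

def load(text, distro_default=None):
    """Parse a config, optionally with a packaged default for sslcacertfile."""
    defaults = {"sslcacertfile": distro_default} if distro_default else None
    cp = configparser.ConfigParser(defaults=defaults)
    cp.read_string(text)
    return cp

def verification_mode(cp, section="Repository Remote"):
    """Return the checks the quoted documentation describes (assumes ssl = yes)."""
    ca = cp.get(section, "sslcacertfile", fallback=None)
    if ca == SENTINEL:          # explicit opt-out of the inherited default
        ca = None
    fp = cp.get(section, "cert_fingerprint", fallback=None)
    if ca and fp:
        return "ca+fingerprint"  # certificate first, then fingerprint
    if ca:
        return "ca"
    if fp:
        return "fingerprint"     # pinning only, no CA verification
    return "refuse"              # unknown fingerprint, no CA: no sync

def try_unset(cp, section="Repository Remote"):
    """Try to drop an inherited option; return (removed, still_present)."""
    removed = cp.remove_option(section, "sslcacertfile")
    return removed, cp.has_option(section, "sslcacertfile")

if __name__ == "__main__":
    print(verification_mode(load(USER_CONF)))
    print(verification_mode(load(USER_CONF, DISTRO_CA)))
    print(try_unset(load(USER_CONF, DISTRO_CA)))
    opted_out = USER_CONF + "sslcacertfile = " + SENTINEL + "\n"
    print(verification_mode(load(opted_out, DISTRO_CA)))
```
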
Bug#833191: offlineimap: Please add default value of sslcacertfile
Package: offlineimap
Version: 6.6.1+dfsg1-2
Severity: wishlist

As a bit of Debian integration, it would seem reasonable to add a default
value for sslcacertfile (/etc/ssl/certs/ca-certificates.crt).

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-31-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages offlineimap depends on:
ii  python-imaplib2  2.53-1
pn  python:any

Versions of packages offlineimap recommends:
ii  python-socks  1.5.0+dfsg-4

Versions of packages offlineimap suggests:
ii  doc-base  0.10.7
pn  python-kerberos

-- no debconf information