
Does not check SSL Certificate Revocation Status

Open velleto opened this issue 6 years ago • 3 comments

General information

OfflineIMAP still syncs with the mail server, even if their SSL certificate has been revoked. I realise that this may be expected behavior, or be the fault of my poor configuration of SSL features (below).

I stumbled across this when my university changed their certificates and had revoked ones online for a short maintenance time frame. When the new ones were installed, OfflineIMAP refused to connect, as the fingerprint had changed (as expected and documented).

  • system/distribution (with version): Ubuntu 17.10/ Ubuntu 18.04
  • offlineimap version (offlineimap -V): offlineimap v7.1.5, imaplib2 v2.57 (system), Python v2.7.15rc1, OpenSSL 1.1.0g 2 Nov 2017

Configuration file offlineimaprc

[general]

metadata = somepath/metadata
pythonfile = somepath/offlineimap.py

accounts = email

[Account email]
localrepository     = email-local
remoterepository    = email-remote

[Repository email-local]
type                = Maildir
localfolders        = somepath/[email protected]/mailbox

[Repository email-remote]
type                = IMAP
remotehost          = mail.domain.tld
remoteuser          = myemail
remotepasseval      = keychain("[email protected]")

ssl                 = yes
sslcacertfile       = /etc/ssl/certs/ca-certificates.crt
cert_fingerprint    = 21987e2442191dc606f25fdfc7dce6091416b74a

maxconnections      = 3
holdconnectionopen  = true
createfolders       = false

pythonfile (if any)

Irrelevant to issue.

Logs, error

None.

Steps to reproduce the error

  • This is somewhat difficult for me to reproduce, as I don't have a mail server with a revoked certificate.

velleto, May 10 '18 10:05

We won't check for the SSL validity when using the cert_fingerprint of the certificate. Certificate validation is done with the sslcacertfile option.

See https://github.com/OfflineIMAP/offlineimap/blob/master/offlineimap.conf#L748

nicolas33, May 10 '18 10:05

This is an interesting security issue.

  • Pinning the IMAP server cert (setting the cert fingerprint) in our client config is OK, but maybe add a config option, enabled by default, "verify pinned cert fingerprint is not revoked and halt with error when revoked".
  • On the IMAP server side, many sysadmins can and do automate cert fingerprint pinning for server users by activating DANE TLS on the server DNS, which publishes the TLS cert fingerprint of the IMAP server (and all TLS servers on the domain) in a DNS record for the IMAP server domain.
  • It would be a very good time right now to enable DANE TLS cert checking by default where the TLS connection is made at the OpenSSL client level (in imaplib2.py). When your server supports DANE TLS (cert fingerprint for the IMAP port in DNSSEC), you can skip the maintenance work of having to update the server TLS cert fingerprint in our IMAP client config.

chris001, May 10 '18 15:05

@nicolas33

We won't check for the SSL validity when using the cert_fingerprint of the certificate. Certificate validation is done with the sslcacertfile option.

In that same configuration file it states that:

https://github.com/OfflineIMAP/offlineimap/blob/88197a7e9097a3774aa328c110d9a6692d4cf465/offlineimap.conf#L781-L784

I understand this to mean that: first the certificate will be verified, and then the fingerprint checked, returning an error if either fails. I have configured the sslcacertfile and cert_fingerprint. Have I done so incorrectly, or have I misunderstood the excerpt above? If there has been a misunderstanding, I would suggest changing that wording to be less ambiguous.

velleto, May 10 '18 21:05