Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid

Sun, 14 Nov 2010 00:57:21 -0800 

Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole

offlineimap performs absolutely no ssl certificate checking. So users could/can 
be the victim of a man in the middle attack.
In debian the following bugs exist:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate 
expiration)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint 
checking)

This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
A partial 'fix' is the following(this 'fix' isn't complete and would break 
connections to servers using self-signed certificates):


WARNING XXX: I haven't tested this 'fix' at all and so it is most likely wrong.

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index a60242b..c37688c 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4):
         self.infd.close()
         self.outfd.close()
         self.process.wait()
-        
+
 class sslwrapper:
     def __init__(self, sslsock):
         self.sslsock = sslsock
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT):
         if last_error != 0:
             # FIXME
             raise socket.error(last_error)
-        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
+        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, 
cert_reqs=ssl.CERT_REQUIRED, ca_certs="/etc/ssl/certs/ca-certificates.crt")
         self.sslobj = sslwrapper(self.sslobj)



Although, this isn't complete because it will break self-signed certificate 
using servers and http://bugs.python.org/issue1589 means that it won't provide 
full protection etc.
Really, what is required is that by default the certificate is checked and 
perhaps an option is added to bypass the check.

This isn't a new discovery, see [1], but the package provides no warning about 
this fact. I added a warning too https://github.com/jgoerzen/offlineimap/wiki/ 
perhaps debian can add a warning (in the package description) until this is 
fixed.

[0] - http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to