add option CertificateFileStrict to reject invalid certs from CertificateFile
mailbox synchronizer
Brought to you by:
ossi
Menu
▾
▴
#13 add option CertificateFileStrict to reject invalid certs from CertificateFile
I have a setup using a CertificateFile directive a bit like this:
IMAPAccount XXX Host XXX ... SSLType IMAPS CertificateFile /path/to/dovecot.pem
The certificate has expired:
$ openssl x509 -text -in dovecot.pem -noout
Certificate:
...
Validity
Not Before: Dec 27 00:42:30 2014 GMT
Not After : Dec 26 00:42:30 2016 GMT
Yet I've never seen mbsync warn me about this. Shouldn't it refuse to work, or at the very least emit a warning?
Thanks
I've just found this in the docs:
CertificateFile path File containing additional X.509 certificates used to verify server identities. Directly matched peer certificates are always trusted, regardless of validity.I'd argue that probably isn't a great idea.
given that the primary purpose of this option is forcibly accepting certs which are somehow invalid - specifically expired - refusing to work just isn't an option in the general case. however, there have been requests for more paranoid cert handling before, and in particular in conjunction with 'SystemCertificates no' it makes some sense. i suppose i could add an option CertificateFileStrict or some such.
Ticket moved from /p/isync/bugs/29/
Can't be converted:
i've had another look at this and my tentative conclusion is again that this makes little sense:
if you specify a host cert, you do that to bypass the regular CA chain.
if you specify a CA root (or just rely on the system's trust store), then the cert chain will be fully validated. in that case you aren't supposed to specify the host cert as well.
the only use case where it would matter is if you specify a host cert that is self-signed (so the CA-based path is not taken). given that this is a rare case where you'd likely have full control over the cert, would you really expect mbsync to do the complaining about expiration?