Issue 10274: imaplib should provide a means to validate a remote server ssl certificate(s)

imaplib should provide a means to validate a remote server ssl certificate(s).

So currently imaplib allows you to do the following:

    import imaplib
    conn = imaplib.IMAP4_SSL("imap.gmail.com")

    # the following should fail
    conn = imaplib.IMAP4_SSL("74.125.39.109")
    conn = imaplib.IMAP4_SSL("i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org", 443)
    conn = imaplib.IMAP4_SSL("insert_self_signed_imap_server_here")

However, only the first call ("imap.gmail.com") should NOT result in an error being raised (if the certificate is being checked :) ).

I wasn't able to find a way to get imaplib.IMAP4_SSL to take the certificate for the remote server without wanting a private cert (which wasn't / isn't desired).

If an option or method is added that takes in an optional parameter to validate that the remote IMAP's ssl certificate has been signed by a trusted certificate authority, this would be a good solution.

You can use a custom ssl context to enforce cert and hostname validation:

    import imaplib, ssl
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL("74.125.133.109", ssl_context=ctx)
    Traceback (most recent call last):
      ...
    ssl.CertificateError: hostname '74.125.133.109' doesn't match 'imap.gmail.com'
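
The following guard is an added example, not part of the issue thread or of CPython itself: it wraps the ssl_context approach from the reply above so that a connection is only attempted through a context that validates both the certificate chain and the hostname. The names context_problems, open_verified_imap and weakened_context are hypothetical, and the cafile parameter is an assumed way to trust a private CA for a self-signed internal server instead of turning verification off.

```python
import imaplib
import ssl


def context_problems(ctx):
    """Return the reasons this SSLContext would accept an untrusted server."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not required to validate")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the hostname")
    return problems


def open_verified_imap(host, port=imaplib.IMAP4_SSL_PORT, ctx=None, cafile=None):
    """Connect with IMAP4_SSL only through a context that verifies the peer.

    cafile optionally restricts trust to a private CA bundle (for example an
    internal server's own CA) rather than disabling verification.
    """
    if ctx is None:
        # Default context: CERT_REQUIRED plus hostname checking.
        ctx = ssl.create_default_context(cafile=cafile)
    problems = context_problems(ctx)
    if problems:
        # Fail before any network I/O so no login is sent to an unverified peer.
        raise ValueError("refusing unverified TLS: " + "; ".join(problems))
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


def weakened_context():
    """Constructed example of the setting to avoid: accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Calling open_verified_imap with an IP address or a host whose certificate does not chain to a trusted CA raises an ssl error during the handshake, as in the traceback above.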