OfflineIMAP / offlineimap

Read/sync your IMAP mailboxes (python2) [LEGACY: move to offlineimap3]
http://www.offlineimap.org

Does not check SSL Certificate Revocation Status #548

Open velleto opened 6 years ago

velleto commented 6 years ago

General information

OfflineIMAP still syncs with the mail server, even if its SSL certificate has been revoked. I realise that this may be expected behavior, or be the fault of my poor configuration of SSL features (below).

I stumbled across this when my university changed their certificates and had revoked ones online for a short maintenance time frame. When the new ones were installed, OfflineIMAP refused to connect, as the fingerprint had changed (as expected and documented).

Configuration file offlineimaprc

[general]

metadata = somepath/metadata
pythonfile = somepath/offlineimap.py

accounts = email

[Account email]
localrepository     = email-local
remoterepository    = email-remote

[Repository email-local]
type                = Maildir
localfolders        = somepath/myemail@domain.tld/mailbox

[Repository email-remote]
type                = IMAP
remotehost          = mail.domain.tld
remoteuser          = myemail
remotepasseval      = keychain("myemail@domain.tld")

ssl                 = yes
sslcacertfile       = /etc/ssl/certs/ca-certificates.crt
cert_fingerprint    = 21987e2442191dc606f25fdfc7dce6091416b74a

maxconnections      = 3
holdconnectionopen  = true
createfolders       = false

pythonfile (if any)

Irrelevant to issue.

Logs, error

None.

Steps to reproduce the error

nicolas33 commented 6 years ago

We won't check for the SSL validity when using the cert_fingerprint of the certificate. Certificate validation is done with the sslcacertfile option.

See https://github.com/OfflineIMAP/offlineimap/blob/master/offlineimap.conf#L748

chris001 commented 6 years ago

This is an interesting security issue.

velleto commented 6 years ago

@nicolas33

We won't check for the SSL validity when using the cert_fingerprint of the certificate. Certificate validation is done with the sslcacertfile option.

In that same configuration file it states that:

https://github.com/OfflineIMAP/offlineimap/blob/88197a7e9097a3774aa328c110d9a6692d4cf465/offlineimap.conf#L781-L784

I understand this to mean that: first the certificate will be verified, and then the fingerprint checked, returning an error if either fails. I have configured the sslcacertfile and cert_fingerprint. Have I done so incorrectly, or have I misunderstood the excerpt above? If there has been a misunderstanding, I would suggest changing that wording to be less ambiguous.
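The precedence nicolas33 describes, and the collision velleto asks about, as an added example that is not OfflineIMAP's own code: a small audit that reads an offlineimaprc and reports which IMAP repositories are protected by a fingerprint pin only (the reporter's case, where sslcacertfile is silently unused), plus the pin comparison in isolation to show that neither CA nor revocation data enters it. The sample config is constructed, and the assumption that ssl defaults to yes is marked in the code.

```python
import configparser
import hashlib

# Constructed sample mirroring the reporter's offlineimaprc (placeholder values).
SAMPLE_RC = """
[Repository email-remote]
type = IMAP
remotehost = mail.domain.tld
ssl = yes
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
cert_fingerprint = 21987e2442191dc606f25fdfc7dce6091416b74a
"""

def audit_tls_checks(rc_text):
    """Map each IMAP [Repository ...] to the check OfflineIMAP applies to the
    server certificate, following the maintainer's reply: a configured
    cert_fingerprint is compared and CA-chain validation is skipped.
      'plaintext'   ssl = no
      'fingerprint' pin compared only; sslcacertfile, if set, is ignored
      'ca'          chain validated against sslcacertfile
      'none'        TLS with neither check
    Second tuple element: a warning when both options are set (the reporter's
    configuration). Assumption: ssl defaults to yes when the key is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(rc_text)
    result = {}
    for section in cp.sections():
        if not (section.startswith("Repository ")
                and cp.get(section, "type", fallback="").upper() == "IMAP"):
            continue
        name = section[len("Repository "):]
        pin = cp.get(section, "cert_fingerprint", fallback="").strip()
        cafile = cp.get(section, "sslcacertfile", fallback="").strip()
        if not cp.getboolean(section, "ssl", fallback=True):
            mode = "plaintext"
        elif pin:
            mode = "fingerprint"
        elif cafile:
            mode = "ca"
        else:
            mode = "none"
        warning = ("sslcacertfile ignored: cert_fingerprint takes precedence"
                   if pin and cafile else None)
        result[name] = (mode, warning)
    return result

def pin_matches(der_cert, configured_fingerprints):
    """The fingerprint check in isolation: SHA-1 of the DER-encoded certificate
    against the configured 40-hex-digit pin(s). No CA bundle and no CRL/OCSP
    data are consulted, so a pinned certificate passes even after revocation."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return digest in {f.strip().lower() for f in configured_fingerprints}
```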