nylas / sync-engine

:incoming_envelope: IMAP/SMTP sync system with modern APIs
https://nylas.com/docs/platform
GNU Affero General Public License v3.0
3.5k stars 354 forks

TLS Improvements #373

Closed pfista closed 8 years ago

pfista commented 8 years ago

What this PR does:

Addresses InsecurePlatformWarning

Certain Python platforms (specifically, versions of Python earlier than 2.7.9) have restrictions in their ssl module that limit the configuration that urllib3 can apply. In particular, this can cause HTTPS requests that would succeed on more featureful platforms to fail, and can cause certain security features to be unavailable.

Addresses SNIMissingWarning

Certain Python distributions (specifically, versions of Python earlier than 2.7.9) and older OpenSSLs have restrictions that prevent them from using the SNI (Server Name Indication) extension. This can cause unexpected behaviour when making some HTTPS requests, usually causing the server to present a TLS certificate that is not valid for the website you’re trying to access.

We should be verifying HTTPS requests by default, because security. This will enable HTTPS verification by default, meaning we check that a server’s certificate is signed by a trusted certificate authority.

Furthermore, it temporarily uses older, insecure root certificates from Mozilla (old_where()) to support cross-signed certificates until we can update to 2.7.9 or update OpenSSL.

We still do not verify HTTPS requests for sync-engine-eas. We have a custom HTTPAdapter called RetryHTTPAdapter that does not do verification, probably because our customers are using self-signed certs. I’ve updated that adapter to use ssl.PROTOCOL_SSLv23 to ensure greatest compatibility. While eavesdroppers wouldn’t be able to listen in on the traffic, the connection is still susceptible to a MITM attack. This is why we don't expose any sensitive information through webhooks currently.
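The following is an added example, not code from this PR or from sync-engine. It uses only the standard library (no requests or urllib3) to make the two points above concrete: what conditions trigger InsecurePlatformWarning and SNIMissingWarning, and how a verifying TLS context (the new default) differs from a compatibility-only context like the one RetryHTTPAdapter uses. The function names `platform_tls_issues`, `verifying_context`, `compatibility_context` and `resists_active_mitm` are my own; the `cafile` parameter stands in for the certifi bundle (or old_where()) that the PR passes to requests.

```python
"""Added example (not sync-engine code): what urllib3's platform warnings
check for, and a verifying vs. a compatibility-only TLS client context.
Standard library only, so it runs offline without opening a connection."""
import ssl
import sys


def platform_tls_issues(has_sslcontext=hasattr(ssl, "SSLContext"),
                        has_sni=getattr(ssl, "HAS_SNI", False),
                        version=sys.version_info[:3]):
    """Return the urllib3 warning names this platform would raise.

    urllib3 emits InsecurePlatformWarning when the ssl module lacks
    SSLContext (Python < 2.7.9) and SNIMissingWarning when the OpenSSL
    build has no SNI support. Defaults describe the running interpreter;
    the parameters can be injected to reason about an older build.
    """
    issues = []
    if not has_sslcontext or tuple(version) < (2, 7, 9):
        issues.append("InsecurePlatformWarning")
    if not has_sni:
        issues.append("SNIMissingWarning")
    return issues


def verifying_context(cafile=None):
    """The behaviour the PR enables by default: the server chain must
    validate against a trusted CA bundle and the hostname must match.
    `cafile` is where the certifi bundle (or old_where() for cross-signed
    roots) would go; None falls back to the OS trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both of these; stated explicitly
    # so the contrast with compatibility_context() is visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def compatibility_context():
    """Mirror of the RetryHTTPAdapter behaviour described in the PR:
    negotiate whatever protocol the peer supports and skip verification.
    PROTOCOL_TLS_CLIENT is the modern spelling of PROTOCOL_SSLv23 for a
    client. Traffic is still encrypted, but any certificate is accepted,
    so an active MITM is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def resists_active_mitm(ctx):
    """True only when the chain is required and the hostname is checked;
    either one alone leaves a forged or mismatched certificate accepted."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print("warnings on this interpreter:", platform_tls_issues() or "none")
    print("verifying context resists MITM:",
          resists_active_mitm(verifying_context()))
    print("compatibility context resists MITM:",
          resists_active_mitm(compatibility_context()))
```

With requests, the verifying context corresponds to passing `verify=cafile` (or mounting an HTTPAdapter that hands an equivalent `ssl_context` to its pool manager); the compatibility context is what a `verify=False` adapter amounts to, and `resists_active_mitm` is the one property that separates the two.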