Closed Yannik closed 5 years ago
PROTOCOL_SSLv23 automatically selects the highest available ssl/tls version: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_SSLv23
I would strongly recommend dropping the smtp-ssl-protocol
option alltogether. Selecting the highest available ssl/tls version is always reasonable (I can't think of a single situation where it shouldn't be used) and this simplifies email.py, as well as the effort users need to put into configuring smtp in rss2email.cfg, as they will have to research what SSLv23
actually means. (It's not straight forward that this also enabled TLS).
I have fixed a few issues I stumbled upon, using this in production without any problems now.
Merged in https://github.com/leezu/rss2email/tree/leezu and hopefully to be included in the rss2mail fork having admin access to the pypi package: https://github.com/rss2email/rss2email/pull/13
@Yannik This has been merged in https://github.com/rss2email/rss2email ; care to close this PR? :)
Before this fix, SSL certificates were not verified and the hostname was not matched to the ssl certificate. (Even if the certificates were verified, an attacker could use a free ssl certificate for any domain and it would be accepted.)
Citing Python SSL security considerations (https://docs.python.org/3/library/ssl.html#ssl-security): "For client use, if you don’t have any special requirements for your security policy, it is highly recommended that you use the create_default_context() function to create your SSL context. It will load the system’s trusted CA certificates, enable certificate validation and hostname checking, and try to choose reasonably secure protocol and cipher settings."
This fix is backwards compatible with Python 3.2. These changes overlap with the changes already suggested by wking in this PR: https://github.com/wking/rss2email/pull/59#issuecomment-164196261