RFC: fully secure SMTP connection for "hg email"
Kevin Bullock
kbullock+mercurial at ringworld.org
Sun Mar 17 13:55:13 CDT 2013
On 17 Mar 2013, at 11:42 AM, FUJIWARA Katsunori wrote:
> Hi, devels
>
> We can use a secure connection to the SMTP server by setting "[smtp] tls" to
> starttls or smtps for "hg email".
>
> But, AFAIK, the certificate of the SMTP server isn't verified in the same
> way as it is for HTTPS connections at push/pull operations. This may
> cause a man-in-the-middle security problem.
>
> To connect to an SMTP server safely via (possibly untrusted) networks, its
> certificate should be verified: e.g. mail transmission via a GMail
> account.
>
> So, I tried to verify the certificate of the SMTP server before the
> authentication/transmission step of SMTP, but it seems to be difficult
> to do so in the same way as the verification for HTTPS connections, because:
>
> - in smtplib, "ssl.wrap_socket()" is invoked for STARTTLS/SMTPS
> without an explicit "cert_reqs" argument, so the default value
> "CERT_NONE" is used for it:
>
> http://hg.python.org/cpython/file/59292f366b53/Lib/smtplib.py#l635
> http://hg.python.org/cpython/file/59292f366b53/Lib/smtplib.py#l874
It seems like we should be able to do the certificate verification when we set up the SMTP connection <http://selenic.com/hg/file/tip/mercurial/mail.py#l33>. For the SMTPS case, we can pass the certfile parameter to smtplib.SMTP_SSL(), and for the STARTTLS case, we can pass it in when we call s.starttls().
That assumes we have the CA certificate bundle configured à la web.cacerts (in fact, we should reuse that setting, or rename it and deprecate the old one). I'm not clear on how you're suggesting to verify it by fingerprint, without monkey-patching smtplib... could you elaborate?
pacem in terris / мир / शान्ति / سَلاَم / 平和
Kevin R. Bullock
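The two approaches discussed in this thread (verifying the SMTP server certificate against a CA bundle the way HTTPS push/pull does, or pinning it by fingerprint) can both be done with the standard library, without monkey-patching smtplib, once smtplib accepts an SSLContext. The example below is added here for illustration; it is not Mercurial's mail.py and not the patch under discussion. It assumes Python 3.4 or later (SMTP_SSL(context=...), starttls(context=...) and ssl.create_default_context(), none of which existed in the Python 2 smtplib linked above), and the function and parameter names (make_context, connect_verified, the "cacerts" and "fingerprints" arguments) are hypothetical stand-ins for whatever config keys the extension would read.

```python
import hashlib
import hmac
import smtplib
import ssl

# Constructed sample bytes standing in for a DER-encoded server certificate;
# not a real certificate, used only to exercise the fingerprint helpers offline.
CONSTRUCTED_DER = b"constructed-stand-in-for-a-DER-certificate"


def make_context(cacerts=None, pinned=False):
    """Build the SSLContext used for both SMTPS and STARTTLS.

    cacerts: path to a PEM bundle (the analogue of web.cacerts). None means
             the platform trust store.
    pinned:  when True the chain/hostname check is switched off because the
             caller will compare the leaf certificate's fingerprint instead.
    """
    ctx = ssl.create_default_context(cafile=cacerts)
    if pinned:
        # Order matters: check_hostname must be cleared before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fingerprint_sha256(der_cert):
    """Hex SHA-256 fingerprint of a DER certificate (what `openssl x509
    -fingerprint -sha256` prints, minus the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_fingerprint(der_cert, expected):
    """Constant-time comparison against a user-supplied fingerprint, which may
    be written with colons and in either case."""
    want = expected.replace(":", "").strip().lower()
    have = fingerprint_sha256(der_cert)
    return hmac.compare_digest(have, want)


def connect_verified(host, port, mode, cacerts=None, fingerprints=()):
    """Open an SMTP session whose TLS peer has been verified, either by the
    CA bundle (default) or by a pinned SHA-256 fingerprint.

    mode is 'smtps' (implicit TLS) or 'starttls'. Raises ssl.SSLError if a
    pinned fingerprint does not match; CA failures raise from smtplib/ssl.
    """
    ctx = make_context(cacerts, pinned=bool(fingerprints))
    if mode == "smtps":
        s = smtplib.SMTP_SSL(host, port, context=ctx)
    elif mode == "starttls":
        s = smtplib.SMTP(host, port)
        s.starttls(context=ctx)
    else:
        raise ValueError("mode must be 'smtps' or 'starttls'")

    if fingerprints:
        # Verification happens before any AUTH or MAIL FROM is sent.
        der = s.sock.getpeercert(binary_form=True)
        if not any(matches_fingerprint(der, fp) for fp in fingerprints):
            s.close()
            raise ssl.SSLError(
                "certificate fingerprint %s for %s does not match any "
                "configured fingerprint" % (fingerprint_sha256(der), host))
    return s


if __name__ == "__main__":
    # Network use, e.g. (hostname and port are placeholders):
    #   connect_verified("smtp.example.org", 465, "smtps",
    #                    cacerts="/etc/ssl/certs/ca-certificates.crt")
    # Offline check of the pinning helper against the constructed bytes:
    print(matches_fingerprint(CONSTRUCTED_DER,
                              fingerprint_sha256(CONSTRUCTED_DER).upper()))
```

The important property is that with the CA-bundle path the context has verify_mode CERT_REQUIRED and check_hostname on, so a wrong or self-signed certificate fails the handshake before any credentials are sent; with pinning, the handshake is allowed to complete against any certificate but the session is torn down unless the leaf's SHA-256 matches, which also covers servers whose certificate is not signed by a known CA.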