RFC: fully secure SMTP connection for "hg email"

Kevin Bullock kbullock+mercurial at ringworld.org
Sun Mar 17 13:55:13 CDT 2013


On 17 Mar 2013, at 11:42 AM, FUJIWARA Katsunori wrote:

> Hi, devels
> 
> We can use secure connection to SMTP server by setting "[smtp] tls" to
> starttls or smtps for "hg email".
> 
> But, AFAIK, the certificate of the SMTP server isn't verified in the
> same way as for HTTPS connections during push/pull operations. This may
> cause a man-in-the-middle security problem.
> 
> To connect to an SMTP server safely via (maybe untrusted) networks, its
> certificate should be verified: e.g. mail transmission via a GMail
> account.
> 
> So, I tried to verify the certificate of the SMTP server before the
> authentication/transmission step of SMTP, but it seems difficult to do
> so in the same way as verification for HTTPS connections, because:
> 
>  - in smtplib, "ssl.wrap_socket()" is invoked for STARTTLS/SMTPS
>    without explicit "cert_reqs" argument, so default value
>    "CERT_NONE" is used for it:
> 
>      http://hg.python.org/cpython/file/59292f366b53/Lib/smtplib.py#l635
>      http://hg.python.org/cpython/file/59292f366b53/Lib/smtplib.py#l874

It seems like we should be able to do the certificate verification when we set up the SMTP connection <http://selenic.com/hg/file/tip/mercurial/mail.py#l33>. For the SMTPS case, we can pass the certfile parameter to smtplib.SMTP_SSL(), and for the STARTTLS case, we can pass it in when we call s.starttls().

That assumes we have the CA certificate bundle configured à la web.cacerts (in fact, we should reuse that setting, or rename it and deprecate the old one). I'm not clear on how you're suggesting to verify it by fingerprint, without monkey-patching smtplib... could you elaborate?

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
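The verified connection discussed above, as an added example that is not from the thread or from Mercurial's mail.py. It assumes Python 3's smtplib, whose SMTP_SSL() and starttls() accept a context keyword, and it also covers the fingerprint-pinning alternative raised in the question, so the CA-bundle path and the pinned path sit side by side.

```python
# Added example (not Mercurial code): open the SMTP session so that the
# server certificate is actually verified, instead of smtplib's default
# ssl.wrap_socket() call, which leaves cert_reqs at CERT_NONE.
import hashlib
import smtplib
import ssl


def verifying_context(cafile=None):
    """Context that requires a chain to a trusted CA and checks the hostname.
    `cafile` is the CA bundle the thread proposes reusing (web.cacerts);
    None means the platform's default trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # smtplib alone would use CERT_NONE
    ctx.check_hostname = True
    return ctx


def pinning_context():
    """Context for fingerprint pinning: TLS without CA validation, so the
    caller MUST compare the peer certificate against a known fingerprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint_matches(der_cert, expected_hex):
    """True if the SHA-256 of a DER certificate equals expected_hex
    (case-insensitive, optional ':' separators as in 'AB:CD:...')."""
    want = expected_hex.replace(":", "").lower()
    return hashlib.sha256(der_cert).hexdigest() == want


def open_smtp(host, port, tls_mode, cafile=None, fingerprint=None):
    """Connect as [smtp] tls = starttls | smtps would, but verify the server:
    by CA bundle, or by a pinned SHA-256 fingerprint when one is given."""
    ctx = pinning_context() if fingerprint else verifying_context(cafile)
    if tls_mode == "smtps":
        s = smtplib.SMTP_SSL(host, port, context=ctx)
    else:
        s = smtplib.SMTP(host, port)
        s.starttls(context=ctx)            # handshake fails if CA check fails
    if fingerprint:
        der = s.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(der, fingerprint):
            s.close()                      # refuse before AUTH sends a password
            raise ssl.SSLError("SMTP server certificate fingerprint mismatch")
    return s
```

Checking the fingerprint before AUTH matters because the password would otherwise be sent to whoever terminated the TLS session.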
