RFC: fully secure SMTP connection for "hg email"

Kevin Bullock kbullock+mercurial at ringworld.org
Tue Mar 19 09:47:34 CDT 2013


On 19 Mar 2013, at 1:41 AM, FUJIWARA Katsunori wrote:

> According to comment of "SMTP.starttls()", SSL socket created with
> CERT_NONE seems not to check the certificate of peer.
> 
>        If the server supports TLS, this will encrypt the rest of the SMTP
>        session. If you provide the keyfile and certfile parameters,
>        the identity of the SMTP server and client can be checked. This,
>        however, depends on whether the socket module really checks the
>                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        certificates.
>        ^^^^^^^^^^^^

...but I think this is lying <http://docs.python.org/2/library/ssl.html#module-ssl>:

    The keyfile and certfile parameters specify optional files which contain a certificate to be used to identify the local side of the connection.
                     ^^^^^

> In addition to it, "certfile" parameter to SSLSocket requires
> "keyfile", because "certfile" is also used as keyfile (and causes
> error in connection step) if "keyfile" is not specified:

Bwuh? I guess the certfile option is for _client_ certificate authentication. Not that you'd know from the documentation <http://docs.python.org/2/library/smtplib.html>:

    ... keyfile and certfile are also optional, and can contain a PEM formatted private key and certificate chain file for the SSL connection. ...

>> That assumes we have the CA certificate bundle configured à la
>> web.cacerts (in fact, we should reuse that setting, or rename it and
>> deprecate the old one). I'm not clear on how you're suggesting to
>> verify it by fingerprint, without monkey-patching smtplib... could
>> you elaborate?
> 
> IMHO, for monkey-patching smtplib, "SMTP_SSL._get_socket()" and
> "SMTP.starttls()" should be fully overridden.
> 
> Overriding them for just one Python version seems not to be so
> difficult.
> 
> But I'm not sure that keeping compatibility of monkey-patched them
> against any Python versions is reasonable (and good for policy of
> Mercurial code) enough.

We would only have to override them for two Python versions (modulo differences between 2.6.x point releases), because smtplib doesn't support SSL before 2.6. We do the same thing for HTTPS certificate checking -- I think we issue a warning if the Python you're running doesn't support SSL (for our purposes).

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
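The server-authenticating STARTTLS the thread is after, written here as an added Python 3 example (not code from the thread or from Mercurial): smtplib.SMTP.starttls() has accepted an SSLContext since Python 3.3, so the monkey-patching discussed above is unnecessary there. The CA-bundle mode plays the role of web.cacerts; the fingerprint mode, its colon-separated SHA-256 text format, and the class and parameter names are assumptions of this example.

```python
import hashlib
import hmac
import smtplib
import ssl


def make_context(cafile=None, pinned=False):
    """Build the client SSLContext. With pinned=True the caller checks the
    certificate fingerprint after the handshake, so CA/hostname validation is
    switched off (self-signed certificates are the usual pinning case).
    Otherwise the peer must chain to `cafile` (or the system bundle) and
    match the hostname, neither of which CERT_NONE ever checks."""
    if pinned:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def sha256_fingerprint(der_cert):
    """Colon-separated lowercase hex SHA-256 of a DER certificate
    (assumed text format; not a format Mercurial defines)."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert, expected):
    """Constant-time comparison; tolerates upper case and missing colons."""
    wanted = expected.replace(":", "").lower()
    return hmac.compare_digest(hashlib.sha256(der_cert).hexdigest(), wanted)


class VerifyingSMTP(smtplib.SMTP):
    """smtplib.SMTP whose STARTTLS step actually authenticates the server."""

    def __init__(self, host, port=0, cafile=None, fingerprint=None, **kw):
        self._fingerprint = fingerprint
        self._ctx = make_context(cafile, pinned=fingerprint is not None)
        super().__init__(host, port, **kw)

    def starttls_verified(self):
        self.starttls(context=self._ctx)  # ssl module does CA + hostname check
        if self._fingerprint is not None:
            der = self.sock.getpeercert(binary_form=True)
            if not fingerprint_matches(der, self._fingerprint):
                self.close()
                raise ssl.SSLError("SMTP server certificate fingerprint mismatch")
```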

