[PATCH 1 of 9 V2] mail: unsupport smtp.verifycert (BC)

Yuya Nishihara yuya at tcha.org
Wed Jun 1 13:51:16 UTC 2016


On Tue, 31 May 2016 19:21:57 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1464747586 25200
> #      Tue May 31 19:19:46 2016 -0700
> # Node ID a17ef4b3ffc9394a49edf4b509fbac04d223b324
> # Parent  48b38b16a8f83ea98ebdf0b370f59fd90dc17935
> mail: unsupport smtp.verifycert (BC)
> 
> smtp.verifycert was accidentally broken by cca59ef27e60. The current
> code refuses to talk to a remote server unless the CA is trusted or
> the fingerprint is validated. In other words, we lost the ability
> for smtp.verifycert to lower/disable security.
> 
> There are special considerations for smtp.verifycert in
> sslutil.validatesocket() (the "strict" argument). This violates
> the direction sslutil is evolving towards, which has all security
> options determined at wrapsocket() time and a unified code path and
> configs for determining security options.
> 
> Since smtp.verifycert is broken and since we'll soon have new
> security defaults and new mechanisms for controlling host security,
> formally deprecate smtp.verifycert. With this patch, the socket
> security code in mail.py now effectively mirrors code in url.py and
> other places we're doing socket security.

(+CC foozy as he should know the detail of smtp.verifycert)

I second this change, but "broken by cca59ef27e60" shouldn't be a reason.
It isn't even released.

> -``verifycert``
> -    Optional. Verification for the certificate of mail server, when
> -    ``tls`` is starttls or smtps. "strict", "loose" or False. For
> -    "strict" or "loose", the certificate is verified as same as the
> -    verification for HTTPS connections (see ``[hostfingerprints]`` and
> -    ``[web] cacerts`` also). For "strict", sending email is also
> -    aborted, if there is no configuration for mail server in
> -    ``[hostfingerprints]`` and ``[web] cacerts``.  --insecure for
> -    :hg:`email` overwrites this as "loose". (default: strict)
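Review bot: once this doc entry is deleted, nothing tells a user who still has ``smtp.verifycert`` set that the knob is now ignored, even though the commit message describes the change as a formal deprecation and flags it (BC). Consider replacing the removed block with a one-line entry stating that ``verifycert`` is deprecated and has no effect (or emitting a warning when it is set), so the behaviour change is discoverable from the help text rather than only from silently changed TLS handling.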

IIRC, this option was introduced to mitigate the risk of a breaking change
in a stable release, where a user has web.cacerts but their SMTP server might
provide a self-signed certificate, for example. For this purpose, "loose"
seems useless. Also, "loose" appears not to have worked from the beginning if
cacerts are available.

Now that we're going to add a config knob to control per-host security features,
and we'll provide a hint for it, I think dropping smtp.verifycert is
acceptable.

The series looks good to me except for a few nits.

