david b
2010-Nov-14 08:55 UTC
[Secure-testing-team] Bug#603450: offlineimap: fails to check that the remote server's SSL certificate is valid
Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole
offlineimap performs absolutely no SSL certificate checking. So users could/can
be the victims of a man-in-the-middle attack.
In Debian the following bugs exist:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate expiration)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re SSL fingerprint checking)
This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
A partial 'fix' is the following (this 'fix' isn't complete and would break
connections to servers using self-signed certificates):
WARNING XXX: I haven't tested this 'fix' at all and so it is most likely wrong.
diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index a60242b..c37688c 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4):
self.infd.close()
self.outfd.close()
self.process.wait()
-
+
class sslwrapper:
def __init__(self, sslsock):
self.sslsock = sslsock
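Review bot: the `-`/`+` pair between `self.process.wait()` and `class sslwrapper:` changes only whitespace on a blank line and is unrelated to certificate checking; drop this hunk so the patch carries nothing but the security fix.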
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '''', port =
IMAP4_SSL_PORT):
if last_error != 0:
# FIXME
raise socket.error(last_error)
- self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
+ self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs="/etc/ssl/certs/ca-certificates.crt")
self.sslobj = sslwrapper(self.sslobj)
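Review bot: the added `ca_certs="/etc/ssl/certs/ca-certificates.crt"` hard-codes a Debian-specific bundle path, and the hunk depends on `ssl_wrap` forwarding `cert_reqs` and `ca_certs` through to `ssl.wrap_socket`, which is not visible here; make the CA bundle a configurable setting, confirm that the `ssl` module is imported in this file (the hunk references `ssl.CERT_REQUIRED`), and, after the handshake, compare the peer certificate's subject with the `host` parameter from the enclosing `new_open_ssl(self, host = ...)`, since `CERT_REQUIRED` alone only validates the chain and not that the certificate was issued for the server being contacted.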
Although, this isn't complete because it will break servers using self-signed
certificates, and http://bugs.python.org/issue1589 means that it won't provide
full protection etc.
Really, what is required is that by default the certificate is checked, and
perhaps an option is added to bypass the check.
This isn't a new discovery, see [1], but the package provides no warning about
this fact. I added a warning to https://github.com/jgoerzen/offlineimap/wiki/;
perhaps Debian can add a warning (in the package description) until this is
fixed.
[1] http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760
-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
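The report asks for three things: verification against a CA bundle by default, a way to pin a certificate fingerprint for self-signed servers (Debian bug 153240), and a hostname check (the gap left by Python issue 1589), with an explicit opt-out. The following is an added example of that shape in Python 3, not code from the report or from offlineimap. It uses `ssl.SSLContext` and `check_hostname`, which did not exist in the 2010-era `ssl`/`imaplib` the report targets; the CA bundle path is the one named in the report; `CONSTRUCTED_CERT_DER` is placeholder bytes standing in for a DER certificate and is not a real certificate.

```python
"""Certificate verification for an IMAP-over-SSL client (added example, not
offlineimap code): verify against a CA bundle with hostname checking by
default, or pin a SHA-256 fingerprint, with an explicit opt-out."""
import hashlib
import hmac
import imaplib
import ssl

# Debian's system CA bundle, as named in the bug report.
DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed placeholder standing in for a DER-encoded peer certificate.
# Not a parseable certificate; only its bytes matter for fingerprinting.
CONSTRUCTED_CERT_DER = b"\x30\x82\x00\x10constructed-cert-bytes-for-demo"


def build_context(mode="ca", ca_bundle=None):
    """Return an SSLContext for the chosen verification mode.

    "ca"          verify the chain against a CA bundle and check the hostname
                  (the default, and what the report asks for).
    "fingerprint" skip CA verification; the caller must compare the peer's
                  fingerprint after the handshake (see connect_imap).
    "none"        no verification at all; explicit opt-out only.
    """
    if mode == "ca":
        # create_default_context already sets CERT_REQUIRED, check_hostname
        # and loads the platform's default CA store.
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
        if ca_bundle is not None:
            ctx.load_verify_locations(cafile=ca_bundle)
        return ctx
    if mode in ("fingerprint", "none"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # check_hostname must be disabled before verify_mode may be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError("unknown verification mode: %r" % (mode,))


def describe_context(ctx):
    """(verify mode name, hostname checking) for a context, for inspection."""
    return (ctx.verify_mode.name, ctx.check_hostname)


def sha256_fingerprint(der_cert):
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; compare in one canonical form."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(der_cert, expected_fp):
    """Constant-time comparison of the peer certificate against a pinned value."""
    actual = _normalise(sha256_fingerprint(der_cert)).encode("ascii")
    expected = _normalise(expected_fp).encode("ascii")
    return hmac.compare_digest(actual, expected)


def connect_imap(host, port=imaplib.IMAP4_SSL_PORT, mode="ca",
                 ca_bundle=None, expected_fp=None):
    """Open an IMAP4_SSL connection, refusing peers that fail verification.

    In "ca" mode the handshake itself raises ssl.SSLCertVerificationError if
    the chain or the hostname is wrong.  In "fingerprint" mode the DER peer
    certificate is fetched after the handshake and compared with expected_fp.
    """
    if mode == "fingerprint" and not expected_fp:
        raise ValueError("fingerprint mode requires expected_fp")
    ctx = build_context(mode, ca_bundle)
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    if mode == "fingerprint":
        der = conn.socket().getpeercert(binary_form=True)
        if not fingerprint_matches(der, expected_fp):
            conn.shutdown()
            raise ssl.SSLError("fingerprint mismatch for %s: got %s"
                               % (host, sha256_fingerprint(der)))
    return conn


if __name__ == "__main__":
    pinned = sha256_fingerprint(CONSTRUCTED_CERT_DER)
    print("default mode:", describe_context(build_context("ca")))
    print("pinned fingerprint:", pinned)
    print("tampered cert accepted?",
          fingerprint_matches(CONSTRUCTED_CERT_DER + b"x", pinned))
```

The "ca" path is the one a client should take by default; "fingerprint" exists for the self-signed case the report worries about, and "none" is deliberately a separate, named choice so that disabling verification can never happen by accident. Nothing in the block opens a network connection unless `connect_imap` is called.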