From: John Keeping <john@keeping.me.uk>
To: Junio C Hamano <gitster@pobox.com>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
Ramkumar Ramachandra <artagnon@gmail.com>,
Git List <git@vger.kernel.org>
Subject: Re: [PATCH v2 2/2] send-email: introduce sendemail.smtpsslcertpath
Date: Fri, 5 Jul 2013 19:43:33 +0100 [thread overview]
Message-ID: <20130705184333.GN9161@serenity.lan> (raw)
In-Reply-To: <7vehbc7tcc.fsf@alter.siamese.dyndns.org>
On Fri, Jul 05, 2013 at 11:30:11AM -0700, Junio C Hamano wrote:
> John Keeping <john@keeping.me.uk> writes:
>
> > On Fri, Jul 05, 2013 at 10:20:11AM -0700, Junio C Hamano wrote:
> >> "brian m. carlson" <sandals@crustytoothpaste.net> writes:
> >>
> >> > You've covered the STARTTLS case, but not the SSL one right above it.
> >> > Someone using smtps on port 465 will still see the warning. You can
> >> > pass SSL_verify_mode to Net::SMTP::SSL->new just like you pass it to
> >> > start_SSL.
> >>
> >> OK, will a fix-up look like this on top of 1/2 and 2/2?
> >
> > According to IO::Socket::SSL [1], if neither SSL_ca_file nor SSL_ca_path
> > is specified then builtin defaults will be used, so I wonder if we
> > should pass SSL_VERIFY_PEER regardless (possibly with a switch for
> > SSL_VERIFY_NONE if people really need that).
> >
> > [1] http://search.cpan.org/~sullr/IO-Socket-SSL-1.951/lib/IO/Socket/SSL.pm
>
> Interesting. That frees us from saying "we assume /etc/ssl/cacerts
> is the default location, and let the users override it".
>
> To help those "I do not want verification because I know my server
> does not present valid certificate, I know my server is internal and
> trustable, and I do not bother to fix it" people, we can let them
> specify an empty string (or any non-directory) as the CACertPath,
> and structure the code like so?
>
> if (defined $smtp_ssl_cert_path && -d $smtp_ssl_cert_path) {
> return (SSL_verify_mode => SSL_VERIFY_PEER,
> SSL_ca_path => $smtp_ssl_cert_path);
> } elsif (defined $smtp_ssl_cert_path) {
> return (SSL_verify_mode => SSL_VERIFY_NONE);
> } else {
> return (SSL_verify_mode => SSL_VERIFY_PEER);
> }
I'd rather have '$smtp_ssl_cert_path ne ""' in the first if condition
(instead of the '-d $smtp_ssl_cert_path') but that seems reasonable and
agrees with my reading of the documentation.
Perhaps a complete solution could allow CA files as well:
if (defined $smtp_ssl_cert_path) {
if ($smtp_ssl_cert_path eq "") {
return (SSL_verify_mode => SSL_VERIFY_NONE);
} elsif (-f $smtp_ssl_cert_path) {
return (SSL_verify_mode => SSL_VERIFY_PEER,
SSL_ca_file => $smtp_ssl_cert_path);
} else {
return (SSL_verify_mode => SSL_VERIFY_PEER,
SSL_ca_path => $smtp_ssl_cert_path);
}
} else {
return (SSL_verify_mode => SSL_VERIFY_PEER);
}
next prev parent reply other threads:[~2013-07-05 18:43 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-05 12:05 [PATCH v2 0/2] Squelch warning from send-email Ramkumar Ramachandra
2013-07-05 12:05 ` [PATCH v2 1/2] send-email: squelch warning from Net::SMTP::SSL Ramkumar Ramachandra
2013-07-06 14:28 ` Torsten Bögershausen
2013-07-06 14:32 ` brian m. carlson
2013-07-06 15:49 ` Torsten Bögershausen
2013-07-14 13:49 ` Ramkumar Ramachandra
2013-07-14 17:03 ` brian m. carlson
2013-07-14 21:49 ` Ramkumar Ramachandra
2013-07-15 3:07 ` Torsten Bögershausen
2013-07-15 4:15 ` Junio C Hamano
2013-07-16 0:15 ` [PATCH] send-email: improve SSL certificate verification brian m. carlson
2013-07-16 2:33 ` Torsten Bögershausen
2013-07-16 2:35 ` brian m. carlson
2013-07-18 16:53 ` Re* " Junio C Hamano
2013-07-18 17:36 ` Ramkumar Ramachandra
2013-07-05 12:05 ` [PATCH v2 2/2] send-email: introduce sendemail.smtpsslcertpath Ramkumar Ramachandra
2013-07-05 12:33 ` Eric Sunshine
2013-07-05 12:36 ` Ramkumar Ramachandra
2013-07-05 12:45 ` brian m. carlson
2013-07-05 12:53 ` Ramkumar Ramachandra
2013-07-05 13:01 ` brian m. carlson
2013-07-05 17:20 ` Junio C Hamano
2013-07-05 17:47 ` John Keeping
2013-07-05 18:30 ` Junio C Hamano
2013-07-05 18:43 ` John Keeping [this message]
2013-07-06 6:25 ` Junio C Hamano
2013-07-06 11:46 ` John Keeping
2013-07-07 4:12 ` Junio C Hamano
2013-07-07 9:02 ` John Keeping
2013-07-05 20:29 ` brian m. carlson
2013-07-07 5:54 ` Jeff King
2013-07-07 10:01 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130705184333.GN9161@serenity.lan \
--to=john@keeping.me.uk \
--cc=artagnon@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).