From: John Keeping <john@keeping.me.uk>
To: Junio C Hamano <gitster@pobox.com>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
Ramkumar Ramachandra <artagnon@gmail.com>,
Git List <git@vger.kernel.org>
Subject: Re: [PATCH v2 2/2] send-email: introduce sendemail.smtpsslcertpath
Date: Fri, 5 Jul 2013 19:43:33 +0100
Message-ID: <20130705184333.GN9161@serenity.lan>
In-Reply-To: <7vehbc7tcc.fsf@alter.siamese.dyndns.org>

On Fri, Jul 05, 2013 at 11:30:11AM -0700, Junio C Hamano wrote:
> John Keeping <john@keeping.me.uk> writes:
>
> > On Fri, Jul 05, 2013 at 10:20:11AM -0700, Junio C Hamano wrote:
> >> "brian m. carlson" <sandals@crustytoothpaste.net> writes:
> >>
> >> > You've covered the STARTTLS case, but not the SSL one right above it.
> >> > Someone using smtps on port 465 will still see the warning. You can
> >> > pass SSL_verify_mode to Net::SMTP::SSL->new just like you pass it to
> >> > start_SSL.
> >>
> >> OK, will a fix-up look like this on top of 1/2 and 2/2?
> >
> > According to IO::Socket::SSL [1], if neither SSL_ca_file nor SSL_ca_path
> > is specified then builtin defaults will be used, so I wonder if we
> > should pass SSL_VERIFY_PEER regardless (possibly with a switch for
> > SSL_VERIFY_NONE if people really need that).
> >
> > [1] http://search.cpan.org/~sullr/IO-Socket-SSL-1.951/lib/IO/Socket/SSL.pm
>
> Interesting. That frees us from saying "we assume /etc/ssl/cacerts
> is the default location, and let the users override it".
>
> To help those "I do not want verification because I know my server
> does not present valid certificate, I know my server is internal and
> trustable, and I do not bother to fix it" people, we can let them
> specify an empty string (or any non-directory) as the CACertPath,
> and structure the code like so?
>
> if (defined $smtp_ssl_cert_path && -d $smtp_ssl_cert_path) {
>     return (SSL_verify_mode => SSL_VERIFY_PEER,
>             SSL_ca_path => $smtp_ssl_cert_path);
> } elsif (defined $smtp_ssl_cert_path) {
>     return (SSL_verify_mode => SSL_VERIFY_NONE);
> } else {
>     return (SSL_verify_mode => SSL_VERIFY_PEER);
> }

I'd rather have '$smtp_ssl_cert_path ne ""' in the first if condition
(instead of the '-d $smtp_ssl_cert_path') but that seems reasonable and
agrees with my reading of the documentation.

Perhaps a complete solution could allow CA files as well:

if (defined $smtp_ssl_cert_path) {
    if ($smtp_ssl_cert_path eq "") {
        return (SSL_verify_mode => SSL_VERIFY_NONE);
    } elsif (-f $smtp_ssl_cert_path) {
        return (SSL_verify_mode => SSL_VERIFY_PEER,
                SSL_ca_file => $smtp_ssl_cert_path);
    } else {
        return (SSL_verify_mode => SSL_VERIFY_PEER,
                SSL_ca_path => $smtp_ssl_cert_path);
    }
} else {
    return (SSL_verify_mode => SSL_VERIFY_PEER);
}
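
The following is an added, stand-alone example written for this page; it is not code from the thread, from git's send-email, or from any later git release. It takes the option-selection logic discussed above (unset means verify against the library's builtin CA defaults, empty string means opt out, a file means SSL_ca_file, a directory means SSL_ca_path) and shows the two things a practitioner would want around it: the same option list is handed to both the smtps (port 465) constructor and the STARTTLS upgrade, which is the gap brian pointed out, and the peer's hostname is checked as well as its chain, since SSL_verify_mode => SSL_VERIFY_PEER alone accepts any certificate a trusted CA has issued. The sub name ssl_verify_params, the SMTP_* environment variables, the temporary file and directory standing in for a CA bundle and CA directory, and the host smtp.example.com are all assumptions made for the example. It dry-runs offline; the network path only runs when SMTP_SERVER is set.

```perl
#!/usr/bin/perl
# Added example (not git's send-email code): derive IO::Socket::SSL
# verification options from a sendemail.smtpsslcertpath-style value and
# use them on both the smtps and STARTTLS paths.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);
use File::Temp qw(tempfile tempdir);

# Returns key/value pairs for Net::SMTP::SSL->new or IO::Socket::SSL->start_SSL.
# $cert_path is the configured value (undef when unset); $server is the name
# the certificate must match. Both parameters are this example's own.
sub ssl_verify_params {
    my ($cert_path, $server) = @_;

    # Chain validation plus hostname check. IO::Socket::SSL only checks the
    # name when a scheme is given; 'smtp' is one of its documented schemes.
    my @verify_peer = (
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'smtp',
        SSL_verifycn_name   => $server,
    );

    # Unset: verify against the library's builtin default CA store.
    return @verify_peer unless defined $cert_path;

    # Explicit empty string is the opt-out; make it loud, never silent.
    if ($cert_path eq '') {
        warn "SSL certificate verification DISABLED for $server\n";
        return (SSL_verify_mode => SSL_VERIFY_NONE);
    }

    # A bundle file (one PEM file) versus a hashed CA directory.
    return (@verify_peer, SSL_ca_file => $cert_path) if -f $cert_path;
    return (@verify_peer, SSL_ca_path => $cert_path) if -d $cert_path;

    # Anything else is a typo: refuse rather than silently weaken verification.
    die "CA path '$cert_path' is neither a file nor a directory\n";
}

# Dry run: a temporary file and directory stand in for a real CA bundle and
# CA directory (constructed for the example; their contents are irrelevant here).
my (undef, $bundle) = tempfile(UNLINK => 1);
my $cadir = tempdir(CLEANUP => 1);

for my $case ([undef,   'unset (library defaults)'],
              ['',      'empty string (opt-out)'],
              [$bundle, 'CA bundle file'],
              [$cadir,  'CA directory']) {
    my ($value, $label) = @$case;
    my %opts = ssl_verify_params($value, 'smtp.example.com');
    print "$label:\n";
    print "  $_ => $opts{$_}\n" for sort keys %opts;
}
my %unused = eval { ssl_verify_params('/no/such/ca', 'smtp.example.com') };
print "typo'd path: $@" if $@;

# Live use, guarded so the script stays offline by default, e.g.:
#   SMTP_SERVER=smtp.example.com SMTP_PORT=465 perl this_example.pl
if (my $server = $ENV{SMTP_SERVER}) {
    require Net::SMTP;
    require Net::SMTP::SSL;    # the module the thread is about
    my $port = $ENV{SMTP_PORT} || 465;
    my %opts = ssl_verify_params($ENV{SMTP_SSL_CERT_PATH}, $server);
    my $smtp;
    if ($port == 465) {
        # Implicit TLS (smtps): the options go to the constructor.
        $smtp = Net::SMTP::SSL->new($server, Port => $port, %opts)
            or die "smtps connect failed: " . IO::Socket::SSL::errstr() . "\n";
    } else {
        # STARTTLS: plain connection first, then upgrade the socket with the
        # very same options.
        $smtp = Net::SMTP->new($server, Port => $port)
            or die "connect to $server:$port failed\n";
        $smtp->command('STARTTLS');
        $smtp->response();
        $smtp->code == 220 or die "server refused STARTTLS\n";
        $smtp = Net::SMTP::SSL->start_SSL($smtp, %opts)
            or die "STARTTLS failed: " . IO::Socket::SSL::errstr() . "\n";
    }
    print "TLS established to $server:$port\n";
    $smtp->quit;
}
```

The dry run prints the resolved options for each configuration value and the error for a path that exists as neither file nor directory; note that with the unset value no SSL_ca_* key appears, which is exactly the case where IO::Socket::SSL falls back to its builtin defaults as the documentation cited above describes.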
Thread overview (32+ messages):
2013-07-05 12:05 [PATCH v2 0/2] Squelch warning from send-email Ramkumar Ramachandra
2013-07-05 12:05 ` [PATCH v2 1/2] send-email: squelch warning from Net::SMTP::SSL Ramkumar Ramachandra
2013-07-06 14:28 ` Torsten Bögershausen
2013-07-06 14:32 ` brian m. carlson
2013-07-06 15:49 ` Torsten Bögershausen
2013-07-14 13:49 ` Ramkumar Ramachandra
2013-07-14 17:03 ` brian m. carlson
2013-07-14 21:49 ` Ramkumar Ramachandra
2013-07-15 3:07 ` Torsten Bögershausen
2013-07-15 4:15 ` Junio C Hamano
2013-07-16 0:15 ` [PATCH] send-email: improve SSL certificate verification brian m. carlson
2013-07-16 2:33 ` Torsten Bögershausen
2013-07-16 2:35 ` brian m. carlson
2013-07-18 16:53 ` Re* " Junio C Hamano
2013-07-18 17:36 ` Ramkumar Ramachandra
2013-07-05 12:05 ` [PATCH v2 2/2] send-email: introduce sendemail.smtpsslcertpath Ramkumar Ramachandra
2013-07-05 12:33 ` Eric Sunshine
2013-07-05 12:36 ` Ramkumar Ramachandra
2013-07-05 12:45 ` brian m. carlson
2013-07-05 12:53 ` Ramkumar Ramachandra
2013-07-05 13:01 ` brian m. carlson
2013-07-05 17:20 ` Junio C Hamano
2013-07-05 17:47 ` John Keeping
2013-07-05 18:30 ` Junio C Hamano
2013-07-05 18:43 ` John Keeping [this message]
2013-07-06 6:25 ` Junio C Hamano
2013-07-06 11:46 ` John Keeping
2013-07-07 4:12 ` Junio C Hamano
2013-07-07 9:02 ` John Keeping
2013-07-05 20:29 ` brian m. carlson
2013-07-07 5:54 ` Jeff King
2013-07-07 10:01 ` Junio C Hamano