From: Junio C Hamano <gitster@pobox.com>
To: Barbu Paul - Gheorghe <barbu.paul.gheorghe@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] git-imap-send.txt: remove the use of sslverify=false in GMail example
Date: Wed, 10 Apr 2013 11:44:03 -0700
Message-ID: <7vmwt6mdjg.fsf@alter.siamese.dyndns.org>
In-Reply-To: <51657E59.7030001@gmail.com> (Barbu Paul's message of "Wed, 10 Apr 2013 17:59:37 +0300")

Barbu Paul - Gheorghe <barbu.paul.gheorghe@gmail.com> writes:

> Since GMail is SSL capable there is no need to set sslverify to false, the
> example using it may confuse readers that it's needed since it's also used in
> the previous example configurations, too
>
> Signed-off-by: Barbu Paul - Gheorghe <barbu.paul.gheorghe@gmail.com>
> ---

Thanks.

While removing that item from the configuration is a good thing to
do in the post 1.8.2.1 era, the reason why it is does not have much
to do with "GMail is SSL capable".

The configuration item is not about "Do we connect over SSL when
talking to this host?", but is about "When we use SSL with this
host, do we verify the certificate it gave us?".

The reason why we can run with sslverify=true against gmail is
because we know imap.gmail.com gives a validly signed certificate
that leads all the way to a root CA the user's OpenSSL installation
is likely to trust (if your hand-rolled imap-over-ssl server uses a
snakeoil certificate, even though the server may be "SSL capable",
you may not be able to successfully connect to it without sslverify
turned off).

Side note. Before 1.8.2 and/or 1.8.1.4, git-imap-send did not
implement sslverify correctly; CVE-2013-0308 was inherited from its
origin "isync", where it _did_ verify the certificate is valid, but
did not make sure the certificate was for the host it thought it was
talking with.

Also note that 1.8.2.1 and/or 1.8.1.6 were the first versions that
support Server Name Identification (RFC4366). Connection with older
versions of git-imap-send over SSL to hosts like googlemail.com that
multi-home different SSL hosts can receive a valid certificate for
another host that sits at the same IP address, which will lead
the sslverify check to fail.

> Documentation/git-imap-send.txt | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/Documentation/git-imap-send.txt b/Documentation/git-imap-send.txt
> index 875d283..b15dffe 100644
> --- a/Documentation/git-imap-send.txt
> +++ b/Documentation/git-imap-send.txt
> @@ -123,7 +123,6 @@ to specify your account settings:
> host = imaps://imap.gmail.com
> user = user@gmail.com
> port = 993
> - sslverify = false
> ---------
> You might need to instead use: folder = "[Google Mail]/Drafts" if you get an error
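
Review bot: The `- sslverify = false` removal covers only the GMail example, while the log message says the same setting is "also used in the previous example configurations"; either explain in the log why those examples keep it or handle them in the same patch. The log message should also justify the removal in terms of what the key controls, because with `host = imaps://imap.gmail.com` and `port = 993` the connection uses SSL whether or not this line is present.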
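
The two separate checks described in the reply above (is the chain trusted, and is the certificate for the host we meant to reach), as an added example that is not code from git or isync. The function names, the simplified wildcard rule and the sample names are assumptions constructed for illustration; `chain_ok` stands in for the result a TLS library reports after chain validation.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Hypothetical helper: does one certificate name cover the intended host?
 * Simplified rule: "*." is honoured only as the whole left-most label
 * and stands for exactly one label. */
static int name_covers_host(const char *cert_name, const char *host)
{
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (!dot || dot == host)
            return 0;                 /* no first label to substitute */
        return eq_nocase(cert_name + 1, dot);
    }
    return eq_nocase(cert_name, host);
}

/* Accept the peer only if the chain is trusted AND some certificate name
 * matches the host the client asked for. Stopping after chain_ok is the
 * behaviour the side note describes for the older versions. */
int verify_peer(int chain_ok, const char *const *names, size_t n, const char *host)
{
    size_t i;
    if (!chain_ok)
        return 0;
    for (i = 0; i < n; i++)
        if (name_covers_host(names[i], host))
            return 1;
    return 0;
}

/* Constructed sample certificates (lists of DNS names). */
static const char *const mail_cert[] = { "imap.mail.example", "*.mail.example" };
static const char *const other_cert[] = { "www.other.example" };

int main(void)
{
    printf("right cert: %d\n", verify_peer(1, mail_cert, 2, "imap.mail.example"));
    /* Valid chain, wrong host: also what a client sees when a multi-homed
     * server, given no server name, answers with a neighbour's certificate. */
    printf("other cert: %d\n", verify_peer(1, other_cert, 1, "imap.mail.example"));
    return 0;
}
```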