Enable strict TLS certificate checks by default

deltachat-ffi/deltachat.h

@@ -3793,9 +3793,10 @@ int64_t          dc_lot_get_timestamp     (const dc_lot_t* lot);
  */
 
 /**
- * Configure certificate checks automatically.
+ * Accept invalid certificates, including self-signed ones
+ * or having incorrect hostname.
  */
-#define DC_CERTCK_AUTO 0
+#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 0
 
 /**
  * Strictly check TLS certificates;
@@ -3803,12 +3804,6 @@ int64_t          dc_lot_get_timestamp     (const dc_lot_t* lot);
  */
 #define DC_CERTCK_STRICT 1
 
-/**
- * Accept invalid certificates, including self-signed ones
- * or having incorrect hostname.
- */
-#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 3
-
 /**
  * @}
  */

python/src/deltachat/const.py

@@ -68,9 +68,8 @@ DC_LP_IMAP_SOCKET_PLAIN = 0x400
 DC_LP_SMTP_SOCKET_STARTTLS = 0x10000
 DC_LP_SMTP_SOCKET_SSL = 0x20000
 DC_LP_SMTP_SOCKET_PLAIN = 0x40000
-DC_CERTCK_AUTO = 0
+DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 0
 DC_CERTCK_STRICT = 1
-DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 3
 DC_EMPTY_MVBOX = 0x01
 DC_EMPTY_INBOX = 0x02
 DC_EVENT_INFO = 100

src/login_param.rs

@@ -9,19 +9,21 @@ use crate::context::Context;
 #[repr(i32)]
 #[strum(serialize_all = "snake_case")]
 pub enum CertificateChecks {
-    Automatic = 0,
+    AcceptInvalidCertificates = 0,
     Strict = 1,
 
     /// Same as AcceptInvalidCertificates
     /// Previously known as AcceptInvalidHostnames, now deprecated.
     AcceptInvalidCertificates2 = 2,
 
-    AcceptInvalidCertificates = 3,
+    /// Same as AcceptInvalidCertificates
+    /// Deprecated.
+    AcceptInvalidCertificates3 = 3,
 }
 
 impl Default for CertificateChecks {
     fn default() -> Self {
-        Self::Automatic
+        Self::Strict
     }
 }
 
@@ -280,16 +282,8 @@ fn get_readable_flags(flags: i32) -> String {
 pub fn dc_build_tls(certificate_checks: CertificateChecks) -> async_native_tls::TlsConnector {
     let tls_builder = async_native_tls::TlsConnector::new();
     match certificate_checks {
-        CertificateChecks::Automatic => {
-            // Same as AcceptInvalidCertificates for now.
-            // TODO: use provider database when it becomes available
-            tls_builder
-                .danger_accept_invalid_hostnames(true)
-                .danger_accept_invalid_certs(true)
-        }
         CertificateChecks::Strict => tls_builder,
-        CertificateChecks::AcceptInvalidCertificates
+        _ => tls_builder
-        | CertificateChecks::AcceptInvalidCertificates2 => tls_builder
             .danger_accept_invalid_hostnames(true)
             .danger_accept_invalid_certs(true),
     }
@@ -303,6 +297,8 @@ mod tests {
     fn test_certificate_checks_display() {
         use std::string::ToString;
 
+        assert_eq!("strict".to_string(), CertificateChecks::Strict.to_string());
+
         assert_eq!(
             "accept_invalid_certificates".to_string(),
             CertificateChecks::AcceptInvalidCertificates.to_string()

src/provider/data.rs

@@ -177,6 +177,8 @@ lazy_static::lazy_static! {
             ConfigDefault { key: Config::MvboxMove, value: "0" },
             ConfigDefault { key: Config::E2eeEnabled, value: "0" },
             ConfigDefault { key: Config::MediaQuality, value: "1" },
+            ConfigDefault { key: Config::ImapCertificateChecks, value: "0" },
+            ConfigDefault { key: Config::SmtpCertificateChecks, value: "0" },
         ]),
     };