From 7f819de49f63c5ec3989d2dc47a3f84065ae2118 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sat, 4 Sep 2021 20:06:10 +0000
Subject: [PATCH] Always check certificate when connecting over SOCKS5 in Automatic mode

There is a real risk of an active attack when connecting to non-.onion servers over Tor, as bad Tor exit nodes are cheap to set up. It's probably not needed for .onion domains, but we don't make an exception for now.
---
 src/configure.rs | 4 +++-
 src/imap.rs | 6 +++++-
 src/smtp.rs | 3 ++-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/configure.rs b/src/configure.rs
index 97469ae0f..050abd030 100644
--- a/src/configure.rs
+++ b/src/configure.rs
@@ -319,7 +319,9 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
 .filter(|params| params.protocol == Protocol::Smtp)
 .cloned()
 .collect();
- let provider_strict_tls = param.provider.map_or(false, |provider| provider.strict_tls);
+ let provider_strict_tls = param
+ .provider
+ .map_or(socks5_config.is_some(), |provider| provider.strict_tls);
 
 let smtp_config_task = task::spawn(async move {
 let mut smtp_configured = false;
diff --git a/src/imap.rs b/src/imap.rs
index fe5b3cfe4..9a6112b41 100644
--- a/src/imap.rs
+++ b/src/imap.rs
@@ -228,7 +228,11 @@ impl Imap {
 param.socks5_config.clone(),
 ¶m.addr,
 param.server_flags & DC_LP_AUTH_OAUTH2 != 0,
- param.provider.map_or(false, |provider| provider.strict_tls),
+ param
+ .provider
+ .map_or(param.socks5_config.is_some(), |provider| {
+ provider.strict_tls
+ }),
 idle_interrupt,
 )
 .await?;
diff --git a/src/smtp.rs b/src/smtp.rs
index bf1ce1ca8..5f3c129d2 100644
--- a/src/smtp.rs
+++ b/src/smtp.rs
@@ -109,7 +109,8 @@ impl Smtp {
 &lp.socks5_config,
 &lp.addr,
 lp.server_flags & DC_LP_AUTH_OAUTH2 != 0,
- lp.provider.map_or(false, |provider| provider.strict_tls),
+ lp.provider
+ .map_or(lp.socks5_config.is_some(), |provider| provider.strict_tls),
 )
 .await
 }
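Review bot: In the `provider_strict_tls` assignment, `map_or(socks5_config.is_some(), …)` uses the SOCKS5 check only as the fallback for a missing provider, so a known provider whose `strict_tls` is false still gets non-strict certificate handling over SOCKS5. That does not match the "always" in the commit title, and the exit-node risk described in the message applies to those providers as well. If the exception is not intended, combine the two conditions instead: `let provider_strict_tls = socks5_config.is_some() || param.provider.map_or(false, |provider| provider.strict_tls);`. The src/imap.rs and src/smtp.rs hunks use the same `map_or` form and would need the same change. `socks5_config` is bound outside this hunk, so it is worth confirming that it carries the same setting as the `param.socks5_config` and `lp.socks5_config` fields read in the other two files.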
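Review bot: The strict-TLS decision is now spelled out three times (this argument, `provider_strict_tls` in src/configure.rs, and the matching argument in src/smtp.rs) and is passed as an unlabelled positional boolean, so a later policy change can miss one call site and silently leave one protocol with weaker certificate checking. Consider computing it once in a small helper on the login parameter type and calling that from all three places. Failing that, a comment above the argument would record the intent, for example `// Strict TLS: provider policy, or forced when connecting through SOCKS5 (exit node may be hostile).`. The call this argument belongs to begins outside the hunk, so the parameter's role is inferred from the `strict_tls` field it is built from.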