From ec441b16f186dc9bf0092d13960d5a5ebe34484e Mon Sep 17 00:00:00 2001
From: bjoern
Date: Sat, 6 Jun 2020 15:38:51 +0200
Subject: [PATCH] Revert "Enable strict TLS certificate checks by default"

This reverts commit 6d9ff3d2488aac98b3c39814cb2ed2fad7936f22.
---
 deltachat-ffi/deltachat.h | 11 ++++++++---
 python/src/deltachat/const.py | 3 ++-
 src/login_param.rs | 20 ++++++++++++--------
 src/provider/data.rs | 2 --
 4 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/deltachat-ffi/deltachat.h b/deltachat-ffi/deltachat.h
index 8159e87d5..560154134 100644
--- a/deltachat-ffi/deltachat.h
+++ b/deltachat-ffi/deltachat.h
@@ -3793,10 +3793,9 @@ int64_t dc_lot_get_timestamp (const dc_lot_t* lot);
 */
 /**
- * Accept invalid certificates, including self-signed ones
- * or having incorrect hostname.
+ * Configure certificate checks automatically.
 */
-#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 0
+#define DC_CERTCK_AUTO 0
 /**
 * Strictly check TLS certificates;
@@ -3804,6 +3803,12 @@ int64_t dc_lot_get_timestamp (const dc_lot_t* lot);
 */
 #define DC_CERTCK_STRICT 1
+/**
+ * Accept invalid certificates, including self-signed ones
+ * or having incorrect hostname.
+ */
+#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 3
+
 /**
 * @}
 */
diff --git a/python/src/deltachat/const.py b/python/src/deltachat/const.py
index 45a95a3e0..20139ef44 100644
--- a/python/src/deltachat/const.py
+++ b/python/src/deltachat/const.py
@@ -68,8 +68,9 @@ DC_LP_IMAP_SOCKET_PLAIN = 0x400
 DC_LP_SMTP_SOCKET_STARTTLS = 0x10000
 DC_LP_SMTP_SOCKET_SSL = 0x20000
 DC_LP_SMTP_SOCKET_PLAIN = 0x40000
-DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 0
+DC_CERTCK_AUTO = 0
 DC_CERTCK_STRICT = 1
+DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 3
 DC_EMPTY_MVBOX = 0x01
 DC_EMPTY_INBOX = 0x02
 DC_EVENT_INFO = 100
diff --git a/src/login_param.rs b/src/login_param.rs
index d7d9a9647..7309a90ad 100644
--- a/src/login_param.rs
+++ b/src/login_param.rs
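Review bot: The comment on `DC_CERTCK_AUTO` says only "Configure certificate checks automatically", which does not tell an API user what the value 0 does today. In this same patch the Rust enum gives 0 to `Automatic`, and `dc_build_tls` in src/login_param.rs builds a connector with certificate and hostname validation switched off for it, so the header should say that, for example `* Currently the same as DC_CERTCK_ACCEPT_INVALID_CERTIFICATES: no certificate or hostname validation.` The second hunk of this file moves `DC_CERTCK_ACCEPT_INVALID_CERTIFICATES` from 0 to 3; whether callers that stored or compiled in the old value are affected cannot be told from here, so a changelog line is worth adding.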
@@ -9,21 +9,19 @@ use crate::context::Context;
 #[repr(i32)]
 #[strum(serialize_all = "snake_case")]
 pub enum CertificateChecks {
- AcceptInvalidCertificates = 0,
+ Automatic = 0,
 Strict = 1,
 /// Same as AcceptInvalidCertificates
 /// Previously known as AcceptInvalidHostnames, now deprecated.
 AcceptInvalidCertificates2 = 2,
- /// Same as AcceptInvalidCertificates
- /// Deprecated.
- AcceptInvalidCertificates3 = 3,
+ AcceptInvalidCertificates = 3,
 }
 impl Default for CertificateChecks {
 fn default() -> Self {
- Self::Strict
+ Self::Automatic
 }
 }
@@ -282,8 +280,16 @@ fn get_readable_flags(flags: i32) -> String {
 pub fn dc_build_tls(certificate_checks: CertificateChecks) -> async_native_tls::TlsConnector {
 let tls_builder = async_native_tls::TlsConnector::new();
 match certificate_checks {
+ CertificateChecks::Automatic => {
+ // Same as AcceptInvalidCertificates for now.
+ // TODO: use provider database when it becomes available
+ tls_builder
+ .danger_accept_invalid_hostnames(true)
+ .danger_accept_invalid_certs(true)
+ }
 CertificateChecks::Strict => tls_builder,
- _ => tls_builder
+ CertificateChecks::AcceptInvalidCertificates
+ | CertificateChecks::AcceptInvalidCertificates2 => tls_builder
 .danger_accept_invalid_hostnames(true)
 .danger_accept_invalid_certs(true),
 }
@@ -297,8 +303,6 @@ mod tests {
 fn test_certificate_checks_display() {
 use std::string::ToString;
- assert_eq!("strict".to_string(), CertificateChecks::Strict.to_string());
-
 assert_eq!(
 "accept_invalid_certificates".to_string(),
 CertificateChecks::AcceptInvalidCertificates.to_string()
diff --git a/src/provider/data.rs b/src/provider/data.rs
index 83e078695..3f5fbb058 100644
--- a/src/provider/data.rs
+++ b/src/provider/data.rs
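Review bot: `Automatic` is introduced without a doc comment and becomes the `Default`, so any account that never sets a certificate-check option gets whatever `Automatic` happens to mean. Per the `dc_build_tls` hunk further down in this file, that currently means no chain and no hostname verification, which presumably leaves the mail connections built from it open to interception on an untrusted network. I would state this on the variant, e.g. `/// Currently behaves like AcceptInvalidCertificates: no chain or hostname verification (see dc_build_tls).`, and repeat it in a one-line comment inside `default()`. The enum's derive line sits above the hunk and is not visible here.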
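Review bot: Nothing at the call boundary shows that the new `Automatic` arm has switched validation off, since every arm returns a plain `TlsConnector`. `dc_build_tls` takes only the enum (per the signature shown), so it cannot log by itself; the arm's comment should at least name the consequence and leave the logging to the callers, which are outside this hunk: `// No chain or hostname verification; callers should log when connecting with anything but Strict.` The TODO would also be easier to follow up if it carried an issue reference.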
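Review bot: The display test loses its `Strict` assertion and gains none for `Automatic`, so the serialized names of the strict mode and of the new default are both left unpinned. I would keep the removed `"strict"` line and add `assert_eq!("automatic".to_string(), CertificateChecks::Automatic.to_string());`. The expected string assumes the `snake_case` strum attribute shown in the first hunk of this file governs `Display`. The test function continues past the end of the hunk.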
@@ -177,8 +177,6 @@ lazy_static::lazy_static! {
 ConfigDefault { key: Config::MvboxMove, value: "0" },
 ConfigDefault { key: Config::E2eeEnabled, value: "0" },
 ConfigDefault { key: Config::MediaQuality, value: "1" },
- ConfigDefault { key: Config::ImapCertificateChecks, value: "0" },
- ConfigDefault { key: Config::SmtpCertificateChecks, value: "0" },
 ]),
 };