Revert "Enable strict TLS certificate checks by default"

This reverts commit 6d9ff3d248.

deltachat-ffi/deltachat.h

@@ -3793,10 +3793,9 @@ int64_t          dc_lot_get_timestamp     (const dc_lot_t* lot);
  */
 
 /**
- * Accept invalid certificates, including self-signed ones
+ * Configure certificate checks automatically.
- * or having incorrect hostname.
  */
-#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 0
+#define DC_CERTCK_AUTO 0
 
 /**
  * Strictly check TLS certificates;
@@ -3804,6 +3803,12 @@ int64_t          dc_lot_get_timestamp     (const dc_lot_t* lot);
  */
 #define DC_CERTCK_STRICT 1
 
+/**
+ * Accept invalid certificates, including self-signed ones
+ * or having incorrect hostname.
+ */
+#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 3
+
 /**
  * @}
  */

python/src/deltachat/const.py

@@ -68,8 +68,9 @@ DC_LP_IMAP_SOCKET_PLAIN = 0x400
 DC_LP_SMTP_SOCKET_STARTTLS = 0x10000
 DC_LP_SMTP_SOCKET_SSL = 0x20000
 DC_LP_SMTP_SOCKET_PLAIN = 0x40000
-DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 0
+DC_CERTCK_AUTO = 0
 DC_CERTCK_STRICT = 1
+DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 3
 DC_EMPTY_MVBOX = 0x01
 DC_EMPTY_INBOX = 0x02
 DC_EVENT_INFO = 100

src/login_param.rs

@@ -9,21 +9,19 @@ use crate::context::Context;
 #[repr(i32)]
 #[strum(serialize_all = "snake_case")]
 pub enum CertificateChecks {
-    AcceptInvalidCertificates = 0,
+    Automatic = 0,
     Strict = 1,
 
     /// Same as AcceptInvalidCertificates
     /// Previously known as AcceptInvalidHostnames, now deprecated.
     AcceptInvalidCertificates2 = 2,
 
-    /// Same as AcceptInvalidCertificates
+    AcceptInvalidCertificates = 3,
-    /// Deprecated.
-    AcceptInvalidCertificates3 = 3,
 }
 
 impl Default for CertificateChecks {
     fn default() -> Self {
-        Self::Strict
+        Self::Automatic
     }
 }
 
@@ -282,8 +280,16 @@ fn get_readable_flags(flags: i32) -> String {
 pub fn dc_build_tls(certificate_checks: CertificateChecks) -> async_native_tls::TlsConnector {
     let tls_builder = async_native_tls::TlsConnector::new();
     match certificate_checks {
+        CertificateChecks::Automatic => {
+            // Same as AcceptInvalidCertificates for now.
+            // TODO: use provider database when it becomes available
+            tls_builder
+                .danger_accept_invalid_hostnames(true)
+                .danger_accept_invalid_certs(true)
+        }
         CertificateChecks::Strict => tls_builder,
-        _ => tls_builder
+        CertificateChecks::AcceptInvalidCertificates
+        | CertificateChecks::AcceptInvalidCertificates2 => tls_builder
             .danger_accept_invalid_hostnames(true)
             .danger_accept_invalid_certs(true),
     }
@@ -297,8 +303,6 @@ mod tests {
     fn test_certificate_checks_display() {
         use std::string::ToString;
 
-        assert_eq!("strict".to_string(), CertificateChecks::Strict.to_string());
-
         assert_eq!(
             "accept_invalid_certificates".to_string(),
             CertificateChecks::AcceptInvalidCertificates.to_string()

src/provider/data.rs

@@ -177,8 +177,6 @@ lazy_static::lazy_static! {
             ConfigDefault { key: Config::MvboxMove, value: "0" },
             ConfigDefault { key: Config::E2eeEnabled, value: "0" },
             ConfigDefault { key: Config::MediaQuality, value: "1" },
-            ConfigDefault { key: Config::ImapCertificateChecks, value: "0" },
-            ConfigDefault { key: Config::SmtpCertificateChecks, value: "0" },
         ]),
     };