Revert "Enable strict TLS certificate checks by default"

This reverts commit 6d9ff3d248.
2026-04-17 21:46:35 +03:00 · 2020-06-06 15:38:51 +02:00
parent 5239f2edad
commit ec441b16f1
4 changed files with 22 additions and 14 deletions
--- a/deltachat-ffi/deltachat.h
+++ b/deltachat-ffi/deltachat.h
@@ -3793,10 +3793,9 @@ int64_t          dc_lot_get_timestamp     (const dc_lot_t* lot);
 */

 /**
- * Accept invalid certificates, including self-signed ones
- * or having incorrect hostname.
+ * Configure certificate checks automatically.
 */
-#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 0
+#define DC_CERTCK_AUTO 0

 /**
 * Strictly check TLS certificates;
@@ -3804,6 +3803,12 @@ int64_t          dc_lot_get_timestamp     (const dc_lot_t* lot);
 */
 #define DC_CERTCK_STRICT 1

+/**
+ * Accept invalid certificates, including self-signed ones
+ * or having incorrect hostname.
+ */
+#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 3
+
 /**
 * @}
 */
--- a/python/src/deltachat/const.py
+++ b/python/src/deltachat/const.py
@@ -68,8 +68,9 @@ DC_LP_IMAP_SOCKET_PLAIN = 0x400
 DC_LP_SMTP_SOCKET_STARTTLS = 0x10000
 DC_LP_SMTP_SOCKET_SSL = 0x20000
 DC_LP_SMTP_SOCKET_PLAIN = 0x40000
-DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 0
+DC_CERTCK_AUTO = 0
 DC_CERTCK_STRICT = 1
+DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 3
 DC_EMPTY_MVBOX = 0x01
 DC_EMPTY_INBOX = 0x02
 DC_EVENT_INFO = 100
--- a/src/login_param.rs
+++ b/src/login_param.rs
@@ -9,21 +9,19 @@ use crate::context::Context;
 #[repr(i32)]
 #[strum(serialize_all = "snake_case")]
 pub enum CertificateChecks {
-    AcceptInvalidCertificates = 0,
+    Automatic = 0,
    Strict = 1,

    /// Same as AcceptInvalidCertificates
    /// Previously known as AcceptInvalidHostnames, now deprecated.
    AcceptInvalidCertificates2 = 2,

-    /// Same as AcceptInvalidCertificates
-    /// Deprecated.
-    AcceptInvalidCertificates3 = 3,
+    AcceptInvalidCertificates = 3,
 }

 impl Default for CertificateChecks {
    fn default() -> Self {
-        Self::Strict
+        Self::Automatic
    }
 }

@@ -282,8 +280,16 @@ fn get_readable_flags(flags: i32) -> String {
 pub fn dc_build_tls(certificate_checks: CertificateChecks) -> async_native_tls::TlsConnector {
    let tls_builder = async_native_tls::TlsConnector::new();
    match certificate_checks {
+        CertificateChecks::Automatic => {
+            // Same as AcceptInvalidCertificates for now.
+            // TODO: use provider database when it becomes available
+            tls_builder
+                .danger_accept_invalid_hostnames(true)
+                .danger_accept_invalid_certs(true)
+        }
        CertificateChecks::Strict => tls_builder,
-        _ => tls_builder
+        CertificateChecks::AcceptInvalidCertificates
+        | CertificateChecks::AcceptInvalidCertificates2 => tls_builder
            .danger_accept_invalid_hostnames(true)
            .danger_accept_invalid_certs(true),
    }
@@ -297,8 +303,6 @@ mod tests {
    fn test_certificate_checks_display() {
        use std::string::ToString;

-        assert_eq!("strict".to_string(), CertificateChecks::Strict.to_string());
-
        assert_eq!(
            "accept_invalid_certificates".to_string(),
            CertificateChecks::AcceptInvalidCertificates.to_string()
--- a/src/provider/data.rs
+++ b/src/provider/data.rs
@@ -177,8 +177,6 @@ lazy_static::lazy_static! {
            ConfigDefault { key: Config::MvboxMove, value: "0" },
            ConfigDefault { key: Config::E2eeEnabled, value: "0" },
            ConfigDefault { key: Config::MediaQuality, value: "1" },
-            ConfigDefault { key: Config::ImapCertificateChecks, value: "0" },
-            ConfigDefault { key: Config::SmtpCertificateChecks, value: "0" },
        ]),
    };