Feature #41738
closed
Allow IMAP4 email receiving to skip SSL certificate verification with `ssl=force` option
0%
Description
I get
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=10.19.1.103:993 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
This change works:
imap = Net::IMAP.new(host, port: port, ssl: { :verify_mode => OpenSSL::SSL::VERIFY_NONE })
Perhabs it will fix #38253, too.
Files
Related issues
Updated by Grischa Zengel 12 months ago
In my case debug was very useful:
debug_client = Net::IMAP.new(hostname, debug: true)
Here are some more options:
# ==== Options
#
# Accepts the following options:
#
# [port]
# Port number. Defaults to 993 when +ssl+ is truthy, and 143 otherwise.
#
# [ssl]
# If +true+, the connection will use TLS with the default params set by
# {OpenSSL::SSL::SSLContext#set_params}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-set_params].
# If +ssl+ is a hash, it's passed to
# {OpenSSL::SSL::SSLContext#set_params}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-set_params];
# the keys are names of attribute assignment methods on
# SSLContext[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html]. For example:
#
# [{ca_file}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#attribute-i-ca_file]]
# The path to a file containing a PEM-format CA certificate.
# [{ca_path}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#attribute-i-ca_path]]
# The path to a directory containing CA certificates in PEM format.
# [{min_version}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-min_version-3D]]
# Sets the lower bound on the supported SSL/TLS protocol version. Set to
# an +OpenSSL+ constant such as +OpenSSL::SSL::TLS1_2_VERSION+,
# [{verify_mode}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#attribute-i-verify_mode]]
# SSL session verification mode. Valid modes include
# +OpenSSL::SSL::VERIFY_PEER+ and +OpenSSL::SSL::VERIFY_NONE+.
#
# See {OpenSSL::SSL::SSLContext}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html] for other valid SSL context params.
#
# See DeprecatedClientOptions.new for deprecated SSL arguments.
#
# [config]
# A Net::IMAP::Config object to use as the basis for #config. By default,
# the global Net::IMAP.config is used.
#
# >>>
# *NOTE:* +config+ does not set #config directly---it sets the _parent_
# config for inheritance. Every client creates its own unique #config.
#
# All other keyword arguments are forwarded to Net::IMAP::Config.new, to
# initialize the client's #config. For example:
#
# [{open_timeout}[rdoc-ref:Config#open_timeout]]
# Seconds to wait until a connection is opened
# [{idle_response_timeout}[rdoc-ref:Config#idle_response_timeout]]
# Seconds to wait until an IDLE response is received
#
# See Net::IMAP::Config for other valid options.
Updated by Go MAEDA 12 months ago
After reading lib/redmine/pop3.rb, I found that specifying ssl=force for receiving emails via POP3 allows skipping certificate verification. However, despite being available for POP3, this option cannot be set for IMAP4, which lacks consistency. The same option should be available for IMAP4 as well.
source:tags/6.0.1/lib/redmine/pop3.rb#L25
def check(pop_options={}, options={})
if pop_options[:ssl]
ssl = true
if pop_options[:ssl] == 'force'
Net::POP3.enable_ssl(OpenSSL::SSL::VERIFY_NONE)
else
Net::POP3.enable_ssl(OpenSSL::SSL::VERIFY_PEER)
end
else
ssl = false
end
Updated by Grischa Zengel 11 months ago
It's a good solution. Why not putting it on next release?
Updated by Go MAEDA 11 months ago
- Related to Feature #16707: Integrate support of SSL for POP3 incoming emails added
Updated by Go MAEDA 11 months ago
- File 41738.patch 41738.patch added
The attached patch introduces support for the ssl=force option, which allows skipping SSL certificate verification. This change ensures consistency with lib/redmine/pop3.rb.
Updated by Go MAEDA 11 months ago
- File 41738-update-description.patch 41738-update-description.patch added
- Target version changed from Candidate for next major release to 6.1.0
This additional patch updates the task descriptions for redmine:email:receive_imap and redmine:email:receive_pop3 rake tasks to clarify that setting ssl=force disables server certificate verification.
Setting the target version to 6.1.0.
Updated by Go MAEDA 11 months ago
- Related to Defect #38253: Cannot read e-mails fo creating tickets added
Updated by Go MAEDA 11 months ago
- Related to Feature #19324: SSL/TLS certificate verification fails on receive_imap added
Updated by Go MAEDA 10 months ago
- Subject changed from IMAP receive: option to ignore certificate to Allow IMAP4 email receiving to skip SSL certificate verification with `ssl=force` option
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the change in r23415.
The rake task redmine:email:receive_imap now supports the ssl=force option to skip server certificate verification, just like redmine:email:receive_pop3.