Project

General

Profile

Actions

Feature #41738

open

IMAP receive: option to ignore certificate

Added by Grischa Zengel 11 days ago. Updated 4 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

I get

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=10.19.1.103:993 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

This change works:
imap = Net::IMAP.new(host, port: port, ssl: { :verify_mode => OpenSSL::SSL::VERIFY_NONE })

Perhabs it will fix #38253, too.

Actions #1

Updated by Grischa Zengel 11 days ago

In my case debug was very useful:

debug_client = Net::IMAP.new(hostname, debug: true)

Here are some more options:

    # ==== Options
    #
    # Accepts the following options:
    #
    # [port]
    #   Port number.  Defaults to 993 when +ssl+ is truthy, and 143 otherwise.
    #
    # [ssl]
    #   If +true+, the connection will use TLS with the default params set by
    #   {OpenSSL::SSL::SSLContext#set_params}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-set_params].
    #   If +ssl+ is a hash, it's passed to
    #   {OpenSSL::SSL::SSLContext#set_params}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-set_params];
    #   the keys are names of attribute assignment methods on
    #   SSLContext[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html].  For example:
    #
    #   [{ca_file}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#attribute-i-ca_file]]
    #     The path to a file containing a PEM-format CA certificate.
    #   [{ca_path}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#attribute-i-ca_path]]
    #     The path to a directory containing CA certificates in PEM format.
    #   [{min_version}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-min_version-3D]]
    #     Sets the lower bound on the supported SSL/TLS protocol version. Set to
    #     an +OpenSSL+ constant such as +OpenSSL::SSL::TLS1_2_VERSION+,
    #   [{verify_mode}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#attribute-i-verify_mode]]
    #     SSL session verification mode.  Valid modes include
    #     +OpenSSL::SSL::VERIFY_PEER+ and +OpenSSL::SSL::VERIFY_NONE+.
    #
    #   See {OpenSSL::SSL::SSLContext}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html] for other valid SSL context params.
    #
    #   See DeprecatedClientOptions.new for deprecated SSL arguments.
    #
    # [config]
    #   A Net::IMAP::Config object to use as the basis for #config.  By default,
    #   the global Net::IMAP.config is used.
    #
    #   >>>
    #     *NOTE:* +config+ does not set #config directly---it sets the _parent_
    #     config for inheritance.  Every client creates its own unique #config.
    #
    #   All other keyword arguments are forwarded to Net::IMAP::Config.new, to
    #   initialize the client's #config. For example:
    #
    #   [{open_timeout}[rdoc-ref:Config#open_timeout]]
    #     Seconds to wait until a connection is opened
    #   [{idle_response_timeout}[rdoc-ref:Config#idle_response_timeout]]
    #     Seconds to wait until an IDLE response is received
    #
    #   See Net::IMAP::Config for other valid options.
Actions #2

Updated by Go MAEDA 10 days ago

After reading lib/redmine/pop3.rb, I found that specifying ssl=force for receiving emails via POP3 allows skipping certificate verification. However, despite being available for POP3, this option cannot be set for IMAP4, which lacks consistency. The same option should be available for IMAP4 as well.

source:tags/6.0.1/lib/redmine/pop3.rb#L25

      def check(pop_options={}, options={})
        if pop_options[:ssl]
          ssl = true
          if pop_options[:ssl] == 'force'
            Net::POP3.enable_ssl(OpenSSL::SSL::VERIFY_NONE)
          else
            Net::POP3.enable_ssl(OpenSSL::SSL::VERIFY_PEER)
          end
        else
          ssl = false
        end

Actions #3

Updated by Go MAEDA 10 days ago

  • Tracker changed from Defect to Feature
  • Affected version deleted (6.0.1)
Actions #4

Updated by Grischa Zengel 4 days ago

It's a good solution. Why not putting it on next release?

Actions

Also available in: Atom PDF