Mercurial > hg
comparison mercurial/help/config.txt @ 29285:63a3749147af
mail: unsupport smtp.verifycert (BC)
smtp.verifycert was accidentally broken by cca59ef27e60. And,
I believe the "loose" value has been broken for longer than that.
The current code refuses to talk to a remote server unless the
CA is trusted or the fingerprint is validated. In other words,
we lost the ability for smtp.verifycert to lower/disable security.
There are special considerations for smtp.verifycert in
sslutil.validatesocket() (the "strict" argument). This violates
the direction sslutil is evolving towards, which has all security
options determined at wrapsocket() time and a unified code path and
configs for determining security options.
Since smtp.verifycert is broken and since we'll soon have new
security defaults and new mechanisms for controlling host security,
this patch formally deprecates smtp.verifycert. With this patch,
the socket security code in mail.py now effectively mirrors code
in url.py and other places we're doing socket security.
For the record, removing smtp.verifycert because it was accidentally
broken is a poor excuse to remove it. However, I would have done this
anyway because smtp.verifycert is a one-off likely used by few people
(users of the patchbomb extension) and I don't think the existence
of this seldom-used one-off in security code can be justified,
especially when you consider that better mechanisms are right around
the corner.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sat, 04 Jun 2016 11:13:28 -0700 |
| parents | f0ccb6cde3e5 |
| children | ecc9b788fd69 |
comparison
equal
deleted
inserted
replaced
| 29284:1c7167009936 | 29285:63a3749147af |
|---|---|
| 1484 | 1484 |
| 1485 ``tls`` | 1485 ``tls`` |
| 1486 Optional. Method to enable TLS when connecting to mail server: starttls, | 1486 Optional. Method to enable TLS when connecting to mail server: starttls, |
| 1487 smtps or none. (default: none) | 1487 smtps or none. (default: none) |
| 1488 | 1488 |
| 1489 ``verifycert`` | |
| 1490 Optional. Verification for the certificate of mail server, when | |
| 1491 ``tls`` is starttls or smtps. "strict", "loose" or False. For | |
| 1492 "strict" or "loose", the certificate is verified as same as the | |
| 1493 verification for HTTPS connections (see ``[hostfingerprints]`` and | |
| 1494 ``[web] cacerts`` also). For "strict", sending email is also | |
| 1495 aborted, if there is no configuration for mail server in | |
| 1496 ``[hostfingerprints]`` and ``[web] cacerts``. --insecure for | |
| 1497 :hg:`email` overwrites this as "loose". (default: strict) | |
| 1498 | |
| 1499 ``username`` | 1489 ``username`` |
| 1500 Optional. User name for authenticating with the SMTP server. | 1490 Optional. User name for authenticating with the SMTP server. |
| 1501 (default: None) | 1491 (default: None) |
| 1502 | 1492 |
| 1503 ``password`` | 1493 ``password`` |