Re: [PATCH] git-imap-send.txt: remove the use of sslverify=false in GMail example
On Thu, Apr 11, 2013 at 06:55:03PM +0300, Barbu Paul - Gheorghe wrote: Should I create a new patch removing them all? Sounds like a good idea to me. And update the commit message with Junio's suggestions. Regards Simon -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9 -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] git-imap-send.txt: remove the use of sslverify=false in GMail example
On 04/10/2013 09:44 PM, Junio C Hamano wrote: Thanks. My pleasure. While removing that item from the configuration is a good thing to do in the post 1.8.2.1 era, the reason why it is does not have much to do with GMail is SSL capable. Should I change the commit message in order to avoid confusion among devs that read it? The configuration item is not about Do we connect over SSL when talking to this host?, but is about When we use SSL with this host, do we verify the certificate it gave us?. If I change it, how should it sound? It could be: Since GMail's certificates can be sslverify-ed there is no need to set sslverify to false, the example using it may confuse readers that it's needed since it's also used in the previous example configurations, too. Have a nice day! -- Barbu Paul - Gheorghe Common sense is not so common - Voltaire Visit My GitHub profile to see my open-source projects - https://github.com/paullik -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] git-imap-send.txt: remove the use of sslverify=false in GMail example
On Wed, Apr 10, 2013 at 11:44:03AM -0700, Junio C Hamano wrote: The reason why we can run with sslverify=true against gmail is because we know imap.gmail.com gives a validly signed certificate that leads all the way to a root CA the user's OpenSSL installation is likely to trust (if your hand-rolled imap-over-ssl server uses a snakeoil certificate, even though the server may be SSL capable, you may not be able to successfully connect to it without sslverify turned off). Maybe imap-send should learn imap.sslCAInfo and imap.sslCAPath like http.* to handle custom certificates. diff --git a/Documentation/git-imap-send.txt b/Documentation/git-imap-send.txt index 875d283..b15dffe 100644 --- a/Documentation/git-imap-send.txt +++ b/Documentation/git-imap-send.txt @@ -123,7 +123,6 @@ to specify your account settings: host = imaps://imap.gmail.com user = u...@gmail.com port = 993 -sslverify = false - You might need to instead use: folder = [Google Mail]/Drafts if you get an error I think we should remove sslverify = false from the other example as well. Recommending sslverify = false is IMHO a bad idea as SSL provides no protection without verification. Regards Simon -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9 -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] git-imap-send.txt: remove the use of sslverify=false in GMail example
On 04/11/2013 06:26 PM, Simon Ruderich wrote: I think we should remove sslverify = false from the other example as well. Recommending sslverify = false is IMHO a bad idea as SSL provides no protection without verification. Yep, that was why I thought there should be at least an example without it. Should I create a new patch removing them all? -- Barbu Paul - Gheorghe Common sense is not so common - Voltaire Visit My GitHub profile to see my open-source projects - https://github.com/paullik -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] git-imap-send.txt: remove the use of sslverify=false in GMail example
Since GMail is SSL capable there is no need to set sslverify to false, the example using it may confuse readers that it's needed since it's also used in the previous example configurations, too Signed-off-by: Barbu Paul - Gheorghe barbu.paul.gheor...@gmail.com --- Documentation/git-imap-send.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/Documentation/git-imap-send.txt b/Documentation/git-imap-send.txt index 875d283..b15dffe 100644 --- a/Documentation/git-imap-send.txt +++ b/Documentation/git-imap-send.txt @@ -123,7 +123,6 @@ to specify your account settings: host = imaps://imap.gmail.com user = u...@gmail.com port = 993 - sslverify = false - You might need to instead use: folder = [Google Mail]/Drafts if you get an error -- Barbu Paul - Gheorghe Common sense is not so common - Voltaire Visit My GitHub profile to see my open-source projects - https://github.com/paullik -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] git-imap-send.txt: remove the use of sslverify=false in GMail example
Barbu Paul - Gheorghe barbu.paul.gheor...@gmail.com writes: Since GMail is SSL capable there is no need to set sslverify to false, the example using it may confuse readers that it's needed since it's also used in the previous example configurations, too Signed-off-by: Barbu Paul - Gheorghe barbu.paul.gheor...@gmail.com --- Thanks. While removing that item from the configuration is a good thing to do in the post 1.8.2.1 era, the reason why it is does not have much to do with GMail is SSL capable. The configuration item is not about Do we connect over SSL when talking to this host?, but is about When we use SSL with this host, do we verify the certificate it gave us?. The reason why we can run with sslverify=true against gmail is because we know imap.gmail.com gives a validly signed certificate that leads all the way to a root CA the user's OpenSSL installation is likely to trust (if your hand-rolled imap-over-ssl server uses a snakeoil certificate, even though the server may be SSL capable, you may not be able to successfully connect to it without sslverify turned off). Side note. Before 1.8.2 and/or 1.8.1.4, git-imap-send did not implement sslverify correctly; CVS-2013-0308 was inherited from its origin isync, where it _did_ verify the certificate is valid, but did not make sure the certificate was for the host it thought it was talking with. Also note that 1.8.2.1 and/or 1.8.1.6 were the first versions that support Server Name Identification (RFC4366). Connection with older versions of git-imap-send over SSL to hosts like googlemail.com that multi-home different SSL hosts can receive a valid certificate for another host that sits at the same IP address, which will lead to the sslverify check to fail. Documentation/git-imap-send.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/Documentation/git-imap-send.txt b/Documentation/git-imap-send.txt index 875d283..b15dffe 100644 --- a/Documentation/git-imap-send.txt +++ b/Documentation/git-imap-send.txt @@ -123,7 +123,6 @@ to specify your account settings: host = imaps://imap.gmail.com user = u...@gmail.com port = 993 - sslverify = false - You might need to instead use: folder = [Google Mail]/Drafts if you get an error -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html