Python3.4 now uses system's CA to connect to SMTP via TLS

2014-06-16 19:34:59 +02:00 · 2014-06-16 19:34:59 +02:00 · f489ae63d6
commit f489ae63d6
parent 4a7830a96d
3 changed files with 14 additions and 7 deletions
--- a/docs/docs/configuration/server.rst
+++ b/docs/docs/configuration/server.rst
@ -183,9 +183,10 @@ port

 security
    use a secure connection to the server, possible values: *none*, *starttls*
-    or *ssl*. Note, that Python does not validate the server's certificate and
-    thus the connection is vulnerable to Man-in-the-Middle attacks. Therefore,
-    you should definitely use a dedicated SMTP account for Isso.
+    or *ssl*. Note, that there is no easy way for Python 2.7 and 3.3 to
+    implement certification validation and thus the connection is vulnerable to
+    Man-in-the-Middle attacks. You should definitely use a dedicated SMTP
+    account for Isso in that case.

 to
    recipient address, e.g. your email address
--- a/isso/ext/notifications.py
+++ b/isso/ext/notifications.py
@ -2,6 +2,7 @@

 from __future__ import unicode_literals

+import sys
 import io
 import time
 import json
@ -63,7 +64,11 @@ class SMTP(object):
                            timeout=self.conf.getint('timeout'))

        if self.conf.get('security') == 'starttls':
-            self.client.starttls();
+            if sys.version_info >= (3, 4):
+                import ssl
+                self.client.starttls(context=ssl.create_default_context())
+            else:
+                self.client.starttls()

        if self.conf.get('username') and self.conf.get('password'):
            self.client.login(self.conf.get('username'),
--- a/share/isso.conf
+++ b/share/isso.conf
@ -88,9 +88,10 @@ host = localhost
 port = 587

 # use a secure connection to the server, possible values: none, starttls or
-# ssl. Note, that Python does not validate the server's certificate and thus
-# the connection is vulnerable to Man-in-the-Middle attacks. Therefore, you
-# should definitely use a dedicated SMTP account for Isso.
+# ssl. Note, that there is no easy way for Python 2.7 and 3.3 to implement
+# certification validation and thus the connection is vulnerable to
+# Man-in-the-Middle attacks. You should definitely use a dedicated SMTP account
+# for Isso in that case.
 security = starttls

 # recipient address, e.g. your email address