SSL certification handling.

svn path=/trunk/; revision=3314

1 files changed, 26 insertions, 4 deletions

diff --git a/fetchmailconf b/fetchmailconf
index 8ec65603..ab4aa9de 100755
--- a/fetchmailconf
+++ b/fetchmailconf
@@ -238,6 +238,9 @@ class User:
         self.sslkey = None		# SSL key filename
         self.sslcert = None		# SSL certificate filename
         self.sslproto = None		# Force SSL?
+        self.sslcertck = 0		# Enable strict SSL cert checking
+	self.sslcertpath = None		# Path to trusted certificates
+	self.sslfingerprint = None	# SSL key fingerprint to check
         self.properties = None		# Extension properties
 	User.typemap = (
 	    ('remote',      'String'),
@@ -271,6 +274,9 @@ class User:
 	    ('ssl',         'Boolean'),
 	    ('sslkey',      'String'),
 	    ('sslcert',     'String'),
+	    ('sslcertck',   'Boolean'),
+	    ('sslcertpath', 'String'),
+	    ('sslfingerprint', 'String'),
             ('properties',  'String'))
 
     def __repr__(self):
@@ -331,8 +337,14 @@ class User:
 	    res = res + " sslkey " + `self.sslkey`
 	if self.sslcert and self.sslcert != UserDefaults.sslcert:
 	    res = res + " sslcert " + `self.sslcert`
-        if self.sslproto and self.sslcert != UserDefaults.sslproto:
-            res = res + " sslproto " + `self.sslcert`
+        if self.sslproto and self.sslproto != UserDefaults.sslproto:
+            res = res + " sslproto " + `self.sslproto`
+        if self.sslcertck and self.sslcertck != UserDefaults.sslcertck:
+            res = res +  flag2str(self.sslcertck, 'sslcertck')
+        if self.sslcertpath and self.sslcertpath != UserDefaults.sslcertpath:
+            res = res + " sslcertpath " + `self.sslcertpath`
+        if self.sslfingerprint and self.sslfingerprint != UserDefaults.sslfingerprint:
+            res = res + " sslfingerprint " + `self.sslfingerprint`
 	if self.expunge != UserDefaults.expunge:
 	    res = res + " expunge " + `self.expunge`
         res = res + "\n"
@@ -925,6 +937,10 @@ manual page for details on these.
 The ssl option enables SSL communication with a mailserver
 supporting Secure Sockets Layer. The sslkey and sslcert options
 declare key and certificate files for use with SSL.
+The sslcertck option enables strict checking of SSL server
+certificates (and sslcertpath gives trusted certificate
+directory). With sslfingerprint, you can specify a finger-
+print the server's key is checked against.
 
 The `netsec' option will be configurable only if fetchmail
 was compiled with IPV6 support.  If you need to use it,
@@ -1535,6 +1551,12 @@ class UserEdit(Frame, MyWidget):
 			 self.sslkey, '14').pack(side=TOP, fill=X)
             LabeledEntry(sslwin, 'SSL certificate:',
 			 self.sslcert, '14').pack(side=TOP, fill=X)
+            Checkbutton(sslwin, text="Check server SSL certificate?",
+                        variable=self.sslcertck).pack(side=TOP, fill=X)
+            LabeledEntry(sslwin, 'SSL trusted certificate directory:',
+			 self.sslcertpath, '14').pack(side=TOP, fill=X)
+            LabeledEntry(sslwin, 'SSL key fingerprint:',
+			 self.sslfingerprint, '14').pack(side=TOP, fill=X)
             sslwin.pack(fill=X, anchor=N)
 
         names = Frame(leftwin, relief=RAISED, bd=5)
@@ -1813,8 +1835,8 @@ def copy_instance(toclass, fromdict):
 # present in the dictionary.
     optional = ('interface', 'monitor',
                 'netsec',
-                'ssl', 'sslkey', 'sslcert', 'sslproto',
-                'showdots')
+                'ssl', 'sslkey', 'sslcert', 'sslproto', 'sslcertck',
+		'sslcertpath', 'sslfingerprint', 'showdots')
     class_sig = setdiff(toclass.__dict__.keys(), optional)
     class_sig.sort()
     dict_keys = setdiff(fromdict.keys(), optional)