Re: [Django] #35653: Support EMAIL_SSL_CERTFILE for private certificate authority (was: SSL error sending mail when EMAIL_SSL_CERTFILE is set without EMAIL_SSL_KEYFILE)
5 views
Skip to first unread message
Django
Aug 2, 2024, 2:09:17 PM8/2/24
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: New feature | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by Mike Edmunds):
* resolution: duplicate =>
* status: closed => new
* summary:
SSL error sending mail when EMAIL_SSL_CERTFILE is set without
EMAIL_SSL_KEYFILE
=> Support EMAIL_SSL_CERTFILE for private certificate authority
* type: Bug => New feature
Comment:
I don't think this is a duplicate of #34504. That ticket wanted to disable
hostname checking and certificate verification, which is indeed not
recommended.
This ticket is trying to use a private certificate authority ''with''
hostname checking and certificate verification enabled. I'd think we'd
want to encourage that when using a private CA. Django's SMTP EmailBackend
makes that difficult right now, by requiring subclassing and overriding an
undocumented property.
I would treat this as a feature request for Django's SMTP EmailBackend to
support setting EMAIL_SSL_CERTIFICATE to a private CA or self-signed
certificate, with all recommended security enabled.
If we don't want to do that, we should probably add some documentation
along the lines of:
- EMAIL_SSL_CERTIFICATE is meant only for client authentication, and
therefore must either include the private key or be used together with
EMAIL_SSL_KEYFILE.
- To use a private certificate authority or self-signed certificate with
your SMTP server, ''don't'' use Django's EMAIL_SSL_CERTIFICATE. Instead,
add your private CA to your system's OpenSSL ca-path or set the
SSL_CERT_FILE and/or SSL_CERT_DIR ''environment'' variables to point to
it. (See Python's
[https://docs.python.org/3/library/ssl.html#ssl.get_default_verify_paths
ssl.get_default_verify_paths()].)
(Also, I might be misunderstanding, but it looks like when
EMAIL_SSL_CERTIFICATE is set the
[https://github.com/django/django/blob/b478cae00643d6730746f2614792b35a7d3187ff/django/core/mail/backends/smtp.py#L62
SMTP backend creates] a ''less-secure''
[https://docs.python.org/3/library/ssl.html#ssl-
security:~:text=if%20you%20create%20the%20SSL%20context%20by%20calling%20the%20SSLContext%20constructor%20yourself%2C%20it%20will%20not%20have%20certificate%20validation%20nor%20hostname%20checking%20enabled%20by%20default
SSLContext with checking disabled]. And I see we've actually
[https://docs.djangoproject.com/en/5.0/ref/settings/#std-setting-
EMAIL_SSL_CERTFILE:~:text=Note%20that%20setting%20EMAIL_SSL_CERTFILE%20and%20EMAIL_SSL_KEYFILE%20doesn%E2%80%99t%20result%20in%20any%20certificate%20checking.
documented that behavior].)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: New feature | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by Mike Edmunds):
* resolution: duplicate =>
* status: closed => new
* summary:
SSL error sending mail when EMAIL_SSL_CERTFILE is set without
EMAIL_SSL_KEYFILE
=> Support EMAIL_SSL_CERTFILE for private certificate authority
* type: Bug => New feature
Comment:
I don't think this is a duplicate of #34504. That ticket wanted to disable
hostname checking and certificate verification, which is indeed not
recommended.
This ticket is trying to use a private certificate authority ''with''
hostname checking and certificate verification enabled. I'd think we'd
want to encourage that when using a private CA. Django's SMTP EmailBackend
makes that difficult right now, by requiring subclassing and overriding an
undocumented property.
I would treat this as a feature request for Django's SMTP EmailBackend to
support setting EMAIL_SSL_CERTIFICATE to a private CA or self-signed
certificate, with all recommended security enabled.
If we don't want to do that, we should probably add some documentation
along the lines of:
- EMAIL_SSL_CERTIFICATE is meant only for client authentication, and
therefore must either include the private key or be used together with
EMAIL_SSL_KEYFILE.
- To use a private certificate authority or self-signed certificate with
your SMTP server, ''don't'' use Django's EMAIL_SSL_CERTIFICATE. Instead,
add your private CA to your system's OpenSSL ca-path or set the
SSL_CERT_FILE and/or SSL_CERT_DIR ''environment'' variables to point to
it. (See Python's
[https://docs.python.org/3/library/ssl.html#ssl.get_default_verify_paths
ssl.get_default_verify_paths()].)
(Also, I might be misunderstanding, but it looks like when
EMAIL_SSL_CERTIFICATE is set the
[https://github.com/django/django/blob/b478cae00643d6730746f2614792b35a7d3187ff/django/core/mail/backends/smtp.py#L62
SMTP backend creates] a ''less-secure''
[https://docs.python.org/3/library/ssl.html#ssl-
security:~:text=if%20you%20create%20the%20SSL%20context%20by%20calling%20the%20SSLContext%20constructor%20yourself%2C%20it%20will%20not%20have%20certificate%20validation%20nor%20hostname%20checking%20enabled%20by%20default
SSLContext with checking disabled]. And I see we've actually
[https://docs.djangoproject.com/en/5.0/ref/settings/#std-setting-
EMAIL_SSL_CERTFILE:~:text=Note%20that%20setting%20EMAIL_SSL_CERTFILE%20and%20EMAIL_SSL_KEYFILE%20doesn%E2%80%99t%20result%20in%20any%20certificate%20checking.
documented that behavior].)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Reply all
Reply to author
Forward
0 new messages