Re: [Django] #35653: Support EMAIL_SSL_CERTFILE for private certificate authority


Django

Aug 2, 2024, 2:28:27 PM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: New feature | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Comment (by Mike Edmunds):

(Also, since the docs for EMAIL_SSL_CERTIFICATE already say "certificate
chain file," it seems reasonable to expect that could be a private CA
bundle. Which would make this a bug.)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 3, 2024, 3:10:02 AM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+------------------------------------
Reporter: dkaylor | Owner: (none)
Type: New feature | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+------------------------------------
Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:8>

Django

Aug 7, 2024, 8:04:11 AM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
Changes (by Igor Scheller):

* has_patch: 0 => 1
* owner: (none) => Igor Scheller
* status: new => assigned

Comment:

I added a [https://github.com/django/django/pull/18456 PR] to implement it
as an additional feature (although changing the current behaviour might be an
option too)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:9>

Django

Aug 7, 2024, 12:40:58 PM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:10>

Django

Aug 8, 2024, 7:32:57 AM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
Comment (by Igor Scheller):

As noted in the PR discussion, adding another option should be avoided in
favour of the upcoming EMAIL_PROVIDERS setting, discussed in #35514.
The PR now reflects that change by allowing the setting to be set in the
constructor and later from above providers config.
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:11>

Django

Aug 8, 2024, 2:17:10 PM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
Comment (by Mike Edmunds):

This seems like a useful addition, given that:
- Internal private CAs are not all that exotic.
- Django's current documentation seems to suggest that
EMAIL_SSL_CERTIFICATE can be set to a private CA bundle, but this doesn't
actually work.
- Although the problem can be solved by subclassing smtp.EmailBackend to
override ssl_context, that seems to be error prone. A lot of high-ranking
solutions disable certificate checking entirely or introduce other
security issues. (Another common recommendation is downgrading to Django
4.1.)

Question: am I understanding correctly that the proposed `ssl_cafile`
option would also work to securely verify self-signed certs? (That seems
like another semi-common Django email question that generates a lot of
less-secure answers.)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:12>

Django

Aug 9, 2024, 3:46:02 AM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
Comment (by Igor Scheller):

Yes, it allows you to add a
[https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
root-CA certificate] / bundle of certificates which is used as the trust
anchor; it can either be your own self-signed one or the one your
organisation set up as a private CA.
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:13>
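The secure form of the `ssl_context` override that the two comments above discuss, as an added example that is not code from the ticket, the PR or Django itself: the names `PrivateCAEmailBackend`, `verifying_context`, `loads_trust_bundle` and `is_verifying` are assumed, and when Django is not installed a minimal stand-in base class is used so the block runs on its own.

```python
import ssl
from functools import cached_property

try:
    from django.core.mail.backends.smtp import EmailBackend
except ImportError:
    # Stand-in so the example runs without Django: mirrors only the two
    # attributes of the real backend that this subclass reads.
    class EmailBackend:
        def __init__(self, ssl_keyfile=None, ssl_certfile=None, **kwargs):
            self.ssl_keyfile = ssl_keyfile
            self.ssl_certfile = ssl_certfile


def verifying_context(cafile=None):
    """Client TLS context that verifies the server's chain; `cafile` (assumed)
    is a PEM bundle holding the private CA root or the server's own self-signed
    certificate, added as a trust anchor via load_verify_locations."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def loads_trust_bundle(cafile):
    """True if `cafile` holds at least one PEM certificate: OpenSSL rejects
    an empty or non-PEM file, so a misconfigured path fails closed."""
    try:
        verifying_context(cafile)
    except (ssl.SSLError, OSError):
        return False
    return True


def is_verifying(ctx):
    """True only if the context rejects unknown issuers and hostname mismatches."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


class PrivateCAEmailBackend(EmailBackend):
    """Hypothetical subclass: `ssl_cafile` is the trust anchor and is never
    handed to load_cert_chain, which installs a *client* certificate instead."""

    def __init__(self, *args, ssl_cafile=None, **kwargs):
        self.ssl_cafile = ssl_cafile
        super().__init__(*args, **kwargs)

    @cached_property
    def ssl_context(self):
        ctx = verifying_context(self.ssl_cafile)
        if self.ssl_certfile:  # optional client certificate for mutual TLS
            ctx.load_cert_chain(self.ssl_certfile, self.ssl_keyfile)
        return ctx
```

Point `EMAIL_BACKEND` at this class and pass `ssl_cafile` via the backend's constructor kwargs; the system root store stays active alongside the private CA, so public-CA servers keep working.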

Django

Dec 1, 2024, 1:33:11 PM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:14>

Django

Dec 3, 2024, 11:54:36 AM
to django-...@googlegroups.com
#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:15>