[PATCH] Check SSL certificate for expiration

Sebastian Spaeth Sebastian at SSpaeth.de
Sat Jun 11 20:35:38 BST 2011


We currently don't care about expiration dates of the server's SSL
certificate. This patch adds a check that fails Cert verification when
it is past its due date. There is no way or option to override this
check.

Unfortunately we only seem to be able to get SSL certificate data when
we passed in a CA cert file? How do we get that date when we don't have
a ca cert file?

Signed-off-by: Sebastian Spaeth <Sebastian at SSpaeth.de>
---
Based against next. Do we need a way to override this? And how do I get
a server's SSL expiration date in python when we don't have a CA CERT to
pass in?

 offlineimap/imaplibutil.py |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index f501af6..20ab336 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -229,6 +229,13 @@ class WrappedIMAP4_SSL(UsefulIMAPMixIn, IMAP4_SSL):
         dnsname = hostname.lower()
         certnames = []
 
+        # cert expired?
+        notafter = cert.get('notAfter') 
+        if notafter:
+            if time.time() >= ssl.cert_time_to_seconds(notafter):
+                return ('server certificate error: certificate expired %s'
+                        ) % notafter
+
         # First read commonName
         for s in cert.get('subject', []):
             key, value = s[0]
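Review bot: the added block calls `time.time()` and `ssl.cert_time_to_seconds()` but the hunk shows no imports; confirm that `import time` and `import ssl` already exist at the top of imaplibutil.py, otherwise the first SSL connection raises NameError inside certificate verification. Two smaller points on the check itself: on Python versions before 3.5, `ssl.cert_time_to_seconds()` parses the certificate's GMT timestamp as local time, so the comparison is off by the host's UTC offset around the expiry boundary; and only `notAfter` is tested, so a certificate whose `notBefore` lies in the future is still accepted, which is the same class of validity error. On the question in the message: `getpeercert()` returns an empty dict when the handshake did not validate the chain (no CA file, i.e. `cert_reqs=CERT_NONE`), which is exactly why `cert.get('notAfter')` comes back as None there; `getpeercert(binary_form=True)` still returns the DER bytes, but the standard library has no X.509 parser for them, so reading the date without a CA file needs an external ASN.1/X.509 parser. Style: the `notafter = cert.get('notAfter')` line carries trailing whitespace, and the `('...' ) % notafter` wrapping reads more naturally as `'...' % notafter` on one line.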
-- 
1.7.4.1
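The validity check the patch adds, written out as a stand-alone example (added here, not OfflineIMAP's code): it tests both ends of the validity window with the same `ssl.cert_time_to_seconds()` call the hunk uses, and it handles the case the author asks about, where `getpeercert()` returns an empty dict because no CA file validated the chain. `SAMPLE_CERT` is a constructed dict in the shape `getpeercert()` returns after a validated handshake; the hostname and dates in it are made up.

```python
import ssl
import time

# Constructed sample, not from the patch or the project: the dict shape
# mirrors what ssl.SSLSocket.getpeercert() returns after a validated
# handshake. Hostname and dates are invented for the example.
SAMPLE_CERT = {
    'subject': ((('commonName', 'imap.example.invalid'),),),
    'notBefore': 'Jun 11 20:35:38 2010 GMT',
    'notAfter': 'Jun 11 20:35:38 2011 GMT',
}


def cert_validity_error(cert, now=None):
    """Return an error string if the certificate is outside its validity
    window (or if no parsed certificate data is available), else None.

    `now` is seconds since the epoch (UTC) and defaults to time.time();
    it is a parameter so the boundary cases can be tested deterministically.
    """
    if now is None:
        now = time.time()

    if not cert:
        # getpeercert() returns {} when the handshake did not validate the
        # chain (no CA file / cert_reqs=CERT_NONE). Only the raw DER bytes
        # from getpeercert(binary_form=True) exist then, and the standard
        # library cannot parse those, so the dates are simply unavailable.
        return 'server certificate error: no parsed certificate data available'

    # ssl.cert_time_to_seconds() expects "%b %d %H:%M:%S %Y GMT". Python 3.5+
    # interprets it as UTC; older versions parsed it as local time, which
    # shifts both checks by the host's UTC offset.
    notbefore = cert.get('notBefore')
    if notbefore and now < ssl.cert_time_to_seconds(notbefore):
        return 'server certificate error: certificate not yet valid (%s)' % notbefore

    notafter = cert.get('notAfter')
    if notafter and now >= ssl.cert_time_to_seconds(notafter):
        return 'server certificate error: certificate expired %s' % notafter

    return None


def is_within_validity(cert, now=None):
    """Boolean convenience wrapper around cert_validity_error()."""
    return cert_validity_error(cert, now) is None


if __name__ == '__main__':
    # Evaluated against the current clock, the sample certificate is long
    # expired, so this prints the expiry error string.
    print(cert_validity_error(SAMPLE_CERT))
```

The `now` parameter is what makes the boundary behaviour testable: the instant equal to `notAfter` is already rejected (matching the `>=` in the patch), while one second earlier is accepted, and one second before `notBefore` is rejected as not yet valid.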