Commit 7449390

miss-islington, serhiy-storchaka and claude authored
[3.14] gh-72507: Document that imaplib does not verify TLS certificates by default (GH-152778) (GH-152863)
IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or hostname unless a suitable ssl_context is passed.

(cherry picked from commit f3bf8ab)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 551703e commit 7449390

1 file changed

Lines changed: 14 additions & 0 deletions

Doc/library/imaplib.rst

@@ -97,6 +97,13 @@ There's also a subclass for secure connections:
9797
(potentially long-lived) structure. Please read :ref:`ssl-security` for
9898
best practices.
9999

100+
.. note::
101+
102+
With the default *ssl_context*, the connection is encrypted but the
103+
server certificate and hostname are not verified.
104+
To verify them, pass a context created by
105+
:func:`ssl.create_default_context`.
106+
100107
The optional *timeout* parameter specifies a timeout in seconds for the
101108
connection attempt. If timeout is not given or is ``None``, the global default
102109
socket timeout is used.
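
Review bot: The note added at new lines 100-105 says the certificate and hostname are not verified but leaves out the consequence, so a reader skimming may take "encrypted" as sufficient. Consider stating that without verification the client cannot tell the intended server from an impostor, and consider `.. warning::` rather than `.. note::` since this describes a security-relevant default. It would also help to spell out what "the default *ssl_context*" means (the argument left out), because the surrounding context lines do not state the default value.
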
@@ -589,6 +596,13 @@ An :class:`IMAP4` instance has the following methods:
589596
encryption on the IMAP connection. Please read :ref:`ssl-security` for
590597
best practices.
591598

599+
.. note::
600+
601+
With the default *ssl_context*, the connection is encrypted but the
602+
server certificate and hostname are not verified.
603+
To verify them, pass a context created by
604+
:func:`ssl.create_default_context`.
605+
592606
.. versionadded:: 3.2
593607

594608
.. versionchanged:: 3.4
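
Review bot: The note at new lines 599-604 is a word-for-word copy of the one added in the first hunk, so the two can drift apart on later edits. Suggest wording this one for the method (for example "If *ssl_context* is omitted, ...") or pointing to the class-level note, and adding a sentence that shows a context from :func:`ssl.create_default_context` being passed, since the paragraph above it only refers the reader to :ref:`ssl-security`.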
