Skip to content

gh-72507: Document that imaplib does not verify TLS certificates by default#152778

Merged
serhiy-storchaka merged 1 commit into
python:mainfrom
serhiy-storchaka:imaplib-ssl-noverify-doc
Jul 2, 2026
Merged

gh-72507: Document that imaplib does not verify TLS certificates by default#152778
serhiy-storchaka merged 1 commit into
python:mainfrom
serhiy-storchaka:imaplib-ssl-noverify-doc

Conversation

@serhiy-storchaka

@serhiy-storchaka serhiy-storchaka commented Jul 1, 2026

Copy link
Copy Markdown
Member

IMAP4_SSL() and IMAP4.starttls() fall back to
ssl._create_stdlib_context() when no ssl_context is given, and that
context has check_hostname=False and verify_mode=CERT_NONE -- so with
the default the connection is encrypted but the server certificate and
hostname are not verified. The documentation implied otherwise ("the
class now supports hostname check").

This adds a note to both IMAP4_SSL and IMAP4.starttls stating that the
default does not verify, and pointing to ssl.create_default_context().

Only the documentation is changed; the default behavior is left as-is
(that broader change is tracked in gh-91826).

IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or
hostname unless a suitable ssl_context is passed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@serhiy-storchaka serhiy-storchaka requested a review from a team as a code owner July 1, 2026 12:28
@bedevere-app bedevere-app Bot added docs Documentation in the Doc dir skip news labels Jul 1, 2026
@github-project-automation github-project-automation Bot moved this to Todo in Docs PRs Jul 1, 2026
@serhiy-storchaka serhiy-storchaka added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes labels Jul 1, 2026
@read-the-docs-community

Copy link
Copy Markdown

Documentation build overview

📚 cpython-previews | 🛠️ Build #33392908 | 📁 Comparing db8bc67 against main (b52bc56)

  🔍 Preview build  

1 file changed
± library/imaplib.html

@serhiy-storchaka serhiy-storchaka merged commit f3bf8ab into python:main Jul 2, 2026
42 checks passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in Docs PRs Jul 2, 2026
@miss-islington-app

Copy link
Copy Markdown

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14, 3.15.
🐍🍒⛏🤖

@serhiy-storchaka serhiy-storchaka deleted the imaplib-ssl-noverify-doc branch July 2, 2026 07:19
@bedevere-app

bedevere-app Bot commented Jul 2, 2026

Copy link
Copy Markdown

GH-152862 is a backport of this pull request to the 3.15 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.15 pre-release feature fixes, bugs and security fixes label Jul 2, 2026
@bedevere-app

bedevere-app Bot commented Jul 2, 2026

Copy link
Copy Markdown

GH-152863 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Jul 2, 2026
@bedevere-app

bedevere-app Bot commented Jul 2, 2026

Copy link
Copy Markdown

GH-152864 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Jul 2, 2026
serhiy-storchaka added a commit that referenced this pull request Jul 2, 2026
…es by default (GH-152778) (GH-152864)

IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or
hostname unless a suitable ssl_context is passed.
(cherry picked from commit f3bf8ab)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
serhiy-storchaka added a commit that referenced this pull request Jul 2, 2026
…es by default (GH-152778) (GH-152863)

IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or
hostname unless a suitable ssl_context is passed.
(cherry picked from commit f3bf8ab)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
serhiy-storchaka added a commit that referenced this pull request Jul 2, 2026
…es by default (GH-152778) (GH-152862)

IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or
hostname unless a suitable ssl_context is passed.
(cherry picked from commit f3bf8ab)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs Documentation in the Doc dir skip news

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant