From db8bc672514dbe4a7154698526276fd8610587c4 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Wed, 1 Jul 2026 15:18:08 +0300 Subject: [PATCH] gh-72507: Document that imaplib does not verify TLS by default IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or hostname unless a suitable ssl_context is passed. Co-Authored-By: Claude Opus 4.8 (1M context) --- Doc/library/imaplib.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Doc/library/imaplib.rst b/Doc/library/imaplib.rst index df2468f7124e6d..3760c38c38c992 100644 --- a/Doc/library/imaplib.rst +++ b/Doc/library/imaplib.rst @@ -89,6 +89,13 @@ There's also a subclass for secure connections: (potentially long-lived) structure. Please read :ref:`ssl-security` for best practices. + .. note:: + + With the default *ssl_context*, the connection is encrypted but the + server certificate and hostname are not verified. + To verify them, pass a context created by + :func:`ssl.create_default_context`. + The optional *timeout* parameter specifies a timeout in seconds for the connection attempt. If timeout is not given or is ``None``, the global default socket timeout is used. @@ -586,6 +593,13 @@ An :class:`IMAP4` instance has the following methods: encryption on the IMAP connection. Please read :ref:`ssl-security` for best practices. + .. note:: + + With the default *ssl_context*, the connection is encrypted but the + server certificate and hostname are not verified. + To verify them, pass a context created by + :func:`ssl.create_default_context`. + .. versionadded:: 3.2 .. versionchanged:: 3.4
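Review bot: In the first hunk (IMAP4_SSL, after "Please read :ref:`ssl-security` for best practices."), `.. note::` undersells a security-relevant default. A connection that is encrypted but whose certificate and hostname are not verified gives no protection against an active man-in-the-middle presenting its own certificate, and a reader can stop at "the connection is encrypted". Consider `.. warning::` and adding one clause that states that consequence. The remedy would also be easier to act on if it named the argument, e.g. "pass ``ssl_context=ssl.create_default_context()``".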
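Review bot: In the second hunk (starttls), the note is a verbatim copy of the IMAP4_SSL note, so the two have to be kept in sync by hand. Consider wording this one for the method or pointing it at the IMAP4_SSL note. In both copies, "With the default *ssl_context*" sits two lines above :func:`ssl.create_default_context`, and the two "default"s mean opposite things (one unverified, one verified). Something like "If *ssl_context* is not given" would avoid readers conflating them.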