Skip to content

Commit 69fcc3f

Browse files
miss-islingtonserhiy-storchakaclaude
authored
[3.13] gh-72507: Document that imaplib does not verify TLS certificates by default (GH-152778) (GH-152864)
IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or hostname unless a suitable ssl_context is passed. (cherry picked from commit f3bf8ab) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent cbb2535 commit 69fcc3f

1 file changed

Lines changed: 14 additions & 0 deletions

File tree

Doc/library/imaplib.rst

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,13 @@ There's also a subclass for secure connections:
9696
(potentially long-lived) structure. Please read :ref:`ssl-security` for
9797
best practices.
9898

99+
.. note::
100+
101+
With the default *ssl_context*, the connection is encrypted but the
102+
server certificate and hostname are not verified.
103+
To verify them, pass a context created by
104+
:func:`ssl.create_default_context`.
105+
99106
The optional *timeout* parameter specifies a timeout in seconds for the
100107
connection attempt. If timeout is not given or is ``None``, the global default
101108
socket timeout is used.
@@ -501,6 +508,13 @@ An :class:`IMAP4` instance has the following methods:
501508
encryption on the IMAP connection. Please read :ref:`ssl-security` for
502509
best practices.
503510

511+
.. note::
512+
513+
With the default *ssl_context*, the connection is encrypted but the
514+
server certificate and hostname are not verified.
515+
To verify them, pass a context created by
516+
:func:`ssl.create_default_context`.
517+
504518
.. versionadded:: 3.2
505519

506520
.. versionchanged:: 3.4

0 commit comments

Comments
 (0)