From 71036c068c7c33291e06303f29a2fa9ad3f61db3 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Thu, 2 Jul 2026 10:19:11 +0300 Subject: [PATCH] gh-72507: Document that imaplib does not verify TLS certificates by default (GH-152778) IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or hostname unless a suitable ssl_context is passed. (cherry picked from commit f3bf8abb8c0f4cb20bed3dc7d98eca4a2d668709) Co-authored-by: Serhiy Storchaka Co-authored-by: Claude Opus 4.8 (1M context) --- Doc/library/imaplib.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Doc/library/imaplib.rst b/Doc/library/imaplib.rst index b002f4978123e6d..cce3d704d0e2fd1 100644 --- a/Doc/library/imaplib.rst +++ b/Doc/library/imaplib.rst @@ -89,6 +89,13 @@ There's also a subclass for secure connections: (potentially long-lived) structure. Please read :ref:`ssl-security` for best practices. + .. note:: + + With the default *ssl_context*, the connection is encrypted but the + server certificate and hostname are not verified. + To verify them, pass a context created by + :func:`ssl.create_default_context`. + The optional *timeout* parameter specifies a timeout in seconds for the connection attempt. If timeout is not given or is ``None``, the global default socket timeout is used. @@ -581,6 +588,13 @@ An :class:`IMAP4` instance has the following methods: encryption on the IMAP connection. Please read :ref:`ssl-security` for best practices. + .. note:: + + With the default *ssl_context*, the connection is encrypted but the + server certificate and hostname are not verified. + To verify them, pass a context created by + :func:`ssl.create_default_context`. + .. versionadded:: 3.2 .. versionchanged:: 3.4
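Review bot: In the IMAP4_SSL hunk (@@ -89,6 +89,13 @@), "With the default *ssl_context*" sits two lines above a pointer to :func:`ssl.create_default_context`, so "default" can be misread as "the default context", which is the verifying one. Suggest wording the condition on the argument instead, for example "If *ssl_context* is omitted, the connection is encrypted but the server certificate and hostname are not verified." That keeps the unverified case and the recommended fix clearly distinct.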
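Review bot: In the starttls hunk (@@ -581,6 +588,13 @@), the note stops at "encrypted but the server certificate and hostname are not verified" and does not say what that means for the caller. Suggest adding one clause saying the server is therefore not authenticated, so readers do not take "encrypted" as sufficient protection. The text is also a verbatim copy of the note in the first hunk, so any rewording should be applied to both. It may also help to say here which hostname is checked once a verifying context is passed, since this method takes no host argument of its own.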