From 63060966756990f51ee7d18b0267e1fe852c3020 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Thu, 2 Jul 2026 10:19:11 +0300 Subject: [PATCH] gh-72507: Document that imaplib does not verify TLS certificates by default (GH-152778) IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or hostname unless a suitable ssl_context is passed. (cherry picked from commit f3bf8abb8c0f4cb20bed3dc7d98eca4a2d668709) Co-authored-by: Serhiy Storchaka Co-authored-by: Claude Opus 4.8 (1M context) --- Doc/library/imaplib.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Doc/library/imaplib.rst b/Doc/library/imaplib.rst index 166455bae02687c..a085f630b3948cf 100644 --- a/Doc/library/imaplib.rst +++ b/Doc/library/imaplib.rst @@ -97,6 +97,13 @@ There's also a subclass for secure connections: (potentially long-lived) structure. Please read :ref:`ssl-security` for best practices. + .. note:: + + With the default *ssl_context*, the connection is encrypted but the + server certificate and hostname are not verified. + To verify them, pass a context created by + :func:`ssl.create_default_context`. + The optional *timeout* parameter specifies a timeout in seconds for the connection attempt. If timeout is not given or is ``None``, the global default socket timeout is used. @@ -589,6 +596,13 @@ An :class:`IMAP4` instance has the following methods: encryption on the IMAP connection. Please read :ref:`ssl-security` for best practices. + .. note:: + + With the default *ssl_context*, the connection is encrypted but the + server certificate and hostname are not verified. + To verify them, pass a context created by + :func:`ssl.create_default_context`. + .. versionadded:: 3.2 .. versionchanged:: 3.4
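Review bot: in the first hunk (``@@ -97,6 +97,13 @@``, the ``IMAP4_SSL`` description), the added ``.. note::`` says the server certificate and hostname are not verified but leaves out the consequence: with the default *ssl_context* the client has no assurance that it is talking to the intended server, even though the connection is encrypted. This is a security-relevant default and the text sits right after the "Please read :ref:`ssl-security`" sentence, so consider ``.. warning::`` instead of ``.. note::`` and one extra sentence stating that consequence. Naming the keyword in the remedy would also help, for example "pass ``ssl_context=ssl.create_default_context()``", so readers do not have to infer which argument takes the context.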
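Review bot: in the second hunk (``@@ -589,6 +596,13 @@``, the ``starttls`` method), the note body is a verbatim copy of the four lines added in the first hunk, so the two copies can drift apart when one of them is edited later. Consider keeping the full wording in one place and cross-referencing it from the other. If both copies stay, word this one for the method, since "the connection is encrypted" here only holds from the point where ``starttls`` has completed, which the shared wording does not say.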