Opened 4 years ago
Closed 21 months ago
#31885 closed Bug (fixed)
Update SMTP Email Backend to use an SSLContext.
| Reported by: | Luis Saavedra | Owned by: | Luis Saavedra |
|---|---|---|---|
| Component: | Core (Mail) | Version: | dev |
| Severity: | Normal | Keywords: | SSL |
| Cc: | Carlton Gibson | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Setting SSL cert and key in `SMTP.starttls()` is deprecated (since Python 3.6) in favour of passing an SSLContext. Update the SMTP backend to use the newer API.
Change History (7)
comment:1 by , 4 years ago
| Description: | modified (diff) |
|---|---|
| Has patch: | set |
| Needs documentation: | set |
| Needs tests: | set |
| Owner: | changed from to |
| Patch needs improvement: | set |
| Status: | new → assigned |
| Summary: | add EmalBackend CA parameters #13305 → Update SMTP Email Backend to use an SSLContext. |
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 4 years ago
The old settings are good because set the authenticity credentials of a client, this pull request add the CA parameters to check the authenticity of the server. A man in the midle attack can pass any certificate to the client and the client can't check the authenticity because dont have CA parameters.
comment:3 by , 4 years ago
| Needs documentation: | unset |
|---|---|
| Needs tests: | unset |
| Patch needs improvement: | unset |
Updating flags to put back in the review queue
comment:4 by , 4 years ago
| Patch needs improvement: | set |
|---|
PR looks good. Just needs to add deprecations for the old keyfile and certfile way of doing things.
comment:5 by , 4 years ago
So conclusion on the PR is that we should add the option to accept the parameters for an SSLContext on EmailBackend but not add them as settings. (The default is to use the system CA certs which is what most people want/need.)
We will then recommend subclassing in the docs for more control.
At the same time we should deprecate EMAIL_SSL_CERTFILE and EMAIL_SSL_KEYFILE for the same reasons.
comment:6 by , 21 months ago
| Cc: | added |
|---|
EmailBackend uses SSLContext since 2848e5d0ce5cf3c31fe87525536093b21d570f69. Users can subclass EmailBackend and override the ssl_context property to use custom cart/key files. Maybe it's enough to consider this ticket as fixed 🤔
comment:7 by , 21 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
...override the ssl_context property to use custom crt/key files.
The ssl_context still uses the settings, so not sure they need to subclass even.
(I still we expose too much of smtplib through the settings here, but progress there is likely Jacob's proposal from https://groups.google.com/g/django-developers/c/R8ebGynQjK0/m/kc-zggaxAgAJ)
I agree the narrow ticket here was resolved in 2848e5d0ce5cf3c31fe87525536093b21d570f69. 👍
Thanks for the report. Yes, an update here sounds good.
We'll need docs and tests for the changes. You've added new settings, those will need documenting too.
Then, do we need to deprecate the old settings, as no longer appropriate?