Commit f3bf8ab

gh-72507: Document that imaplib does not verify TLS certificates by default (GH-152778)
IMAP4_SSL() and IMAP4.starttls() do not verify the server certificate or hostname unless a suitable ssl_context is passed.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 50ae0be commit f3bf8ab

1 file changed

Lines changed: 14 additions & 0 deletions

Doc/library/imaplib.rst

@@ -89,6 +89,13 @@ There's also a subclass for secure connections:
8989
(potentially long-lived) structure. Please read :ref:`ssl-security` for
9090
best practices.
9191

92+
.. note::
93+
94+
With the default *ssl_context*, the connection is encrypted but the
95+
server certificate and hostname are not verified.
96+
To verify them, pass a context created by
97+
:func:`ssl.create_default_context`.
98+
9299
The optional *timeout* parameter specifies a timeout in seconds for the
93100
connection attempt. If timeout is not given or is ``None``, the global default
94101
socket timeout is used.
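
Review bot: In the added note (new lines 94-97), "the default *ssl_context*" does not say which call produces it, so a reader skimming the entry cannot tell that simply leaving the argument out is the unverified case. Suggest opening with "If *ssl_context* is not given, ..." and adding one clause on the consequence: without certificate and hostname verification the client has no assurance about which server it has reached, so credentials sent over the encrypted connection can still end up with a party in the network path. The context paragraph just above already links :ref:`ssl-security`; the note could point there as well, since :func:`ssl.create_default_context` is named without saying that its defaults are what enable both checks.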
@@ -586,6 +593,13 @@ An :class:`IMAP4` instance has the following methods:
586593
encryption on the IMAP connection. Please read :ref:`ssl-security` for
587594
best practices.
588595

596+
.. note::
597+
598+
With the default *ssl_context*, the connection is encrypted but the
599+
server certificate and hostname are not verified.
600+
To verify them, pass a context created by
601+
:func:`ssl.create_default_context`.
602+
589603
.. versionadded:: 3.2
590604

591605
.. versionchanged:: 3.4
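
Review bot: The note added at new lines 598-601 is a verbatim copy of the one in the first hunk, so it never mentions the STARTTLS upgrade that this method performs. Suggest wording it for this entry (for example "the upgraded connection is encrypted but ..."), or keeping the full text in one place and cross-referencing it from the other so the two copies cannot drift apart. It is also worth checking how the note reads next to the `.. versionchanged:: 3.4` entry that follows, whose text is not shown in this hunk.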
