0

I have some code that uses Exchangelib to process emails. For various reasons, the certificate validation fails and I have to use the usual NoVerifyHTTPAdapter:

from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
# Tell exchangelib to use this adapter class instead of the default
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter

This leads me to two questions:

  1. I am now wondering, am I sending and receiving in plain text without encryption? I know that the servers I am using only have port 443 open.

  2. If I am not sending in plain text, is there a way to get the name of the certificate that I am using?

If this question is answered somewhere else, sorry for the inconvenience, it must have slipped in my initial search.

Dataguy
  • 3
  • 2

1 Answers1

0

You are not sending in plain text. Your data is still encrypted since you are communicating over HTTPS.

When certificate validation fails, it means that the certificate of the server cannot be validated using any of the root certificates on your local machine that you (or your OS vendor) have chosen to trust, or that the certificate does not match the server that you are communicating with, that the certificate has expired, or any of the other reasons that may cause failure to validate a certificate.

This means that you have no guarantee that the server you are communicating with is in fact the correct server, which leaves you vulnerable to man-in-the-middle attacks and exposing your data to an untrusted server. But the communication channel itself is still encrypted.

There's some more discussion at What are the implications of ignoring SSL certificate verification?

If you absolutely cannot fix the causes of the invalid certificate, your best option is to accept the certificate locally: How to get Python requests to trust a self signed SSL certificate?

Erik Cederstrand
  • 9,643
  • 8
  • 39
  • 63