diff --git a/lib/net/imap.rb b/lib/net/imap.rb
index 3eb72c2c6..16a143831 100644
--- a/lib/net/imap.rb
+++ b/lib/net/imap.rb
@@ -759,6 +759,19 @@ class << self
alias default_imap_port default_port
alias default_imaps_port default_tls_port
alias default_ssl_port default_tls_port
+
+ # The default value for the +tls+ option of ::new, when +port+ is
+ # unspecified or non-standard.
+ #
+ # *Note*: A future release of Net::IMAP will set the default to +true+, as
+ # per RFC7525[https://tools.ietf.org/html/rfc7525],
+ # RFC7817[https://tools.ietf.org/html/rfc7817], and
+ # RFC8314[https://tools.ietf.org/html/rfc8314].
+ #
+ # Set to +true+ for the secure default without warnings. Set to
+ # +false+ to globally silence warnings and use insecure defaults.
+ attr_accessor :default_tls
+ alias default_ssl default_tls
end
# Returns the initial greeting the server, an UntaggedResponse.
@@ -801,16 +814,28 @@ class << self
# Accepts the following options:
#
# [port]
- # Port number. Defaults to 993 when +ssl+ is truthy, and 143 otherwise.
+ # Port number. Defaults to 143 when +tls+ is false, 993 when +tls+ is
+ # truthy. Based on ::default_tls when both +port+ and +tls+ are nil.
#
- # [ssl]
+ # [tls]
# If +true+, the connection will use TLS with the default params set by
# {OpenSSL::SSL::SSLContext#set_params}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-set_params].
- # If +ssl+ is a hash, it's passed to
+ # If +tls+ is a hash, it's passed to
# {OpenSSL::SSL::SSLContext#set_params}[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html#method-i-set_params];
# the keys are names of attribute assignment methods on
# SSLContext[https://docs.ruby-lang.org/en/master/OpenSSL/SSL/SSLContext.html].
#
+ # When port: 993, +tls+ defaults to +true+.
+ # When port: 143, +tls+ defaults to +false+.
+ # When port is unspecified or non-standard, +tls+ defaults to
+ # ::default_tls. When ::default_tls is also +nil+, a warning is printed
+ # and the connection does _not_ use TLS.
+ #
+ # When +nil+ or unassigned a default value is assigned: the default is
+ # +true+ if port: 993, +false+ if port: 143, and
+ # ::default_tls when +port+ is unspecified or non-standard. When
+ # ::default_tls is +nil+, a back
+ #
# [open_timeout]
# Seconds to wait until a connection is opened
# [idle_response_timeout]
@@ -871,15 +896,15 @@ class << self
# [Net::IMAP::ByeResponseError]
# Connected to the host successfully, but it immediately said goodbye.
#
- def initialize(host, port: nil, ssl: nil,
+ def initialize(host, port: nil, tls: nil,
open_timeout: 30, idle_response_timeout: 5)
super()
# Config options
@host = host
- @port = port || (ssl ? SSL_PORT : PORT)
+ tls, @port = default_tls_and_port(tls, port)
@open_timeout = Integer(open_timeout)
@idle_response_timeout = Integer(idle_response_timeout)
- @ssl_ctx_params, @ssl_ctx = build_ssl_ctx(ssl)
+ @ssl_ctx_params, @ssl_ctx = build_ssl_ctx(tls)
# Basic Client State
@utf8_strings = false
@@ -994,7 +1019,7 @@ def capabilities
# servers will drop all AUTH= mechanisms from #capabilities after
# the connection has authenticated.
#
- # imap = Net::IMAP.new(hostname, ssl: false)
+ # imap = Net::IMAP.new(hostname, tls: false)
# imap.capabilities # => ["IMAP4REV1", "LOGINDISABLED"]
# imap.auth_mechanisms # => []
#
@@ -2584,6 +2609,27 @@ def remove_response_handler(handler)
@@debug = false
+ def default_tls_and_port(tls, port)
+ if tls.nil? && port
+ tls = true if port == SSL_PORT || /\Aimaps\z/i === port
+ tls = false if port == PORT
+ elsif port.nil? && !tls.nil?
+ port = tls ? SSL_PORT : PORT
+ end
+ if tls.nil? && port.nil?
+ tls = self.class.default_tls.dup.freeze
+ port = tls ? SSL_PORT : PORT
+ if tls.nil?
+ warn "A future version of Net::IMAP.default_tls " \
+ "will default to 'true', for secure connections by default. " \
+ "Use 'Net::IMAP.new(host, tls: false)' or set " \
+ "Net::IMAP.default_tls = false' to silence this warning."
+ end
+ end
+ tls &&= tls.respond_to?(:to_hash) ? tls.to_hash : {}
+ [tls, port]
+ end
+
def start_imap_connection
@greeting = get_server_greeting
@capabilities = capabilities_from_resp_code @greeting
diff --git a/lib/net/imap/deprecated_client_options.rb b/lib/net/imap/deprecated_client_options.rb
index d747d68b1..341df4ef1 100644
--- a/lib/net/imap/deprecated_client_options.rb
+++ b/lib/net/imap/deprecated_client_options.rb
@@ -5,9 +5,12 @@ class IMAP < Protocol
# This module handles deprecated arguments to various Net::IMAP methods.
module DeprecatedClientOptions
+ UNDEF = Module.new.freeze
+ private_constant :UNDEF
# :call-seq:
# Net::IMAP.new(host, **options) # standard keyword options
+ # Net::IMAP.new(host, ssl: nil, **options) # ssl => tls
# Net::IMAP.new(host, options) # obsolete hash options
# Net::IMAP.new(host, port) # obsolete port argument
# Net::IMAP.new(host, port, usessl, certs = nil, verify = true) # deprecated SSL arguments
@@ -19,6 +22,13 @@ module DeprecatedClientOptions
# Using obsolete arguments does not a warning. Obsolete arguments will be
# deprecated by a future release.
#
+ # If +ssl+ is given, it is silently converted to the +tls+ keyword
+ # argument. Combining both +ssl+ and +tls+ raises an ArgumentError. Both
+ # of the following behave identically:
+ #
+ # Net::IMAP.new("imap.example.com", port: 993, ssl: {ca_path: "path/to/certs"})
+ # Net::IMAP.new("imap.example.com", port: 993, tls: {ca_path: "path/to/certs"})
+ #
# If a second positional argument is given and it is a hash (or is
# convertable via +#to_hash+), it is converted to keyword arguments.
#
@@ -71,6 +81,7 @@ module DeprecatedClientOptions
#
def initialize(host, port_or_options = nil, *deprecated, **options)
if port_or_options.nil? && deprecated.empty?
+ translate_ssl_to_tls(options)
super host, **options
elsif options.any?
# Net::IMAP.new(host, *__invalid__, **options)
@@ -79,15 +90,17 @@ def initialize(host, port_or_options = nil, *deprecated, **options)
# Net::IMAP.new(host, options, *__invalid__)
raise ArgumentError, "Do not use deprecated SSL params with options hash"
elsif port_or_options.respond_to?(:to_hash)
- super host, **Hash.try_convert(port_or_options)
+ options = Hash.try_convert(port_or_options)
+ translate_ssl_to_tls(options)
+ super host, **options
elsif deprecated.empty?
super host, port: port_or_options
elsif deprecated.shift
warn "DEPRECATED: Call Net::IMAP.new with keyword options", uplevel: 1
- super host, port: port_or_options, ssl: create_ssl_params(*deprecated)
+ super host, port: port_or_options, tls: create_ssl_params(*deprecated)
else
warn "DEPRECATED: Call Net::IMAP.new with keyword options", uplevel: 1
- super host, port: port_or_options, ssl: false
+ super host, port: port_or_options, tls: false
end
end
@@ -120,7 +133,17 @@ def starttls(*deprecated, **options)
private
+ def translate_ssl_to_tls(options)
+ return unless options.key?(:ssl)
+ if options.key?(:tls)
+ raise ArgumentError, "conflicting :ssl and :tls keyword arguments"
+ end
+ options.merge!(tls: options.delete(:ssl))
+ end
+
def create_ssl_params(certs = nil, verify = true)
+ certs = nil if certs == UNDEF
+ verify = true if verify == UNDEF
params = {}
if certs
if File.file?(certs)