interimap/tests/tls-verify-peer, branch debian/0.5.7-4 Fast bidirectional synchronization for QRESYNC-capable IMAP servers libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set. 2020-12-13T17:44:18+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-13T16:43:52+00:00 8c43ed9baa905d907a6aad77de2282a852ba69a9 In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used). 
In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).

This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used).
test suite: ensure we haven't started speaking IMAP when the SSL/TLS handshake is aborted. 2020-12-13T16:38:07+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-13T16:37:32+00:00 ba9d8af01141a6d5d5b98a0e249c311814b844a6 (Unless STARTTLS is used to upgrade the connection.) 
(Unless STARTTLS is used to upgrade the connection.)
test suite: supply our own OpenSSL configuration file with MinProtocol=None. 2020-12-11T17:44:13+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-11T17:28:32+00:00 ed263d4a380036b654525ee268db615c17d0d216 So we can test TLSv1 as well, not just TLSv1.2 and later. Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration file (the default as of 2.3.11.3), hence running TLS tests now require Dovecot 2.3 or later. 
So we can test TLSv1 as well, not just TLSv1.2 and later.

Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now require
Dovecot 2.3 or later.
libinterimap: make SSL_verify check the hostname as well. 2020-12-11T10:20:41+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-10T18:39:10+00:00 265f133600e9812726a52ea3067409ed3578e882 More precisely, ensure that the certificate Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only verifying the chain of trust. This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version 1.0.2. 
More precisely, ensure that the certificate Subject Alternative Name
(SAN) or Subject CommonName (CN) matches the hostname or IP literal
specified by the 'host' option.  Previously it was only verifying the
chain of trust.

This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version
1.0.2.
test suite: always generate new certificates on `make test`. 2020-12-11T10:20:41+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-10T13:34:48+00:00 26e5c04abfb81bdcbd4d89d9f9329b8433920b26 In addition, sign test certificates with the same root CA. Hence running `make test` now requires OpenSSL 1.1.1 or later. 
In addition, sign test certificates with the same root CA.  Hence
running `make test` now requires OpenSSL 1.1.1 or later.
libinterimap: show the matching pinned SPKI in --debug mode. 2020-12-11T10:20:37+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-10T13:28:29+00:00 17b263c49df682fc45f0e50cceb01db4366ad9a7 






test suite: use a RSA certificate rather than ECDSA.
2020-12-09T13:57:11+00:00

Guilhem Moulin
guilhem@fripost.org

2020-12-09T13:57:11+00:00

b13c9fa6f442f555af65f869b954935dae40fcc4

It's arguably the most common use-case.  Generated with

  $ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
  $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
        -key tests/snippets/dovecot/dovecot.rsa.key \
        -out tests/snippets/dovecot/dovecot.rsa.crt





It's arguably the most common use-case.  Generated with

  $ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
  $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
        -key tests/snippets/dovecot/dovecot.rsa.key \
        -out tests/snippets/dovecot/dovecot.rsa.crt







Test suite: add new tests for SSL/TLS.
2019-11-13T05:23:57+00:00

Guilhem Moulin
guilhem@fripost.org

2019-11-10T04:39:41+00:00

a7c364bf90a4593cfbc7911b1b7536dc66b1c879

SSL connections are accepted on TCP port 10993.  Also, fix STARTTLS
directive, broken since fba1c36…





SSL connections are accepted on TCP port 10993.  Also, fix STARTTLS
directive, broken since fba1c36…