interimap/tests, branch v0.5.4 Fast bidirectional synchronization for QRESYNC-capable IMAP servers libinterimap: add support for the TLS SNI (Server Name Indication) extension. 2020-12-11T10:20:41+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-10T20:52:44+00:00 4ed6f0982cc0553e31e7beadf441beb8573a07d4 This is controlled by the new 'SSL_hostname' option. The default value of that option is the value of the 'host' option when it is hostname, and the empty string (which disables SNI) when it is an IP literal. 
This is controlled by the new 'SSL_hostname' option.  The default value
of that option is the value of the 'host' option when it is hostname,
and the empty string (which disables SNI) when it is an IP literal.
libinterimap: make SSL_verify check the hostname as well. 2020-12-11T10:20:41+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-10T18:39:10+00:00 265f133600e9812726a52ea3067409ed3578e882 More precisely, ensure that the certificate Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only verifying the chain of trust. This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version 1.0.2. 
More precisely, ensure that the certificate Subject Alternative Name
(SAN) or Subject CommonName (CN) matches the hostname or IP literal
specified by the 'host' option.  Previously it was only verifying the
chain of trust.

This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version
1.0.2.
test suite: always generate new certificates on `make test`. 2020-12-11T10:20:41+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-10T13:34:48+00:00 26e5c04abfb81bdcbd4d89d9f9329b8433920b26 In addition, sign test certificates with the same root CA. Hence running `make test` now requires OpenSSL 1.1.1 or later. 
In addition, sign test certificates with the same root CA.  Hence
running `make test` now requires OpenSSL 1.1.1 or later.
libinterimap: show the matching pinned SPKI in --debug mode. 2020-12-11T10:20:37+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-10T13:28:29+00:00 17b263c49df682fc45f0e50cceb01db4366ad9a7 






New test with a server offering both RSA+ECDSA certificates.
2020-12-09T14:29:59+00:00

Guilhem Moulin
guilhem@fripost.org

2020-12-09T14:11:45+00:00

51df40cf82c67ae828c325a42e28b3155fce9864

This requires dovecot-imapd 2.2.31 or later.

Certificate generated with:

      $ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \
            -out tests/snippets/dovecot/dovecot.ecdsa.key
      $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
            -key tests/snippets/dovecot/dovecot.ecdsa.key \
            -out tests/snippets/dovecot/dovecot.ecdsa.crt





This requires dovecot-imapd 2.2.31 or later.

Certificate generated with:

      $ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \
            -out tests/snippets/dovecot/dovecot.ecdsa.key
      $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
            -key tests/snippets/dovecot/dovecot.ecdsa.key \
            -out tests/snippets/dovecot/dovecot.ecdsa.crt







libinterimap: SSL_fingerprint now supports a space-separate list of digests to pin.
2020-12-09T14:29:54+00:00

Guilhem Moulin
guilhem@fripost.org

2020-12-09T14:06:37+00:00

a1ef66a76b4a6651b7371a9fd1e35f2f99e85bfa

And succeeds if, and only if, the peer certificate SPKI matches one of
the pinned digest values.  Specifying multiple digest values can key
useful in key rollover scenarios and/or when the server supports
certificates of different types (for instance RSA+ECDSA).





And succeeds if, and only if, the peer certificate SPKI matches one of
the pinned digest values.  Specifying multiple digest values can key
useful in key rollover scenarios and/or when the server supports
certificates of different types (for instance RSA+ECDSA).







test suite: use a RSA certificate rather than ECDSA.
2020-12-09T13:57:11+00:00

Guilhem Moulin
guilhem@fripost.org

2020-12-09T13:57:11+00:00

b13c9fa6f442f555af65f869b954935dae40fcc4

It's arguably the most common use-case.  Generated with

  $ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
  $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
        -key tests/snippets/dovecot/dovecot.rsa.key \
        -out tests/snippets/dovecot/dovecot.rsa.crt





It's arguably the most common use-case.  Generated with

  $ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
  $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
        -key tests/snippets/dovecot/dovecot.rsa.key \
        -out tests/snippets/dovecot/dovecot.rsa.crt







Upgrade URLs to secure HTTP.
2020-08-04T00:35:05+00:00

Guilhem Moulin
guilhem@fripost.org

2020-08-04T00:35:05+00:00

11cd204852f665670b5d4271eab86a3d9f5e5624












libinterimap: abort on PREAUTH greeting received on plaintext connections
2020-08-03T18:50:08+00:00

Guilhem Moulin
guilhem@fripost.org

2020-08-03T18:27:38+00:00

3b2939febdeb7f92051f95a3b08cf86e221ce21d

Set "STARTTLS = NO" to ignore.  This is similar to CVE-2020-12398 and
CVE-2020-14093.





Set "STARTTLS = NO" to ignore.  This is similar to CVE-2020-12398 and
CVE-2020-14093.







libinterimap: Fix response injection vulnerability after STARTTLS.
2020-08-03T18:30:46+00:00

Guilhem Moulin
guilhem@fripost.org

2020-08-03T17:20:05+00:00

bc43c0d9468a8d50ba141c8a965f9f07ed0456ff

For background see https://gitlab.com/muttmua/mutt/-/issues/248 .





For background see https://gitlab.com/muttmua/mutt/-/issues/248 .