aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-17 17:38:17 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-17 17:41:30 +0100
commit57988c83bb4b3f1780f045880ac4a8f36a51c55c (patch)
treed456a8526a72381f320864df6009cdaed07951fc
parent1a19feb7a4b3d70f44e4e1fb0f9920b063842422 (diff)
libinterimap: new option SSL_ciphersuites to set the TLSv1.3 ciphersuites.
Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below. See SSL_CTX_set_cipher_list(3ssl).
-rw-r--r--Changelog3
-rw-r--r--doc/interimap.1.md12
-rw-r--r--doc/pullimap.1.md12
-rw-r--r--lib/Net/IMAP/InterIMAP.pm4
-rw-r--r--tests/list1
l---------tests/tls-ciphers/interimap.remote1
l---------tests/tls-ciphers/remote.conf1
-rw-r--r--tests/tls-ciphers/t31
-rw-r--r--tests/tls-rsa+ecdsa/t4
9 files changed, 58 insertions, 11 deletions
diff --git a/Changelog b/Changelog
index afee1ca..29ca360 100644
--- a/Changelog
+++ b/Changelog
@@ -18,6 +18,9 @@ interimap (0.5.5) upstream;
settings SSL_protocol_{min,max} are not used, however it's cumbersome
to do individual checks for specific settings, let alone maintain
test coverage with multiple OpenSSL versions.
+ * libinterimap: new option SSL_ciphersuites to set the TLSv1.3
+ ciphersuites; also, clarify that SSL_cipherlist only applies to
+ TLSv1.2 and below, see SSL_CTX_set_cipher_list(3ssl).
+ `make release`: also bump libinterimap version and pin it in 'use'
declarations.
+ Make error messages more uniform and consistent.
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index ae6224b..2d588ae 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -401,12 +401,14 @@ Valid options are:
`TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
version used.
-*SSL_cipherlist*
+*SSL_cipherlist*, *SSL_ciphersuites*
-: The cipher list to send to the server. Although the server
- determines which cipher suite is used, it should take the first
- supported cipher in the list sent by the client. See
- [`ciphers`(1ssl)] for more information.
+: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
+ The combination of these lists is sent to the server, which then
+ determines which cipher to use (normally the first supported one
+ from the list sent by the client). The default suites depend on the
+ OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
+ more information.
*SSL_fingerprint*
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index b0bc2fd..89969b2 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -220,12 +220,14 @@ Valid options are:
`TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
version used.
-*SSL_cipherlist*
+*SSL_cipherlist*, *SSL_ciphersuites*
-: The cipher list to send to the server. Although the server
- determines which cipher suite is used, it should take the first
- supported cipher in the list sent by the client. See
- [`ciphers`(1ssl)] for more information.
+: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
+ The combination of these lists is sent to the server, which then
+ determines which cipher to use (normally the first supported one
+ from the list sent by the client). The default suites depend on the
+ OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
+ more information.
*SSL_fingerprint*
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 856c5c8..09f510f 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -67,6 +67,7 @@ my %OPTIONS = (
SSL_protocol_max => qr/\A(\P{Control}+)\z/,
SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+(?: (?:[A-Za-z0-9]+\$)?\p{AHex}+)*)\z/,
SSL_cipherlist => qr/\A(\P{Control}+)\z/,
+ SSL_ciphersuites => qr/\A(\P{Control}*)\z/, # "an empty list is permissible"
SSL_hostname => qr/\A(\P{Control}*)\z/,
SSL_verify => qr/\A(YES|NO)\z/i,
SSL_CApath => qr/\A(\P{Control}+)\z/,
@@ -1766,6 +1767,9 @@ sub _start_ssl($$) {
if (defined (my $str = $self->{SSL_cipherlist})) {
$self->_ssl_error("SSL_CTX_set_cipher_list()") unless Net::SSLeay::CTX_set_cipher_list($ctx, $str) == 1;
}
+ if (defined (my $str = $self->{SSL_ciphersuites})) {
+ $self->_ssl_error("SSL_CTX_set_ciphersuites()") unless Net::SSLeay::CTX_set_ciphersuites($ctx, $str) == 1;
+ }
my $vpm = Net::SSLeay::X509_VERIFY_PARAM_new() or $self->_ssl_error("X509_VERIFY_PARAM_new()");
my $purpose = Net::SSLeay::X509_PURPOSE_SSL_SERVER();
diff --git a/tests/list b/tests/list
index cb31a73..d1058ba 100644
--- a/tests/list
+++ b/tests/list
@@ -54,6 +54,7 @@ split-set Split large sets to avoid extra-long command lines
tls-rsa+ecdsa pubkey fingerprint pinning for dual-cert RSA+ECDSA
tls-sni TLS servername extension (SNI)
tls-protocols force TLS protocol versions
+ tls-ciphers force TLS cipher list/suites
. Live synchronization (60s)
sync-live local/remote simulation
diff --git a/tests/tls-ciphers/interimap.remote b/tests/tls-ciphers/interimap.remote
new file mode 120000
index 0000000..daf3741
--- /dev/null
+++ b/tests/tls-ciphers/interimap.remote
@@ -0,0 +1 @@
+../tls/interimap.remote \ No newline at end of file
diff --git a/tests/tls-ciphers/remote.conf b/tests/tls-ciphers/remote.conf
new file mode 120000
index 0000000..6029749
--- /dev/null
+++ b/tests/tls-ciphers/remote.conf
@@ -0,0 +1 @@
+../tls/remote.conf \ No newline at end of file
diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t
new file mode 100644
index 0000000..0dfc771
--- /dev/null
+++ b/tests/tls-ciphers/t
@@ -0,0 +1,31 @@
+# backup config
+install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
+with_remote_config() {
+ install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+ cat >>"$XDG_CONFIG_HOME/interimap/config"
+}
+
+with_remote_config <<-EOF
+ SSL_protocol_max = TLSv1.2
+ SSL_cipherlist = DHE-RSA-AES128-SHA256:ALL:!COMPLEMENTOFDEFAULT:!eNULL
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || error
+
+with_remote_config <<-EOF
+ SSL_protocol_max = TLSv1.2
+ SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL
+ SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error
+
+with_remote_config <<-EOF
+ SSL_protocol_min = TLSv1.3
+ SSL_cipherlist = DHE-RSA-AES128-SHA256
+ SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error
+
+# vim: set filetype=sh :
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
index 8b811fd..c9f5b96 100644
--- a/tests/tls-rsa+ecdsa/t
+++ b/tests/tls-rsa+ecdsa/t
@@ -36,7 +36,9 @@ grep -Fx -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_S
-e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_ALT_SHA256" \
<"$STDERR" || error
-# force RSA (XXX do we really have to force TLSv1.2 here?)
+# force RSA
+# XXX we also have to force TLS <=1.2 here as the TLSv1.3 ciphersuites
+# don't specify the certificate type (nor key exchange)
cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
SSL_protocol_max = TLSv1.2
SSL_cipherlist = EECDH+AESGCM+aRSA