author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-11 18:28:32 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-11 18:44:13 +0100 |
commit | ed263d4a380036b654525ee268db615c17d0d216 (patch) | |
tree | 5c85ed20e3405a994293d4e0b8cc688b7fd2c3ee | |
parent | b99cd2fd12bc3a2c6b858e65182a47a4ef27dba2 (diff) |
test suite: supply our own OpenSSL configuration file with MinProtocol=None.
So we can test TLSv1 as well, not just TLSv1.2 and later.
Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running the TLS tests now requires
Dovecot 2.3 or later.
-rw-r--r-- | Changelog | 6 | ||||
-rw-r--r-- | tests/config/dovecot/ssl.conf | 1 | ||||
-rw-r--r-- | tests/config/openssl.cnf | 14 | ||||
-rwxr-xr-x | tests/run | 4 | ||||
-rw-r--r-- | tests/starttls/t | 2 | ||||
-rw-r--r-- | tests/tls-verify-peer/t | 2 | ||||
-rw-r--r-- | tests/tls/t | 2 |
7 files changed, 27 insertions, 4 deletions
@@ -9,6 +9,12 @@ interimap (0.5.5) upstream;
 - libinterimap: use Net::SSLeay::get_version() to get the protocol version string.
 - test suite: `mv tests/snippets tests/config`
+ - test suite: supply our own OpenSSL configuration file with
+ MinProtocol=None so we can test TLSv1 as well, not just TLSv1.2 and
+ later.
+ - test suite: explicitly set ssl_min_protocol=TLSv1 in the Dovecot
+ configuration file (the default as of 2.3.11.3), hence running TLS
+ tests now require Dovecot 2.3 or later.
 -- Guilhem Moulin <guilhem@fripost.org> Fri, 11 Dec 2020 14:55:53 +0100
diff --git a/tests/config/dovecot/ssl.conf b/tests/config/dovecot/ssl.conf
index 2d68c80..3fd99d5 100644
--- a/tests/config/dovecot/ssl.conf
+++ b/tests/config/dovecot/ssl.conf
@@ -2,3 +2,4 @@ ssl = required
 ssl_cert = <dovecot.rsa.crt
 ssl_key = <dovecot.rsa.key
 ssl_dh = <dhparams.pem
+ssl_min_protocol = TLSv1
diff --git a/tests/config/openssl.cnf b/tests/config/openssl.cnf
new file mode 100644
index 0000000..980097d
--- /dev/null
+++ b/tests/config/openssl.cnf
@@ -0,0 +1,14 @@
+# as we want to test TLSv1 we need to set MinProtocol=None, see
+# see /usr/share/doc/libssl1.1/NEWS.Debian.gz
+
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = None
+CipherString = DEFAULT
@@ -57,11 +57,13 @@ mkdir -- "$TMPDIR" "$ROOTDIR/home"
 declare -a REMOTES=()
 # Set environment for the given user
+OPENSSL_CONF="$BASEDIR/config/openssl.cnf"
 environ_set() {
 local user="$1" home
 eval home="\$HOME_$user"
 ENVIRON=(
 PATH="$PATH"
+ OPENSSL_CONF="$OPENSSL_CONF"
 USER="$user"
 HOME="$home"
 XDG_CONFIG_HOME="$home/.config"
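Review bot: In tests/config/dovecot/ssl.conf the added `ssl_min_protocol = TLSv1` has no comment saying that the low protocol floor is deliberate and only meant for the test suite. The commit message states that the setting needs Dovecot 2.3 or later, and that is worth recording next to the line as well, since an older server would presumably reject the setting at startup instead of skipping the TLS tests. Suggested comment above the line: `# test suite only: allow TLSv1 so legacy-protocol handling can be exercised; needs Dovecot >= 2.3`.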
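Review bot: The header comment of tests/config/openssl.cnf repeats "see" across its two lines and does not say that the file is meant for the test harness only. `MinProtocol = None` removes the protocol floor for every process that loads this file, and `CipherString = DEFAULT` replaces whatever cipher string and security level the distribution's own openssl.cnf sets (on Debian that is `DEFAULT@SECLEVEL=2`, as far as I know), so the second setting has an effect the comment does not mention. I would reword the comment to `# Test suite only: lift the distribution's protocol floor and security level so TLSv1 can be negotiated; see /usr/share/doc/libssl1.1/NEWS.Debian.gz` and keep the file out of any installed path.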
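Review bot: Nothing in tests/run checks that `$OPENSSL_CONF` names a readable file before it is placed in `ENVIRON` in this hunk and exported in the later hunk at new line 445. `BASEDIR` is defined outside the hunk, so it is not visible whether the path is absolute; if it is relative or the file is missing, OpenSSL's default configuration loading ignores a missing file (as far as I know) and the suite would run under the system policy without reporting it. A guard right after the assignment, such as `[ -r "$OPENSSL_CONF" ] || { echo "missing $OPENSSL_CONF" >&2; exit 1; }`, makes that failure visible. The body of environ_set continues past the end of the hunk.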
@@ -443,7 +445,7 @@ passed() {
 # Run test in a sub-shell
 declare -a ENVIRON=()
 environ_set "local"
-export TMPDIR TESTDIR STDERR "${ENVIRON[@]}"
+export TMPDIR TESTDIR STDERR "${ENVIRON[@]}" OPENSSL_CONF
 export -f environ_set doveadm interimap interimap_init pullimap _interimap_cmd
 export -f sqlite3 sample_message deliver ptree_abort step_start step_done passed
 export -f check_mailbox_status check_mailbox_status_values check_mailbox_status2
diff --git a/tests/starttls/t b/tests/starttls/t
index 55caf99..62b2151 100644
--- a/tests/starttls/t
+++ b/tests/starttls/t
@@ -22,7 +22,7 @@ grep -Fx "remote: C: 000000 STARTTLS" <"$STDERR" || error
 grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error
 grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
-grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
 check_mailbox_status "INBOX"
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 2461a1f..17018a6 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -31,7 +31,7 @@ verified_peer() {
 [ -s "$TMPDIR/preverify" ] || error
 ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
- grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+ grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
 check_mailbox_status "INBOX"
diff --git a/tests/tls/t b/tests/tls/t
index 76f7c14..a674b28 100644
--- a/tests/tls/t
+++ b/tests/tls/t
@@ -9,7 +9,7 @@ done
 interimap --debug || error
 grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
-grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
 check_mailbox_status "INBOX" |
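Review bot: The relaxed pattern `^remote: SSL protocol: TLSv` in tests/starttls/t no longer asserts which protocol version was negotiated, so the test would still pass if a connection expected to use TLSv1.2 or TLSv1.3 were downgraded to TLSv1; the same change is made in tests/tls-verify-peer/t and tests/tls/t. If the intent is only to admit the older versions, the version and the trailing space can stay in the match, for example `grep -E "^remote: SSL protocol: TLSv1(\.[123])? " <"$STDERR" || error`. Where a test does not restrict the protocol on either side, asserting the highest version both ends support would keep downgrade detection in place.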