aboutsummaryrefslogtreecommitdiffstats
path: root/Changelog
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
committerGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
commitf4a60089cd7fdff73504a1f1f0afde642e77b735 (patch)
tree4fbbd58649eedea0485901753406caf0beb36836 /Changelog
parent2e485797d8ec91a0a74ec1f1e2e8723cf74a586e (diff)
parent9cbaed6527c3030819976dbe41bfb4392d6a6fa2 (diff)
Merge tag 'v0.5.5' into debian/latest
Release version 0.5.5
Diffstat (limited to 'Changelog')
-rw-r--r--Changelog67
1 files changed, 58 insertions, 9 deletions
diff --git a/Changelog b/Changelog
index 28a1ef4..cba8719 100644
--- a/Changelog
+++ b/Changelog
@@ -1,18 +1,67 @@
+interimap (0.5.5) upstream;
+
+ * libinterimap: remove default SSL_protocols value "!SSLv2 !SSLv3
+ !TLSv1 !TLSv1.1" and use the system default instead. As of Debian
+ Buster (OpenSSL 1.1.1) this does not make a difference, however using
+ the system default provides better compatibility with future libssl
+ versions.
+ * libinterimap: deprecate SSL_protocols, obsoleted by new settings
+ SSL_protocol_{min,max}. Using the libssl interface simplifies our
+ protocol black/whitelist greatly; this only allows simple min/max
+ bounds, but holes are arguably not very useful here.
+ * libinterimap: use default locations for trusted CA certificates when
+ neither CAfile nor CApath are set. In particular, OpenSSL's default
+ locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR
+ environment variables, see SSL_CTX_load_verify_locations(3ssl).
+ * libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0.
+ It could in principle still work with earlier versions if the new
+ settings SSL_protocol_{min,max} are not used, however it's cumbersome
+ to do individual checks for specific settings, let alone maintain
+ test coverage with multiple OpenSSL versions.
+ * libinterimap: new option SSL_ciphersuites to set the TLSv1.3
+ ciphersuites; also, clarify that SSL_cipherlist only applies to
+ TLSv1.2 and below, see SSL_CTX_set_cipher_list(3ssl).
+ + `make release`: also bump libinterimap version and pin it in 'use'
+ declarations.
+ + Make error messages more uniform and consistent.
+ - libinterimap: use Net::SSLeay::get_version() to get the protocol
+ version string.
+ - test suite: `mv tests/snippets tests/config`
+ - tests/tls-protocols: use custom OpenSSL configuration file with
+ MinProtocol=None so we can test TLSv1 as well, not just TLSv1.2 and
+ later.
+ - test suite: explicitly set ssl_min_protocol=TLSv1 in the Dovecot
+ configuration file (the default as of 2.3.11.3), hence running TLS
+ tests now require Dovecot 2.3 or later.
+ - documentation: simplify SSL options in the sample configuration files.
+ - README: suggest 'restrict,command="/usr/bin/doveadm exec imap"' as
+ authorized_keys(5) options.
+ - README: suggest ControlPath=$XDG_RUNTIME_DIR/ssh-imap-%C for the SSH
+ transport (note that variable expansion is only available in OpenSSH
+ 8.4 and later).
+ - test suite: ensure we haven't started speaking IMAP when the SSL/TLS
+ handshake is aborted (unless STARTTLS is used to upgrade to
+ connection).
+ - documentation: clarify that known TLS protocol versions depend on the
+ OpenSSL version used.
+
+ -- Guilhem Moulin <guilhem@fripost.org> Sat, 26 Dec 2020 23:11:10 +0100
+
interimap (0.5.4) upstream;
* libinterimap: make SSL_verify also checks that the certificate
Subject Alternative Name (SAN) or Subject CommonName (CN) matches the
hostname or IP literal specified by the 'host' option. Previously it
was only checking the chain of trust. This bumps the minimum
- Net::SSLeay version to 1.83 and OpenSSL version 1.0.2.
+ Net::SSLeay version to 1.83 and OpenSSL version to 1.0.2 (when
+ SSL_verify is used).
* libinterimap: add support for the TLS SNI (Server Name Indication)
extension, controlled by the new 'SSL_hostname' option. The default
value of that option is the value of the 'host' option when it is
hostname, and the empty string (which disables SNI) when it is an IP
literal.
+ libinterimap: show the matching pinned SPKI in --debug mode.
- + test suite: always generate new certificates on `make test`. Hence
- running `make test` now requires OpenSSL 1.1.1 or later.
+ + test suite: always generate new certificates on `make test`.
+ test suite: sign all test certificates with the same root CA.
+ libinterimap: factor out hostname/IP parsing.
+ document that enclosing 'host' value in square brackets forces its
@@ -26,7 +75,7 @@ interimap (0.5.4) upstream;
interimap (0.5.3) upstream;
- * libinterimap: SSL_fingerprint now supports a space-separate list of
+ * libinterimap: SSL_fingerprint now supports a space-separated list of
digests to pin, and succeeds if, and only if, the peer certificate
SPKI matches one of the pinned digest values. Specifying multiple
digest values can key useful in key rollover scenarios and/or when
@@ -75,7 +124,7 @@ interimap (0.5) upstream;
(regardless of the hierarchy delimiter in use).
Other changes:
- * interimap: the space-speparated list of names and/or patterns in
+ * interimap: the space-separated list of names and/or patterns in
'list-mailbox' can now contain C-style escape sequences (backslash
and hexadecimal escape).
* interimap: fail when two non-INBOX LIST replies return different
@@ -83,7 +132,7 @@ interimap (0.5) upstream;
happen if mailboxes from different namespaces are being listed. The
workaround here is to run a new interimap instance for each
namespace.
- * libinterimap: in tunnel mode, use a socketpair rather than two pipes
+ * libinterimap: in tunnel mode, use a socket pair rather than two pipes
for IPC between the interimap and the IMAP server. Also, use
SOCK_CLOEXEC to save an fcntl() call when setting the close-on-exec
flag on the socket.
@@ -146,7 +195,7 @@ interimap (0.5) upstream;
- libinterimap: use directories relative to $HOME for the XDG
environment variables default values. Previously getpwuid() was
called to determine the user's home directory, while the XDG
- specification explicitely mentions $HOME. Conveniently our docs
+ specification explicitly mentions $HOME. Conveniently our docs
always mentioned ~/, which on POSIX-compliant systems expands to the
value of the variable HOME. (Cf. Shell and Utilities volume of
POSIX.1-2017, sec. 2.6.1.)
@@ -160,7 +209,7 @@ interimap (0.5) upstream;
- libinterimap: push_flag_updates(): ignore UIDs for which no untagged
FETCH response was received.
- libinterimap: push_flag_updates(): don't ignores received updates (by
- another client) to a superset of the desigred flag list.
+ another client) to a superset of the desired flag list.
- libinterimap: avoid sending large UID EXPUNGE|FETCH|STORE commands as
they might exceed the server's max acceptable command size; these
commands are now split into multiple (sequential) commands when their
@@ -170,7 +219,7 @@ interimap (0.5) upstream;
This is a also a workaround for a bug in Dovecot 2.3.4:
https://dovecot.org/pipermail/dovecot/2019-November/117522.html
- interimap: for the reason explained above, limit number of messages
- to 128 per APPEND command (only on servers advertizing MULTIAPPEND,
+ to 128 per APPEND command (only on servers advertising MULTIAPPEND,
for other servers the number remains 1).
- interimap: gracefully ignore messages with a NIL RFC822 attribute.
- pullimap: treat messages with a NIL RFC822 attribute as empty.