aboutsummaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-10 19:39:10 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-11 11:20:41 +0100
commit265f133600e9812726a52ea3067409ed3578e882 (patch)
treea4612e7207515bf090444bb0db78ebf989842283 /doc
parent84d1829fd0f955cf9fb7add54f60fc314b0d42b1 (diff)
libinterimap: make SSL_verify check the hostname as well.
More precisely, ensure that the certificate Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only verifying the chain of trust. This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version 1.0.2.
Diffstat (limited to 'doc')
-rw-r--r--doc/build.md2
-rw-r--r--doc/interimap.1.md14
-rw-r--r--doc/pullimap.1.md14
3 files changed, 19 insertions, 11 deletions
diff --git a/doc/build.md b/doc/build.md
index 4a4f80d..47d1a89 100644
--- a/doc/build.md
+++ b/doc/build.md
@@ -24,7 +24,7 @@ following Perl modules:
* [`Getopt::Long`](https://perldoc.perl.org/Getopt/Long.html) (*core module*)
* [`MIME::Base64`](https://perldoc.perl.org/MIME/Base64.html) (*core module*) — if authentication is required
* [`List::Util`](https://perldoc.perl.org/List/Util.html) (*core module*)
- * [`Net::SSLeay`](https://metacpan.org/pod/Net::SSLeay) ≥1.73
+ * [`Net::SSLeay`](https://metacpan.org/pod/Net::SSLeay) ≥1.83
* [`POSIX`](https://perldoc.perl.org/POSIX.html) (*core module*)
* [`Socket`](https://perldoc.perl.org/Socket.html) (*core module*)
* [`Time::HiRes`](https://perldoc.perl.org/Time/HiRes.html) (*core module*) — if `logfile` is set
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index ab35275..d21424b 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -420,15 +420,19 @@ Valid options are:
*SSL_verify*
-: Whether to verify the server certificate chain.
+: Whether to verify the server certificate chain, and match its
+ Subject Alternative Name (SAN) or Subject CommonName (CN) against
+ the value of the *host* option.
+ (Default: `YES`.)
+
Note that using *SSL_fingerprint* to specify the fingerprint of the
server certificate provides an independent server authentication
- measure as it ignores the CA chain.
- (Default: `YES`.)
+ measure as it pins directly its key material and ignore its chain of
+ trust.
*SSL_CApath*
-: Directory to use for server certificate verification if
+: Directory to use for server certificate verification when
`SSL_verify=YES`.
This directory must be in “hash format”, see [`verify`(1ssl)] for
more information.
@@ -436,7 +440,7 @@ Valid options are:
*SSL_CAfile*
: File containing trusted certificates to use during server
- certificate verification if `SSL_verify=YES`.
+ certificate verification when `SSL_verify=YES`.
Supported extensions {#supported-extensions}
====================
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index 57790a6..bcf5ade 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -239,15 +239,19 @@ Valid options are:
*SSL_verify*
-: Whether to verify the server certificate chain.
+: Whether to verify the server certificate chain, and match its
+ Subject Alternative Name (SAN) or Subject CommonName (CN) against
+ the value of the *host* option.
+ (Default: `YES`.)
+
Note that using *SSL_fingerprint* to specify the fingerprint of the
server certificate provides an independent server authentication
- measure as it ignores the CA chain.
- (Default: `YES`.)
+ measure as it pins directly its key material and ignore its chain of
+ trust.
*SSL_CApath*
-: Directory to use for server certificate verification if
+: Directory to use for server certificate verification when
`SSL_verify=YES`.
This directory must be in “hash format”, see [`verify`(1ssl)] for
more information.
@@ -255,7 +259,7 @@ Valid options are:
*SSL_CAfile*
: File containing trusted certificates to use during server
- certificate verification if `SSL_verify=YES`.
+ certificate verification when `SSL_verify=YES`.
Control flow {#control-flow}
============