authorGuilhem Moulin <guilhem@fripost.org>2020-12-10 19:39:10 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-11 11:20:41 +0100
commit265f133600e9812726a52ea3067409ed3578e882 (patch)
treea4612e7207515bf090444bb0db78ebf989842283 /tests/certs
parent84d1829fd0f955cf9fb7add54f60fc314b0d42b1 (diff)
libinterimap: make SSL_verify check the hostname as well.
More precisely, ensure that the certificate Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously only the chain of trust was verified. This bumps the minimum Net::SSLeay version to 1.83 and the minimum OpenSSL version to 1.0.2.
Diffstat (limited to 'tests/certs')
-rwxr-xr-xtests/certs/generate7
1 files changed, 5 insertions, 2 deletions
diff --git a/tests/certs/generate b/tests/certs/generate
index 19463d5..6457765 100755
--- a/tests/certs/generate
+++ b/tests/certs/generate
@@ -20,19 +20,22 @@ SERIAL=1
new() {
local key="$1" cn="$2"
openssl req -new -rand /dev/urandom -key "$key" \
- -subj "/OU=$OU/CN=$cn" \
+ -subj "/OU=$OU/CN=$cn" ${3+-addext subjectAltName="$3"} \
-out "$cadir/new.csr"
cat >"$cadir/new-ext.cnf" <<-EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
EOF
+ if [ -n "${3+x}" ]; then
+ printf "subjectAltName = %s\\n" "$3" >>"$cadir/new-ext.cnf"
+ fi
openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \
-CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf"
}
openssl genpkey -algorithm RSA -out ./dovecot.rsa.key
-new ./dovecot.rsa.key "localhost" >./dovecot.rsa.crt
+new ./dovecot.rsa.key "localhost" "DNS:localhost,DNS:ip6-localhost,IP:127.0.0.1,IP:::1" >./dovecot.rsa.crt
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -out ./dovecot.ecdsa.key
new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt
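Review bot: The `${3+-addext subjectAltName="$3"}` expansion on the `-subj` line is deliberately unquoted so it splits into two words, which also exposes the SAN value to pathname expansion and breaks if it ever contains whitespace; a wildcard entry such as `DNS:*.example.com` would be globbed against the working directory before reaching openssl. Since the same value is appended to `new-ext.cnf` and the signing step takes its extensions from `-extfile` (request extensions are not carried over by `openssl x509 -req` without the 3.0+ `-copy_extensions` option), the `-addext` looks redundant for the issued certificate and could be dropped, `-subj "/OU=$OU/CN=$cn" \`, which also avoids the dependency on `openssl req -addext` (OpenSSL 1.1.1+); if the CSR itself must carry the SAN, an `if` with two separate `openssl req` invocations keeps every argument quoted. Separately, `dovecot.ecdsa.crt` is still issued with only CN=localhost and no SAN, so hostname verification against it relies on the CN fallback rather than a SAN match — worth confirming that this asymmetry between the RSA and ECDSA test certificates is intended.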