diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:34:00 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:34:00 +0100 |
| commit | 96c540042718e05161f03dd7edeaf0ae8820d3ce (patch) | |
| tree | 44e65a9b7e477d1a414426f71e936c6533c26297 /tests/tls-rsa+ecdsa | |
| parent | 34142cae2430d7b38a2542939709bbbc4a509703 (diff) | |
| parent | bb58678ba034e56f88db7202bf4e29ef3bd1bebd (diff) | |
Merge tag 'upstream/0.5.3' into debian
Upstream version 0.5.3
Diffstat (limited to 'tests/tls-rsa+ecdsa')
| l--------- | tests/tls-rsa+ecdsa/interimap.remote | 1 | ||||
| -rw-r--r-- | tests/tls-rsa+ecdsa/remote.conf | 5 | ||||
| -rw-r--r-- | tests/tls-rsa+ecdsa/t | 49 |
3 files changed, 55 insertions, 0 deletions
diff --git a/tests/tls-rsa+ecdsa/interimap.remote b/tests/tls-rsa+ecdsa/interimap.remote new file mode 120000 index 0000000..daf3741 --- /dev/null +++ b/tests/tls-rsa+ecdsa/interimap.remote @@ -0,0 +1 @@ +../tls/interimap.remote
\ No newline at end of file diff --git a/tests/tls-rsa+ecdsa/remote.conf b/tests/tls-rsa+ecdsa/remote.conf new file mode 100644 index 0000000..72ca135 --- /dev/null +++ b/tests/tls-rsa+ecdsa/remote.conf @@ -0,0 +1,5 @@ +!include conf.d/imapd.conf +!include conf.d/ssl.conf + +ssl_alt_cert = <conf.d/dovecot.ecdsa.crt +ssl_alt_key = <conf.d/dovecot.ecdsa.key diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t new file mode 100644 index 0000000..29352e9 --- /dev/null +++ b/tests/tls-rsa+ecdsa/t @@ -0,0 +1,49 @@ +doveconf_remote() { + doveconf -c "$HOME_remote/.dovecot/config" -hx "$1" +} +pkey_sha256() { + openssl x509 -pubkey | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}" +} +x509_sha256() { + openssl x509 -noout -fingerprint -sha256 \ + | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]" +} + +PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)" +X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)" +PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)" +X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)" + +# pinned valid fingerprints +cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF + SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256 +EOF + +for ((i = 0; i < 32; i++)); do + u="$(shuf -n1 -e "local" "remote")" + sample_message | deliver -u "$u" +done +interimap_init +check_mailbox_status "INBOX" + +interimap --debug || error +# which peer certificate is used is up to libssl +grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \ + -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \ + <"$STDERR" || error + +# force RSA (XXX do we really have to force TLSv1.2 here?) +cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF + SSL_protocols = TLSv1.2 + SSL_cipherlist = EECDH+AESGCM+aRSA +EOF +interimap --debug || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error + +# force ECDSA +sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config" +interimap --debug || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error + +# vim: set filetype=sh : |