aboutsummaryrefslogtreecommitdiffstats
path: root/tests/tls-verify-peer/t
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
committerGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
commitf4a60089cd7fdff73504a1f1f0afde642e77b735 (patch)
tree4fbbd58649eedea0485901753406caf0beb36836 /tests/tls-verify-peer/t
parent2e485797d8ec91a0a74ec1f1e2e8723cf74a586e (diff)
parent9cbaed6527c3030819976dbe41bfb4392d6a6fa2 (diff)
Merge tag 'v0.5.5' into debian/latest
Release version 0.5.5
Diffstat (limited to 'tests/tls-verify-peer/t')
-rw-r--r--tests/tls-verify-peer/t32
1 files changed, 27 insertions, 5 deletions
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 2461a1f..8326521 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -15,8 +15,9 @@ unverified_peer() {
[ -s "$TMPDIR/preverify" ] || error
! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error
- # make sure we didn't send any credentials
+ # make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+ grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
}
verified_peer() {
local i u
@@ -31,7 +32,7 @@ verified_peer() {
[ -s "$TMPDIR/preverify" ] || error
! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
- grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+ grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
grep "^remote: SSL cipher: " <"$STDERR" || error
check_mailbox_status "INBOX"
@@ -45,7 +46,9 @@ with_remote_config() {
}
step_start "peer verification enabled by default"
+# assume our fake root CA is not among OpenSSL's default trusted CAs
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
step_done
step_start "peer verification result honored when pinned pubkey matches"
@@ -53,13 +56,23 @@ with_remote_config <<-EOF
SSL_fingerprint = sha256\$$PKEY_SHA256
EOF
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
step_done
+
capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
-step_start "SSL_CAfile"
+step_start "SSL_CAfile/\$SSL_CERT_FILE"
+
+# verify that an error is raised when CAfile can't be loaded
+# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl))
+with_remote_config <<<"SSL_CAfile = /nonexistent"
+! interimap --debug || error
+grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
@@ -70,6 +83,10 @@ fi
with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF
@@ -79,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do
verified_peer
done
-# but not for other IPs or hostnames
+# but not for other hostnames or IPs
for host in "ip6-loopback" "127.0.1.1"; do
with_remote_config <<-EOF
host = $host
@@ -91,7 +108,8 @@ done
step_done
-step_start "SSL_CApath"
+step_start "SSL_CApath/\$SSL_CERT_DIR"
+
if [ -d "/etc/ssl/certs" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
@@ -104,6 +122,10 @@ c_rehash "$capath"
with_remote_config <<<"SSL_CApath = $capath"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_DIR="$capath" verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF