diff options
author | Guilhem Moulin <guilhem@debian.org> | 2020-12-26 23:33:12 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@debian.org> | 2020-12-26 23:33:12 +0100 |
commit | f4a60089cd7fdff73504a1f1f0afde642e77b735 (patch) | |
tree | 4fbbd58649eedea0485901753406caf0beb36836 /tests/tls-verify-peer/t | |
parent | 2e485797d8ec91a0a74ec1f1e2e8723cf74a586e (diff) | |
parent | 9cbaed6527c3030819976dbe41bfb4392d6a6fa2 (diff) |
Merge tag 'v0.5.5' into debian/latest
Release version 0.5.5
Diffstat (limited to 'tests/tls-verify-peer/t')
-rw-r--r-- | tests/tls-verify-peer/t | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t index 2461a1f..8326521 100644 --- a/tests/tls-verify-peer/t +++ b/tests/tls-verify-peer/t @@ -15,8 +15,9 @@ unverified_peer() { [ -s "$TMPDIR/preverify" ] || error ! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error - # make sure we didn't send any credentials + # make sure we didn't send any credentials or started speaking IMAP ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error + grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error } verified_peer() { local i u @@ -31,7 +32,7 @@ verified_peer() { [ -s "$TMPDIR/preverify" ] || error ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error - grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error + grep "^remote: SSL protocol: TLSv" <"$STDERR" || error grep "^remote: SSL cipher: " <"$STDERR" || error check_mailbox_status "INBOX" @@ -45,7 +46,9 @@ with_remote_config() { } step_start "peer verification enabled by default" +# assume our fake root CA is not among OpenSSL's default trusted CAs unverified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error step_done step_start "peer verification result honored when pinned pubkey matches" @@ -53,13 +56,23 @@ with_remote_config <<-EOF SSL_fingerprint = sha256\$$PKEY_SHA256 EOF unverified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error step_done + capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX) cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt" -step_start "SSL_CAfile" +step_start "SSL_CAfile/\$SSL_CERT_FILE" + +# verify that an error is raised when CAfile can't be loaded +# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl)) +with_remote_config <<<"SSL_CAfile = /nonexistent" +! interimap --debug || error +grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error +grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error + if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then # assume our fake root CA is not there with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt" @@ -70,6 +83,10 @@ fi with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt" verified_peer +with_remote_config </dev/null +SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error + # hostnames and IPs included in the subjectAltName should work as well for host in "ip6-localhost" "127.0.0.1" "::1"; do with_remote_config <<-EOF @@ -79,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do verified_peer done -# but not for other IPs or hostnames +# but not for other hostnames or IPs for host in "ip6-loopback" "127.0.1.1"; do with_remote_config <<-EOF host = $host @@ -91,7 +108,8 @@ done step_done -step_start "SSL_CApath" +step_start "SSL_CApath/\$SSL_CERT_DIR" + if [ -d "/etc/ssl/certs" ]; then # assume our fake root CA is not there with_remote_config <<<"SSL_CApath = /etc/ssl/certs" @@ -104,6 +122,10 @@ c_rehash "$capath" with_remote_config <<<"SSL_CApath = $capath" verified_peer +with_remote_config </dev/null +SSL_CERT_DIR="$capath" verified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error + # hostnames and IPs included in the subjectAltName should work as well for host in "ip6-localhost" "127.0.0.1" "::1"; do with_remote_config <<-EOF |