authorGuilhem Moulin <guilhem@fripost.org>2019-11-10 05:39:41 +0100
committerGuilhem Moulin <guilhem@fripost.org>2019-11-13 06:23:57 +0100
commita7c364bf90a4593cfbc7911b1b7536dc66b1c879 (patch)
tree8af995ed7f8db9bcbdad33e4601775a2b80eb7e4 /tests/tls-verify-peer/t
parentb7514eeac609a7e99c66031f853f695bb82c990a (diff)
Test suite: add new tests for SSL/TLS.
SSL connections are accepted on TCP port 10993. Also, fix STARTTLS directive, broken since fba1c36…
Diffstat (limited to 'tests/tls-verify-peer/t')
-rw-r--r--tests/tls-verify-peer/t80
1 files changed, 80 insertions, 0 deletions
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
new file mode 100644
index 0000000..d84328a
--- /dev/null
+++ b/tests/tls-verify-peer/t
@@ -0,0 +1,80 @@
+CERT=~/.dovecot/conf.d/dovecot.pem
+
+unverified_peer() {
+ ! interimap --debug || error
+
+ grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
+ sed -nr "s/remote: \[[0-9]+\] (preverify=[0-9]+)$/\1/p" <"$STDERR" >"$TMPDIR/preverify"
+ [ -s "$TMPDIR/preverify" ] || error
+ ! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error
+
+ # make sure we didn't send any credentials
+ ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+}
+verified_peer() {
+ local i u
+ for ((i = 0; i < 32; i++)); do
+ u="$(shuf -n1 -e "local" "remote")"
+ sample_message | deliver -u "$u"
+ done
+ interimap --debug || error
+
+ sed -nr "s/remote: \[[0-9]+\] (preverify=[0-9]+)$/\1/p" <"$STDERR" >"$TMPDIR/preverify"
+ [ -s "$TMPDIR/preverify" ] || error
+ ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
+
+ grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+ grep "^remote: SSL cipher: " <"$STDERR" || error
+
+ check_mailbox_status "INBOX"
+}
+
+# backup config
+install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
+with_remote_config() {
+ install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+ cat >>"$XDG_CONFIG_HOME/interimap/config"
+}
+
+step_start "peer verification enabled by default"
+unverified_peer
+step_done
+
+step_start "peer verification result honored when pinned pubkey matches"
+pkey_sha256="$(openssl x509 -pubkey <"$CERT" | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
+with_remote_config <<-EOF
+ SSL_fingerprint = sha256\$$pkey_sha256
+EOF
+unverified_peer
+! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
+step_done
+
+
+step_start "SSL_CAfile"
+if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
+ # the self-signed cert should not be in there
+ with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
+ unverified_peer
+fi
+with_remote_config <<<"SSL_CAfile = $CERT"
+verified_peer
+step_done
+
+
+step_start "SSL_CApath"
+if [ -d "/etc/ssl/certs" ]; then
+ # the self-signed cert should not be in there
+ with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
+ unverified_peer
+fi
+
+capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
+cp -t"$capath" "$CERT"
+c_rehash "$capath"
+
+with_remote_config <<<"SSL_CApath = $capath"
+verified_peer
+step_done
+
+# vim: set filetype=sh :
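Review bot: `pkey_sha256`, computed by the `openssl x509 | openssl pkey | openssl dgst | sed` pipeline in the "pinned pubkey matches" step, is never checked for emptiness, so a failing stage would silently write `SSL_fingerprint = sha256$` and the step's expectation (`unverified_peer`, no mismatch warning) might still pass for the wrong reason; add `[ -n "$pkey_sha256" ] || error` before the `with_remote_config <<-EOF` call. The `SSL_CApath` step depends on `c_rehash`, which OpenSSL ships as a legacy Perl helper; if the project's minimum OpenSSL is 1.1.0 or later, `openssl rehash "$capath"` would drop that dependency — worth confirming. `with_remote_config` appends to the end of the config file, which presumably only reaches the remote section if that section is last in the backed-up config; a comment such as `# appended lines land in the last section of the config, assumed to be [remote]` above the function would make that assumption explicit.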