author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 14:57:11 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 14:57:11 +0100 |
commit | b13c9fa6f442f555af65f869b954935dae40fcc4 (patch) | |
tree | 18134835502271153c51fa7d0fb60e1c454016e7 /tests/tls-verify-peer | |
parent | 1630f2387c52a0ac460922eda6535165fdb279d1 (diff) |
test suite: use a RSA certificate rather than ECDSA.
It's arguably the most common use-case. Generated with
$ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
$ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
-key tests/snippets/dovecot/dovecot.rsa.key \
-out tests/snippets/dovecot/dovecot.rsa.crt
Diffstat (limited to 'tests/tls-verify-peer')
-rw-r--r-- | tests/tls-verify-peer/t | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index d84328a..9e4d9fa 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -1,5 +1,3 @@ -CERT=~/.dovecot/conf.d/dovecot.pem - unverified_peer() { ! interimap --debug || error
@@ -41,36 +39,38 @@ unverified_peer step_done step_start "peer verification result honored when pinned pubkey matches" -pkey_sha256="$(openssl x509 -pubkey <"$CERT" | openssl pkey -pubin -outform DER \ +PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \ + | openssl x509 -pubkey | openssl pkey -pubin -outform DER \ | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")" with_remote_config <<-EOF - SSL_fingerprint = sha256\$$pkey_sha256 + SSL_fingerprint = sha256\$$PKEY_SHA256 EOF unverified_peer ! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error step_done +capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX) step_start "SSL_CAfile" if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then - # the self-signed cert should not be in there + # our self-signed test cert should not be in there with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt" unverified_peer fi -with_remote_config <<<"SSL_CAfile = $CERT" + +doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert >"$capath/ca-certificates.crt" +with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt" verified_peer step_done step_start "SSL_CApath" if [ -d "/etc/ssl/certs" ]; then - # the self-signed cert should not be in there + # our self-signed test cert should not be in there with_remote_config <<<"SSL_CApath = /etc/ssl/certs" unverified_peer fi -capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX) -cp -t"$capath" "$CERT" c_rehash "$capath" with_remote_config <<<"SSL_CApath = $capath" |
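Review bot: `PKEY_SHA256` is assigned from a four-stage pipeline whose exit status is only that of the final `sed`, so if `doveconf -c ... -hx ssl_cert` or either `openssl` stage fails the variable is silently empty and the pinned value in the heredoc becomes `sha256$`; the step then fails only through the MiTM-warning grep, which hides the actual cause. Unless the file already enables `set -o pipefail` (not visible in this hunk), adding `[ -n "$PKEY_SHA256" ] || error` directly after the assignment makes that failure explicit. The same extraction feeds `$capath/ca-certificates.crt` for the SSL_CAfile step, where an empty or partial write would likewise surface only as an unexpected `verified_peer` failure, so checking that command's status there is worthwhile too. Because `capath` is now created before the SSL_CAfile step and `c_rehash "$capath"` later hashes the certificate that step wrote (the old `cp` is gone), the SSL_CApath step depends on the SSL_CAfile step having run; a comment such as `# $capath already holds the test CA cert written by the SSL_CAfile step above` above `c_rehash` would record that coupling.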