aboutsummaryrefslogtreecommitdiffstats
path: root/tests/tls-verify-peer
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@debian.org>2021-01-01 12:44:17 +0100
committerGuilhem Moulin <guilhem@debian.org>2021-01-01 12:44:17 +0100
commitd782c12d603fcbcc8bcf7b18860e9a16a27f4b1b (patch)
tree789fa2c3e7d08b08e82b6e5fa999ac7584fe3416 /tests/tls-verify-peer
parent2ce885e19f4a5f18da30c35dc7da7a204e2ceb58 (diff)
parent3d818bf7e24f0757bcd13f30118d229e5a6b5448 (diff)
Merge tag 'debian/0.5.5-1' into debian/buster-backports
interimap Debian release 0.5.5-1
Diffstat (limited to 'tests/tls-verify-peer')
-rw-r--r--tests/tls-verify-peer/t32
1 files changed, 27 insertions, 5 deletions
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 2461a1f..8326521 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -15,8 +15,9 @@ unverified_peer() {
[ -s "$TMPDIR/preverify" ] || error
! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error
- # make sure we didn't send any credentials
+ # make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+ grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
}
verified_peer() {
local i u
@@ -31,7 +32,7 @@ verified_peer() {
[ -s "$TMPDIR/preverify" ] || error
! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
- grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+ grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
grep "^remote: SSL cipher: " <"$STDERR" || error
check_mailbox_status "INBOX"
@@ -45,7 +46,9 @@ with_remote_config() {
}
step_start "peer verification enabled by default"
+# assume our fake root CA is not among OpenSSL's default trusted CAs
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
step_done
step_start "peer verification result honored when pinned pubkey matches"
@@ -53,13 +56,23 @@ with_remote_config <<-EOF
SSL_fingerprint = sha256\$$PKEY_SHA256
EOF
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
step_done
+
capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
-step_start "SSL_CAfile"
+step_start "SSL_CAfile/\$SSL_CERT_FILE"
+
+# verify that an error is raised when CAfile can't be loaded
+# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl))
+with_remote_config <<<"SSL_CAfile = /nonexistent"
+! interimap --debug || error
+grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
@@ -70,6 +83,10 @@ fi
with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF
@@ -79,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do
verified_peer
done
-# but not for other IPs or hostnames
+# but not for other hostnames or IPs
for host in "ip6-loopback" "127.0.1.1"; do
with_remote_config <<-EOF
host = $host
@@ -91,7 +108,8 @@ done
step_done
-step_start "SSL_CApath"
+step_start "SSL_CApath/\$SSL_CERT_DIR"
+
if [ -d "/etc/ssl/certs" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
@@ -104,6 +122,10 @@ c_rehash "$capath"
with_remote_config <<<"SSL_CApath = $capath"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_DIR="$capath" verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF