authorGuilhem Moulin <guilhem@fripost.org>2020-12-13 17:43:52 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-13 18:44:18 +0100
commit8c43ed9baa905d907a6aad77de2282a852ba69a9 (patch)
tree4b8ecfe08d1aafcfde68cce0fb63b1bf4ec9542d /tests/tls-verify-peer
parentba9d8af01141a6d5d5b98a0e249c311814b844a6 (diff)
libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used).
Diffstat (limited to 'tests/tls-verify-peer')
-rw-r--r--tests/tls-verify-peer/t27
1 files changed, 24 insertions, 3 deletions
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 8cc098a..8326521 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -46,7 +46,9 @@ with_remote_config() {
}
step_start "peer verification enabled by default"
+# assume our fake root CA is not among OpenSSL's default trusted CAs
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
step_done
step_start "peer verification result honored when pinned pubkey matches"
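Review bot: The negative checks (`unverified_peer` here and in the pinned-fingerprint step of the next hunk) now depend on the environment of whoever runs the suite, because the commit message says OpenSSL's default locations can be overridden through SSL_CERT_FILE and SSL_CERT_DIR. If either variable is exported by the caller and points at a store that contains the test CA, both steps would fail for a reason unrelated to the code under test, and the added comment's assumption would no longer hold. Clearing them once before the first step, e.g. `unset SSL_CERT_FILE SSL_CERT_DIR`, would keep these steps hermetic. `unverified_peer` is defined outside the visible lines, so this assumes it does not already reset them.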
@@ -54,13 +56,23 @@ with_remote_config <<-EOF
SSL_fingerprint = sha256\$$PKEY_SHA256
EOF
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
step_done
+
capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
-step_start "SSL_CAfile"
+step_start "SSL_CAfile/\$SSL_CERT_FILE"
+
+# verify that an error is raised when CAfile can't be loaded
+# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl))
+with_remote_config <<<"SSL_CAfile = /nonexistent"
+! interimap --debug || error
+grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
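Review bot: The new comment says an unloadable `$SSL_CERT_FILE` does not raise an error, but no test asserts that this silent case still rejects the peer. The explicit `SSL_CAfile = /nonexistent` case is covered, including the check that no IMAP bytes were exchanged, while the environment-variable counterpart is only described. Adding `with_remote_config </dev/null` followed by `SSL_CERT_FILE=/nonexistent unverified_peer` would pin the fail-closed behaviour for a mistyped or stale variable. The `if` block at the end of this hunk continues outside it.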
@@ -71,6 +83,10 @@ fi
with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF
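Review bot: The `grep` after `SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer` does not show that the CA came from that variable, because the same "Using default locations" line is also expected in the unverified steps earlier in the file. Only the `verified_peer` result carries that evidence, and the other default source is left at its ambient value. In the later SSL_CApath hunk, `SSL_CERT_DIR="$capath" verified_peer` would therefore also pass if SSL_CERT_FILE happened to point at the test CA. Pinning the other variable in each case, e.g. `SSL_CERT_FILE=/nonexistent SSL_CERT_DIR="$capath" verified_peer`, would make each test prove exactly one source; this assumes `verified_peer`, defined outside the hunk, passes prefix assignments through to interimap. The `for` loop at the end of this hunk continues outside it.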
@@ -80,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do
verified_peer
done
-# but not for other IPs or hostnames
+# but not for other hostnames or IPs
for host in "ip6-loopback" "127.0.1.1"; do
with_remote_config <<-EOF
host = $host
@@ -92,7 +108,8 @@ done
step_done
-step_start "SSL_CApath"
+step_start "SSL_CApath/\$SSL_CERT_DIR"
+
if [ -d "/etc/ssl/certs" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
@@ -105,6 +122,10 @@ c_rehash "$capath"
with_remote_config <<<"SSL_CApath = $capath"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_DIR="$capath" verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF