aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
committerGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
commitf4a60089cd7fdff73504a1f1f0afde642e77b735 (patch)
tree4fbbd58649eedea0485901753406caf0beb36836 /tests
parent2e485797d8ec91a0a74ec1f1e2e8723cf74a586e (diff)
parent9cbaed6527c3030819976dbe41bfb4392d6a6fa2 (diff)
Merge tag 'v0.5.5' into debian/latest
Release version 0.5.5
Diffstat (limited to 'tests')
-rw-r--r--tests/config/dovecot/dhparams.pem (renamed from tests/snippets/dovecot/dhparams.pem)0
-rw-r--r--tests/config/dovecot/imapd.conf (renamed from tests/snippets/dovecot/imapd.conf)0
-rw-r--r--tests/config/dovecot/interimap-required-capabilities.conf (renamed from tests/snippets/dovecot/interimap-required-capabilities.conf)0
-rw-r--r--tests/config/dovecot/lmtpd.conf (renamed from tests/snippets/dovecot/lmtpd.conf)0
-rw-r--r--tests/config/dovecot/ssl.conf (renamed from tests/snippets/dovecot/ssl.conf)1
-rw-r--r--tests/list1
-rwxr-xr-xtests/preauth-plaintext/imapd4
-rw-r--r--tests/preauth-plaintext/t2
-rwxr-xr-xtests/run8
-rwxr-xr-xtests/starttls-injection/imapd20
-rw-r--r--tests/starttls/t3
l---------tests/tls-ciphers/interimap.remote1
l---------tests/tls-ciphers/remote.conf1
-rw-r--r--tests/tls-ciphers/t31
-rw-r--r--tests/tls-pin-fingerprint/t6
-rw-r--r--tests/tls-protocols/openssl.cnf14
-rw-r--r--tests/tls-protocols/t76
-rw-r--r--tests/tls-rsa+ecdsa/t6
-rw-r--r--tests/tls-verify-peer/t32
-rw-r--r--tests/tls/t3
20 files changed, 174 insertions, 35 deletions
diff --git a/tests/snippets/dovecot/dhparams.pem b/tests/config/dovecot/dhparams.pem
index 7734d2a..7734d2a 100644
--- a/tests/snippets/dovecot/dhparams.pem
+++ b/tests/config/dovecot/dhparams.pem
diff --git a/tests/snippets/dovecot/imapd.conf b/tests/config/dovecot/imapd.conf
index 2b26451..2b26451 100644
--- a/tests/snippets/dovecot/imapd.conf
+++ b/tests/config/dovecot/imapd.conf
diff --git a/tests/snippets/dovecot/interimap-required-capabilities.conf b/tests/config/dovecot/interimap-required-capabilities.conf
index 10dd8e1..10dd8e1 100644
--- a/tests/snippets/dovecot/interimap-required-capabilities.conf
+++ b/tests/config/dovecot/interimap-required-capabilities.conf
diff --git a/tests/snippets/dovecot/lmtpd.conf b/tests/config/dovecot/lmtpd.conf
index 6aa8365..6aa8365 100644
--- a/tests/snippets/dovecot/lmtpd.conf
+++ b/tests/config/dovecot/lmtpd.conf
diff --git a/tests/snippets/dovecot/ssl.conf b/tests/config/dovecot/ssl.conf
index 2d68c80..3fd99d5 100644
--- a/tests/snippets/dovecot/ssl.conf
+++ b/tests/config/dovecot/ssl.conf
@@ -2,3 +2,4 @@ ssl = required
ssl_cert = <dovecot.rsa.crt
ssl_key = <dovecot.rsa.key
ssl_dh = <dhparams.pem
+ssl_min_protocol = TLSv1
diff --git a/tests/list b/tests/list
index cb31a73..d1058ba 100644
--- a/tests/list
+++ b/tests/list
@@ -54,6 +54,7 @@ split-set Split large sets to avoid extra-long command lines
tls-rsa+ecdsa pubkey fingerprint pinning for dual-cert RSA+ECDSA
tls-sni TLS servername extension (SNI)
tls-protocols force TLS protocol versions
+ tls-ciphers force TLS cipher list/suites
. Live synchronization (60s)
sync-live local/remote simulation
diff --git a/tests/preauth-plaintext/imapd b/tests/preauth-plaintext/imapd
index 8f3ac30..bf2ed72 100755
--- a/tests/preauth-plaintext/imapd
+++ b/tests/preauth-plaintext/imapd
@@ -18,7 +18,7 @@ while (1) {
die "accept: $!";
};
- # minimum CAPABILITY list, see tests/snippets/dovecot/interimap-required-capabilities.conf
+ # minimum CAPABILITY list, see tests/config/dovecot/interimap-required-capabilities.conf
$conn->printflush("* PREAUTH [CAPABILITY IMAP4rev1 ENABLE UIDPLUS LIST-EXTENDED QRESYNC LIST-STATUS] IMAP4rev1 Server\r\n");
my $x;
@@ -39,6 +39,6 @@ while (1) {
END {
if (defined $S) {
shutdown($S, SHUT_RDWR) or warn "shutdown: $!";
- close($S) or print STDERR "Can't close: $!\n";
+ close($S) or print STDERR "close: $!\n";
}
}
diff --git a/tests/preauth-plaintext/t b/tests/preauth-plaintext/t
index 427d57b..bc287dd 100644
--- a/tests/preauth-plaintext/t
+++ b/tests/preauth-plaintext/t
@@ -10,7 +10,7 @@ grep -Fx 'remote: ERROR: PREAUTH greeting on plaintext connection? MiTM in actio
! grep '^remote: C: ' <"$STDERR" || error "wrote command in MiTM'ed PREAUTH connection!"
-# Ignore the warning when STARTTLS is explicitely disabled
+# Ignore the warning when STARTTLS is explicitly disabled
echo "STARTTLS = NO" >>"$XDG_CONFIG_HOME/interimap/config"
interimap --debug || true
diff --git a/tests/run b/tests/run
index d216591..1eaad54 100755
--- a/tests/run
+++ b/tests/run
@@ -35,6 +35,9 @@ if [ ! -d "$TESTDIR" ]; then
exit 1
fi
+# cleanup environment
+unset OPENSSL_CONF SSL_CERT_FILE SSL_CERT_DIR
+
ROOTDIR="$(mktemp --tmpdir="${TMPDIR:-/dev/shm}" --directory "$1.XXXXXXXXXX")"
declare -a DOVECOT_SERVER=()
trap cleanup EXIT INT TERM
@@ -101,7 +104,7 @@ prepare() {
if [ -f "$TESTDIR/$u.conf" ] || [ -L "$TESTDIR/$u.conf" ]; then
cat >>"$home/.dovecot/config" <"$TESTDIR/$u.conf"
fi
- cp -aT -- "$BASEDIR/snippets/dovecot" "$home/.dovecot/conf.d"
+ cp -aT -- "$BASEDIR/config/dovecot" "$home/.dovecot/conf.d"
cp -at "$home/.dovecot/conf.d" -- "$BASEDIR/certs/ca.crt" "$BASEDIR/certs"/dovecot.*
proto="$(env -i "${ENVIRON[@]}" doveconf -c "$home/.dovecot/config" -h protocols)"
@@ -207,6 +210,9 @@ _interimap_cmd() {
local script="$1" rv=0
shift
environ_set "local"
+ [ -z "${OPENSSL_CONF+x}" ] || ENVIRON+=( OPENSSL_CONF="$OPENSSL_CONF" )
+ [ -z "${SSL_CERT_FILE+x}" ] || ENVIRON+=( SSL_CERT_FILE="$SSL_CERT_FILE" )
+ [ -z "${SSL_CERT_DIR+x}" ] || ENVIRON+=( SSL_CERT_DIR="$SSL_CERT_DIR" )
env -i "${ENVIRON[@]}" perl -I./lib -T "./$script" "$@" 2>"$STDERR" || rv=$?
cat <"$STDERR" >&2
return $rv
diff --git a/tests/starttls-injection/imapd b/tests/starttls-injection/imapd
index 15c53c7..52cbe9a 100755
--- a/tests/starttls-injection/imapd
+++ b/tests/starttls-injection/imapd
@@ -4,7 +4,7 @@ use warnings;
use strict;
use Errno qw/EINTR/;
-use Net::SSLeay qw/die_now die_if_ssl_error/;
+use Net::SSLeay qw/die_now/;
use Socket qw/INADDR_LOOPBACK AF_INET SOCK_STREAM pack_sockaddr_in
SOL_SOCKET SO_REUSEADDR SHUT_RDWR/;
@@ -20,16 +20,16 @@ bind($S, pack_sockaddr_in(10143, INADDR_LOOPBACK)) or die "bind: $!\n";
listen($S, 1) or die "listen: $!";
my $CONFDIR = $ENV{HOME} =~ /\A(\p{Print}+)\z/ ? "$1/.dovecot/conf.d" : die;
-my $CTX = Net::SSLeay::CTX_new() or die_now("SSL_CTX_new");
+my $CTX = Net::SSLeay::CTX_new() or die_now("SSL_CTX_new()");
Net::SSLeay::CTX_set_mode($CTX,
Net::SSLeay::MODE_ENABLE_PARTIAL_WRITE() |
Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER() |
Net::SSLeay::MODE_AUTO_RETRY() | # don't fail SSL_read on renegotiation
Net::SSLeay::MODE_RELEASE_BUFFERS() );
Net::SSLeay::CTX_use_PrivateKey_file($CTX, "$CONFDIR/dovecot.rsa.key", &Net::SSLeay::FILETYPE_PEM)
- or die_if_ssl_error("Can't load private key: $!");
+ or die_now("Can't load private key: $!");
Net::SSLeay::CTX_use_certificate_file($CTX, "$CONFDIR/dovecot.rsa.crt", &Net::SSLeay::FILETYPE_PEM)
- or die_if_ssl_error("Can't load certificate: $!");
+ or die_now("Can't load certificate: $!");
while (1) {
my $sockaddr = accept(my $conn, $S) or do {
@@ -52,14 +52,14 @@ while (1) {
$conn->printf("%06d OK CAPABILITY injected\r\n", $1+1);
$conn->flush();
- my $ssl = Net::SSLeay::new($CTX) or die_if_ssl_error("SSL_new");
- Net::SSLeay::set_fd($ssl, $conn) or die_if_ssl_error("SSL_set_fd");
- Net::SSLeay::accept($ssl) and die_if_ssl_error("SSL_accept");
+ my $ssl = Net::SSLeay::new($CTX) or die_now("SSL_new()");
+ die_now("SSL_set_fd()") unless Net::SSLeay::set_fd($ssl, $conn) == 1;
+ die_now("SSL_accept()") unless Net::SSLeay::accept($ssl);
- Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) CAPABILITY\r\n\z/ or die_now("SSL_read");
+ Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) CAPABILITY\r\n\z/ or die_now("SSL_read()");
Net::SSLeay::ssl_write_CRLF($ssl, "* CAPABILITY IMAP4rev1 AUTH=LOGIN\r\n$1 OK CAPABILITY completed");
- Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) LOGIN .*\r\n\z/ or die_now("SSL_read");
+ Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) LOGIN .*\r\n\z/ or die_now("SSL_read()");
Net::SSLeay::ssl_write_CRLF($ssl, "$1 OK [CAPABILITY IMAP4rev1] LOGIN completed");
Net::SSLeay::free($ssl);
@@ -72,6 +72,6 @@ END {
Net::SSLeay::CTX_free($CTX) if defined $CTX;
if (defined $S) {
shutdown($S, SHUT_RDWR) or warn "shutdown: $!";
- close($S) or print STDERR "Can't close: $!\n";
+ close($S) or print STDERR "close: $!\n";
}
}
diff --git a/tests/starttls/t b/tests/starttls/t
index 5f9bd4f..62b2151 100644
--- a/tests/starttls/t
+++ b/tests/starttls/t
@@ -21,9 +21,8 @@ grep -Fx "STARTTLS" <"$TMPDIR/capabilities" || error
grep -Fx "remote: C: 000000 STARTTLS" <"$STDERR" || error
grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
-grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
grep "^remote: SSL cipher: " <"$STDERR" || error
check_mailbox_status "INBOX"
diff --git a/tests/tls-ciphers/interimap.remote b/tests/tls-ciphers/interimap.remote
new file mode 120000
index 0000000..daf3741
--- /dev/null
+++ b/tests/tls-ciphers/interimap.remote
@@ -0,0 +1 @@
+../tls/interimap.remote \ No newline at end of file
diff --git a/tests/tls-ciphers/remote.conf b/tests/tls-ciphers/remote.conf
new file mode 120000
index 0000000..6029749
--- /dev/null
+++ b/tests/tls-ciphers/remote.conf
@@ -0,0 +1 @@
+../tls/remote.conf \ No newline at end of file
diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t
new file mode 100644
index 0000000..0dfc771
--- /dev/null
+++ b/tests/tls-ciphers/t
@@ -0,0 +1,31 @@
+# backup config
+install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
+with_remote_config() {
+ install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+ cat >>"$XDG_CONFIG_HOME/interimap/config"
+}
+
+with_remote_config <<-EOF
+ SSL_protocol_max = TLSv1.2
+ SSL_cipherlist = DHE-RSA-AES128-SHA256:ALL:!COMPLEMENTOFDEFAULT:!eNULL
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || error
+
+with_remote_config <<-EOF
+ SSL_protocol_max = TLSv1.2
+ SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL
+ SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error
+
+with_remote_config <<-EOF
+ SSL_protocol_min = TLSv1.3
+ SSL_cipherlist = DHE-RSA-AES128-SHA256
+ SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error
+
+# vim: set filetype=sh :
diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t
index 6716833..883a887 100644
--- a/tests/tls-pin-fingerprint/t
+++ b/tests/tls-pin-fingerprint/t
@@ -41,8 +41,9 @@ EOF
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
-# make sure we didn't send any credentials
+# make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
# two invalid ones
with_remote_config <<-EOF
@@ -53,8 +54,9 @@ EOF
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
-# make sure we didn't send any credentials
+# make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
# valid + invalid
diff --git a/tests/tls-protocols/openssl.cnf b/tests/tls-protocols/openssl.cnf
new file mode 100644
index 0000000..980097d
--- /dev/null
+++ b/tests/tls-protocols/openssl.cnf
@@ -0,0 +1,14 @@
+# as we want to test TLSv1 we need to set MinProtocol=None, see
+# see /usr/share/doc/libssl1.1/NEWS.Debian.gz
+
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = None
+CipherString = DEFAULT
diff --git a/tests/tls-protocols/t b/tests/tls-protocols/t
index f34a95b..72f7db2 100644
--- a/tests/tls-protocols/t
+++ b/tests/tls-protocols/t
@@ -1,3 +1,13 @@
+# system default
+interimap --debug || error
+! grep -E "^remote: Disabling SSL protocols: " <"$STDERR" || error # TODO deprecated
+! grep -E "^remote: Minimum SSL/TLS protocol version: " <"$STDERR" || error
+! grep -E "^remote: Maximum SSL/TLS protocol version: " <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv" <"$STDERR" || error
+
+# load custom OpenSSL configuration to allow TLS protocol version <=1.1
+export OPENSSL_CONF="$TESTDIR/openssl.cnf"
+
# backup config
install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
with_remote_tls_protocols() {
@@ -5,17 +15,15 @@ with_remote_tls_protocols() {
printf "SSL_protocols = %s\\n" "$*" >>"$XDG_CONFIG_HOME/interimap/config"
}
-# default
-interimap --debug || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
-grep -E "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
-
-# also disable TLSv1.2
+# disable TLSv1.2 and earlier
with_remote_tls_protocols "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"
interimap --debug || error
grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2" <"$STDERR" || error
grep -E "^remote: SSL protocol: TLSv1\.3 " <"$STDERR" || error
+interimap || error
+grep -E "^remote: WARNING: SSL_protocols is deprecated " <"$STDERR" || error "no deprecation warning"
+
# force TLSv1.2
with_remote_tls_protocols "TLSv1.2"
interimap --debug || error
@@ -28,12 +36,64 @@ interimap --debug || error
grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1.3" <"$STDERR" || error
grep -E "^remote: SSL protocol: TLSv(1\.[12])? " <"$STDERR" || error
-# force SSLv2 and SSLv3, fails as it's disabled server side
+# force SSLv2 and SSLv3; this fails due to dovecot's ssl_min_protocol=TLSv1
with_remote_tls_protocols "SSLv2" "SSLv3"
! interimap --debug || error
grep -Fx "remote: Disabling SSL protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3" <"$STDERR" || error
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
-# make sure we didn't send any credentials
+# make sure we didn't send any credentials or started speaking IMAP
+! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
+
+# new interface: SSL_protocol_{min,max}
+with_remote_tls_protocol_min_max() {
+ install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+ if [ -n "${1-}" ]; then
+ printf "SSL_protocol_min = %s\\n" "$1" >>"$XDG_CONFIG_HOME/interimap/config"
+ fi
+ if [ -n "${2-}" ]; then
+ printf "SSL_protocol_max = %s\\n" "$2" >>"$XDG_CONFIG_HOME/interimap/config"
+ fi
+}
+
+# disable TLSv1.2 and earlier
+# XXX this test assumes that TLSv1.3 is the highest version supported
+with_remote_tls_protocol_min_max "TLSv1.3"
+interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: TLSv1.3" <"$STDERR" || error
+! grep -E "^remote: Maximum SSL/TLS protocol version: " <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1\.3 " <"$STDERR" || error
+
+# force TLSv1.2
+with_remote_tls_protocol_min_max "TLSv1.2" "TLSv1.2"
+interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: TLSv1.2" <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.2" <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1\.2 " <"$STDERR" || error
+
+# disable TLSv1.2 and later
+with_remote_tls_protocol_min_max "" "TLSv1.1"
+interimap --debug || error
+! grep -E "^remote: Minimum SSL/TLS protocol version: " <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.1" <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1\.1 " <"$STDERR" || error
+
+# force SSLv3 to to TLSv1.1
+with_remote_tls_protocol_min_max "SSLv3" "TLSv1.1"
+interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: SSLv3" <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.1" <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1(\.1)? " <"$STDERR" || error
+
+# force SSLv3; this fails due to dovecot's ssl_min_protocol=TLSv1
+with_remote_tls_protocol_min_max "SSLv3" "SSLv3"
+! interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: SSLv3" <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: SSLv3" <"$STDERR" || error
+grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
+# make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
# vim: set filetype=sh :
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
index 2adf930..c9f5b96 100644
--- a/tests/tls-rsa+ecdsa/t
+++ b/tests/tls-rsa+ecdsa/t
@@ -36,9 +36,11 @@ grep -Fx -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_S
-e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_ALT_SHA256" \
<"$STDERR" || error
-# force RSA (XXX do we really have to force TLSv1.2 here?)
+# force RSA
+# XXX we also have to force TLS <=1.2 here as the TLSv1.3 ciphersuites
+# don't specify the certificate type (nor key exchange)
cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
- SSL_protocols = TLSv1.2
+ SSL_protocol_max = TLSv1.2
SSL_cipherlist = EECDH+AESGCM+aRSA
EOF
interimap --debug || error
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 2461a1f..8326521 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -15,8 +15,9 @@ unverified_peer() {
[ -s "$TMPDIR/preverify" ] || error
! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error
- # make sure we didn't send any credentials
+ # make sure we didn't send any credentials or started speaking IMAP
! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+ grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
}
verified_peer() {
local i u
@@ -31,7 +32,7 @@ verified_peer() {
[ -s "$TMPDIR/preverify" ] || error
! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
- grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+ grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
grep "^remote: SSL cipher: " <"$STDERR" || error
check_mailbox_status "INBOX"
@@ -45,7 +46,9 @@ with_remote_config() {
}
step_start "peer verification enabled by default"
+# assume our fake root CA is not among OpenSSL's default trusted CAs
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
step_done
step_start "peer verification result honored when pinned pubkey matches"
@@ -53,13 +56,23 @@ with_remote_config <<-EOF
SSL_fingerprint = sha256\$$PKEY_SHA256
EOF
unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
step_done
+
capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
-step_start "SSL_CAfile"
+step_start "SSL_CAfile/\$SSL_CERT_FILE"
+
+# verify that an error is raised when CAfile can't be loaded
+# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl))
+with_remote_config <<<"SSL_CAfile = /nonexistent"
+! interimap --debug || error
+grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
@@ -70,6 +83,10 @@ fi
with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF
@@ -79,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do
verified_peer
done
-# but not for other IPs or hostnames
+# but not for other hostnames or IPs
for host in "ip6-loopback" "127.0.1.1"; do
with_remote_config <<-EOF
host = $host
@@ -91,7 +108,8 @@ done
step_done
-step_start "SSL_CApath"
+step_start "SSL_CApath/\$SSL_CERT_DIR"
+
if [ -d "/etc/ssl/certs" ]; then
# assume our fake root CA is not there
with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
@@ -104,6 +122,10 @@ c_rehash "$capath"
with_remote_config <<<"SSL_CApath = $capath"
verified_peer
+with_remote_config </dev/null
+SSL_CERT_DIR="$capath" verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
# hostnames and IPs included in the subjectAltName should work as well
for host in "ip6-localhost" "127.0.0.1" "::1"; do
with_remote_config <<-EOF
diff --git a/tests/tls/t b/tests/tls/t
index 9fdd399..a674b28 100644
--- a/tests/tls/t
+++ b/tests/tls/t
@@ -8,9 +8,8 @@ for ((i = 0; i < 32; i++)); do
done
interimap --debug || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
-grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
grep "^remote: SSL cipher: " <"$STDERR" || error
check_mailbox_status "INBOX"