| author | Guilhem Moulin <guilhem@debian.org> | 2020-12-26 23:33:12 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@debian.org> | 2020-12-26 23:33:12 +0100 | 
| commit | f4a60089cd7fdff73504a1f1f0afde642e77b735 (patch) | |
| tree | 4fbbd58649eedea0485901753406caf0beb36836 /tests | |
| parent | 2e485797d8ec91a0a74ec1f1e2e8723cf74a586e (diff) | |
| parent | 9cbaed6527c3030819976dbe41bfb4392d6a6fa2 (diff) | |
Merge tag 'v0.5.5' into debian/latest
Release version 0.5.5
Diffstat (limited to 'tests')
20 files changed, 174 insertions, 35 deletions
| diff --git a/tests/snippets/dovecot/dhparams.pem b/tests/config/dovecot/dhparams.pem index 7734d2a..7734d2a 100644 --- a/tests/snippets/dovecot/dhparams.pem +++ b/tests/config/dovecot/dhparams.pem diff --git a/tests/snippets/dovecot/imapd.conf b/tests/config/dovecot/imapd.conf index 2b26451..2b26451 100644 --- a/tests/snippets/dovecot/imapd.conf +++ b/tests/config/dovecot/imapd.conf diff --git a/tests/snippets/dovecot/interimap-required-capabilities.conf b/tests/config/dovecot/interimap-required-capabilities.conf index 10dd8e1..10dd8e1 100644 --- a/tests/snippets/dovecot/interimap-required-capabilities.conf +++ b/tests/config/dovecot/interimap-required-capabilities.conf diff --git a/tests/snippets/dovecot/lmtpd.conf b/tests/config/dovecot/lmtpd.conf index 6aa8365..6aa8365 100644 --- a/tests/snippets/dovecot/lmtpd.conf +++ b/tests/config/dovecot/lmtpd.conf diff --git a/tests/snippets/dovecot/ssl.conf b/tests/config/dovecot/ssl.conf index 2d68c80..3fd99d5 100644 --- a/tests/snippets/dovecot/ssl.conf +++ b/tests/config/dovecot/ssl.conf @@ -2,3 +2,4 @@ ssl = required  ssl_cert = <dovecot.rsa.crt  ssl_key = <dovecot.rsa.key  ssl_dh = <dhparams.pem +ssl_min_protocol = TLSv1 @@ -54,6 +54,7 @@ split-set   Split large sets to avoid extra-long command lines      tls-rsa+ecdsa           pubkey fingerprint pinning for dual-cert RSA+ECDSA      tls-sni                 TLS servername extension (SNI)      tls-protocols           force TLS protocol versions +    tls-ciphers             force TLS cipher list/suites  . Live synchronization (60s)      sync-live            local/remote simulation diff --git a/tests/preauth-plaintext/imapd b/tests/preauth-plaintext/imapd index 8f3ac30..bf2ed72 100755 --- a/tests/preauth-plaintext/imapd +++ b/tests/preauth-plaintext/imapd 
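Review bot: The added `ssl_min_protocol = TLSv1` in tests/config/dovecot/ssl.conf carries no comment saying that the server floor is lowered on purpose. Judging from tests/tls-protocols/t later in this commit, the fixture has to accept TLSv1 and TLSv1.1 so the client-side protocol limits can be exercised. Without that context the line reads like a recommended server setting. I would put `# test fixture only: accept TLSv1/TLSv1.1 so tests/tls-protocols can negotiate them` directly above it.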
@@ -18,7 +18,7 @@ while (1) {          die "accept: $!";      }; -    # minimum CAPABILITY list, see tests/snippets/dovecot/interimap-required-capabilities.conf +    # minimum CAPABILITY list, see tests/config/dovecot/interimap-required-capabilities.conf      $conn->printflush("* PREAUTH [CAPABILITY IMAP4rev1 ENABLE UIDPLUS LIST-EXTENDED QRESYNC LIST-STATUS] IMAP4rev1 Server\r\n");      my $x; @@ -39,6 +39,6 @@ while (1) {  END {      if (defined $S) {          shutdown($S, SHUT_RDWR) or warn "shutdown: $!"; -        close($S) or print STDERR "Can't close: $!\n"; +        close($S) or print STDERR "close: $!\n";      }  } diff --git a/tests/preauth-plaintext/t b/tests/preauth-plaintext/t index 427d57b..bc287dd 100644 --- a/tests/preauth-plaintext/t +++ b/tests/preauth-plaintext/t @@ -10,7 +10,7 @@ grep -Fx 'remote: ERROR: PREAUTH greeting on plaintext connection? MiTM in actio  ! grep '^remote: C: ' <"$STDERR" || error "wrote command in MiTM'ed PREAUTH connection!" -# Ignore the warning when STARTTLS is explicitely disabled +# Ignore the warning when STARTTLS is explicitly disabled  echo "STARTTLS = NO" >>"$XDG_CONFIG_HOME/interimap/config"  interimap --debug || true @@ -35,6 +35,9 @@ if [ ! -d "$TESTDIR" ]; then      exit 1  fi +# cleanup environment +unset OPENSSL_CONF SSL_CERT_FILE SSL_CERT_DIR +  ROOTDIR="$(mktemp --tmpdir="${TMPDIR:-/dev/shm}" --directory "$1.XXXXXXXXXX")"  declare -a DOVECOT_SERVER=()  trap cleanup EXIT INT TERM @@ -101,7 +104,7 @@ prepare() {          if [ -f "$TESTDIR/$u.conf" ] || [ -L "$TESTDIR/$u.conf" ]; then              cat >>"$home/.dovecot/config" <"$TESTDIR/$u.conf"          fi -        cp -aT -- "$BASEDIR/snippets/dovecot" "$home/.dovecot/conf.d" +        cp -aT -- "$BASEDIR/config/dovecot" "$home/.dovecot/conf.d"          cp -at "$home/.dovecot/conf.d" -- "$BASEDIR/certs/ca.crt" "$BASEDIR/certs"/dovecot.*          proto="$(env -i "${ENVIRON[@]}" doveconf -c "$home/.dovecot/config" -h protocols)" 
@@ -207,6 +210,9 @@ _interimap_cmd() {      local script="$1" rv=0      shift      environ_set "local" +    [ -z "${OPENSSL_CONF+x}" ]  || ENVIRON+=( OPENSSL_CONF="$OPENSSL_CONF" ) +    [ -z "${SSL_CERT_FILE+x}" ] || ENVIRON+=( SSL_CERT_FILE="$SSL_CERT_FILE" ) +    [ -z "${SSL_CERT_DIR+x}" ]  || ENVIRON+=( SSL_CERT_DIR="$SSL_CERT_DIR" )      env -i "${ENVIRON[@]}" perl -I./lib -T "./$script" "$@" 2>"$STDERR" || rv=$?      cat <"$STDERR" >&2      return $rv diff --git a/tests/starttls-injection/imapd b/tests/starttls-injection/imapd index 15c53c7..52cbe9a 100755 --- a/tests/starttls-injection/imapd +++ b/tests/starttls-injection/imapd @@ -4,7 +4,7 @@ use warnings;  use strict;  use Errno qw/EINTR/; -use Net::SSLeay qw/die_now die_if_ssl_error/; +use Net::SSLeay qw/die_now/;  use Socket qw/INADDR_LOOPBACK AF_INET SOCK_STREAM pack_sockaddr_in      SOL_SOCKET SO_REUSEADDR SHUT_RDWR/; @@ -20,16 +20,16 @@ bind($S, pack_sockaddr_in(10143, INADDR_LOOPBACK)) or die "bind: $!\n";  listen($S, 1) or die "listen: $!";  my $CONFDIR = $ENV{HOME} =~ /\A(\p{Print}+)\z/ ? "$1/.dovecot/conf.d" : die; -my $CTX = Net::SSLeay::CTX_new() or die_now("SSL_CTX_new"); +my $CTX = Net::SSLeay::CTX_new() or die_now("SSL_CTX_new()");  Net::SSLeay::CTX_set_mode($CTX,      Net::SSLeay::MODE_ENABLE_PARTIAL_WRITE() |      Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER() |      Net::SSLeay::MODE_AUTO_RETRY() | # don't fail SSL_read on renegotiation      Net::SSLeay::MODE_RELEASE_BUFFERS() );  Net::SSLeay::CTX_use_PrivateKey_file($CTX, "$CONFDIR/dovecot.rsa.key", &Net::SSLeay::FILETYPE_PEM) -    or die_if_ssl_error("Can't load private key: $!"); +    or die_now("Can't load private key: $!");  Net::SSLeay::CTX_use_certificate_file($CTX, "$CONFDIR/dovecot.rsa.crt", &Net::SSLeay::FILETYPE_PEM) -    or die_if_ssl_error("Can't load certificate: $!"); +    or die_now("Can't load certificate: $!");  while (1) {      my $sockaddr = accept(my $conn, $S) or do { 
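Review bot: The three pass-through lines added to `_interimap_cmd` have no comment explaining why `OPENSSL_CONF`, `SSL_CERT_FILE` and `SSL_CERT_DIR` are exempted from the `env -i` scrubbing. The same names are unset near the top of the script, so only values a test sets itself reach interimap. That pairing is what keeps the invoking user's trust store and OpenSSL policy from influencing results, and it is worth stating next to the code. Suggested comment: `# forward OpenSSL overrides set by the test itself (inherited values were unset at startup)`. The function's opening line is above the hunk and its closing brace is below it.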
@@ -52,14 +52,14 @@ while (1) {      $conn->printf("%06d OK CAPABILITY injected\r\n", $1+1);      $conn->flush(); -    my $ssl = Net::SSLeay::new($CTX) or die_if_ssl_error("SSL_new"); -    Net::SSLeay::set_fd($ssl, $conn) or die_if_ssl_error("SSL_set_fd"); -    Net::SSLeay::accept($ssl) and die_if_ssl_error("SSL_accept"); +    my $ssl = Net::SSLeay::new($CTX) or die_now("SSL_new()"); +    die_now("SSL_set_fd()") unless Net::SSLeay::set_fd($ssl, $conn) == 1; +    die_now("SSL_accept()") unless Net::SSLeay::accept($ssl); -    Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) CAPABILITY\r\n\z/ or die_now("SSL_read"); +    Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) CAPABILITY\r\n\z/ or die_now("SSL_read()");      Net::SSLeay::ssl_write_CRLF($ssl, "* CAPABILITY IMAP4rev1 AUTH=LOGIN\r\n$1 OK CAPABILITY completed"); -    Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) LOGIN .*\r\n\z/ or die_now("SSL_read"); +    Net::SSLeay::ssl_read_CRLF($ssl) =~ /\A(\S+) LOGIN .*\r\n\z/ or die_now("SSL_read()");      Net::SSLeay::ssl_write_CRLF($ssl, "$1 OK [CAPABILITY IMAP4rev1] LOGIN completed");      Net::SSLeay::free($ssl); @@ -72,6 +72,6 @@ END {      Net::SSLeay::CTX_free($CTX) if defined $CTX;      if (defined $S) {          shutdown($S, SHUT_RDWR) or warn "shutdown: $!"; -        close($S) or print STDERR "Can't close: $!\n"; +        close($S) or print STDERR "close: $!\n";      }  } diff --git a/tests/starttls/t b/tests/starttls/t index 5f9bd4f..62b2151 100644 --- a/tests/starttls/t +++ b/tests/starttls/t 
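Review bot: `die_now("SSL_accept()") unless Net::SSLeay::accept($ssl);` only catches a return value of 0. SSL_accept reports fatal handshake errors as a negative value, which is true in Perl, so the script would carry on to `ssl_read_CRLF` and most likely die there with a misleading `SSL_read()` message. The `set_fd` check one line above already compares against 1, and the accept check should do the same: `die_now("SSL_accept()") unless Net::SSLeay::accept($ssl) == 1;`. The enclosing `while (1)` loop begins before this hunk and ends after it.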
@@ -21,9 +21,8 @@ grep -Fx "STARTTLS"  <"$TMPDIR/capabilities" || error  grep -Fx "remote: C: 000000 STARTTLS"   <"$STDERR" || error  grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error -grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error  grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error -grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error +grep "^remote: SSL protocol: TLSv" <"$STDERR" || error  grep "^remote: SSL cipher: " <"$STDERR" || error  check_mailbox_status "INBOX" diff --git a/tests/tls-ciphers/interimap.remote b/tests/tls-ciphers/interimap.remote new file mode 120000 index 0000000..daf3741 --- /dev/null +++ b/tests/tls-ciphers/interimap.remote @@ -0,0 +1 @@ +../tls/interimap.remote
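Review bot: Replacing `TLSv1\.[23] ` with `TLSv` in the `SSL protocol:` check means this test no longer fails when the default configuration negotiates TLSv1 or TLSv1.1. The server fixture now admits both through `ssl_min_protocol = TLSv1`. The same loosening is made in tests/tls-verify-peer/t and tests/tls/t. If the intent is to leave the floor to the system OpenSSL policy, a comment would keep the weaker pattern from reading as an oversight: `# protocol floor comes from the system OpenSSL defaults; only check that TLS was negotiated`.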
\ No newline at end of file diff --git a/tests/tls-ciphers/remote.conf b/tests/tls-ciphers/remote.conf new file mode 120000 index 0000000..6029749 --- /dev/null +++ b/tests/tls-ciphers/remote.conf @@ -0,0 +1 @@ +../tls/remote.conf
\ No newline at end of file diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t new file mode 100644 index 0000000..0dfc771 --- /dev/null +++ b/tests/tls-ciphers/t @@ -0,0 +1,31 @@ +# backup config +install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~" +with_remote_config() { +    install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config" +    cat >>"$XDG_CONFIG_HOME/interimap/config" +} + +with_remote_config <<-EOF +	SSL_protocol_max = TLSv1.2 +	SSL_cipherlist = DHE-RSA-AES128-SHA256:ALL:!COMPLEMENTOFDEFAULT:!eNULL +EOF +interimap --debug || error +grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || error + +with_remote_config <<-EOF +	SSL_protocol_max = TLSv1.2 +	SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL +	SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +EOF +interimap --debug || error +grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error + +with_remote_config <<-EOF +	SSL_protocol_min = TLSv1.3 +	SSL_cipherlist = DHE-RSA-AES128-SHA256 +	SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +EOF +interimap --debug || error +grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error + +# vim: set filetype=sh : diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t index 6716833..883a887 100644 --- a/tests/tls-pin-fingerprint/t +++ b/tests/tls-pin-fingerprint/t 
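Review bot: tests/tls-ciphers/t has only positive cases; nothing pins what happens when `SSL_cipherlist` leaves no cipher usable for the permitted protocol range. The second case shows that an unknown entry (`NONEXISTENT`) is skipped when valid entries follow, so the failure path is the one a regression could change silently. I would add a fourth case with `SSL_protocol_max = TLSv1.2` and a cipher list holding only an unknown name. It would expect `! interimap --debug || error` followed by `grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error`, which matches how the other TLS tests check failed handshakes. The exact error text interimap prints in that situation is not visible here.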
@@ -41,8 +41,9 @@ EOF  grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error  grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error  grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error -# make sure we didn't send any credentials +# make sure we didn't send any credentials or started speaking IMAP  ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error +grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error  # two invalid ones  with_remote_config <<-EOF @@ -53,8 +54,9 @@ EOF  grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error  grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error  grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error -# make sure we didn't send any credentials +# make sure we didn't send any credentials or started speaking IMAP  ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error +grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error  # valid + invalid diff --git a/tests/tls-protocols/openssl.cnf b/tests/tls-protocols/openssl.cnf new file mode 100644 index 0000000..980097d --- /dev/null +++ b/tests/tls-protocols/openssl.cnf @@ -0,0 +1,14 @@ +# as we want to test TLSv1 we need to set MinProtocol=None, see +# see /usr/share/doc/libssl1.1/NEWS.Debian.gz + +openssl_conf = default_conf + +[default_conf] +ssl_conf = ssl_sect + +[ssl_sect] +system_default = system_default_sect + +[system_default_sect] +MinProtocol = None +CipherString = DEFAULT diff --git a/tests/tls-protocols/t b/tests/tls-protocols/t index f34a95b..72f7db2 100644 --- a/tests/tls-protocols/t +++ b/tests/tls-protocols/t 
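Review bot: The header comment of tests/tls-protocols/openssl.cnf repeats "see" across its two lines and does not say that the file is only meant to be loaded through `OPENSSL_CONF` by this test. `MinProtocol = None` together with `CipherString = DEFAULT` replaces the distribution's system-wide defaults, so the scope should be explicit. For example: `# test-only override, loaded via OPENSSL_CONF in tests/tls-protocols/t: lift the system MinProtocol so TLSv1 and TLSv1.1 can be negotiated`. Whether `CipherString = DEFAULT` is also meant to drop a distribution security-level suffix is not stated; if it is, the comment should say so.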
@@ -1,3 +1,13 @@ +# system default +interimap --debug || error +! grep -E "^remote: Disabling SSL protocols: " <"$STDERR" || error # TODO deprecated +! grep -E "^remote: Minimum SSL/TLS protocol version: " <"$STDERR" || error +! grep -E "^remote: Maximum SSL/TLS protocol version: " <"$STDERR" || error +grep -E "^remote: SSL protocol: TLSv" <"$STDERR" || error + +# load custom OpenSSL configuration to allow TLS protocol version <=1.1 +export OPENSSL_CONF="$TESTDIR/openssl.cnf" +  # backup config  install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"  with_remote_tls_protocols() { @@ -5,17 +15,15 @@ with_remote_tls_protocols() {      printf "SSL_protocols = %s\\n" "$*" >>"$XDG_CONFIG_HOME/interimap/config"  } -# default -interimap --debug || error -grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error -grep -E "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error - -# also disable TLSv1.2 +# disable TLSv1.2 and earlier  with_remote_tls_protocols "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"  interimap --debug || error  grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2" <"$STDERR" || error  grep -E "^remote: SSL protocol: TLSv1\.3 " <"$STDERR" || error +interimap || error +grep -E "^remote: WARNING: SSL_protocols is deprecated " <"$STDERR" || error "no deprecation warning" +  # force TLSv1.2  with_remote_tls_protocols "TLSv1.2"  interimap --debug || error 
@@ -28,12 +36,64 @@ interimap --debug || error  grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1.3" <"$STDERR" || error  grep -E "^remote: SSL protocol: TLSv(1\.[12])? " <"$STDERR" || error -# force SSLv2 and SSLv3, fails as it's disabled server side +# force SSLv2 and SSLv3; this fails due to dovecot's ssl_min_protocol=TLSv1  with_remote_tls_protocols "SSLv2" "SSLv3"  ! interimap --debug || error  grep -Fx "remote: Disabling SSL protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3" <"$STDERR" || error  grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error -# make sure we didn't send any credentials +# make sure we didn't send any credentials or started speaking IMAP +! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error +grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error + + +# new interface: SSL_protocol_{min,max} +with_remote_tls_protocol_min_max() { +    install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config" +    if [ -n "${1-}" ]; then +        printf "SSL_protocol_min = %s\\n" "$1" >>"$XDG_CONFIG_HOME/interimap/config" +    fi +    if [ -n "${2-}" ]; then +        printf "SSL_protocol_max = %s\\n" "$2" >>"$XDG_CONFIG_HOME/interimap/config" +    fi +} + +# disable TLSv1.2 and earlier +# XXX this test assumes that TLSv1.3 is the highest version supported +with_remote_tls_protocol_min_max "TLSv1.3" +interimap --debug || error +grep -Fx "remote: Minimum SSL/TLS protocol version: TLSv1.3" <"$STDERR" || error +! 
grep -E "^remote: Maximum SSL/TLS protocol version: " <"$STDERR" || error +grep -E "^remote: SSL protocol: TLSv1\.3 " <"$STDERR" || error + +# force TLSv1.2 +with_remote_tls_protocol_min_max "TLSv1.2" "TLSv1.2" +interimap --debug || error +grep -Fx "remote: Minimum SSL/TLS protocol version: TLSv1.2" <"$STDERR" || error +grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.2" <"$STDERR" || error +grep -E "^remote: SSL protocol: TLSv1\.2 " <"$STDERR" || error + +# disable TLSv1.2 and later +with_remote_tls_protocol_min_max "" "TLSv1.1" +interimap --debug || error +! grep -E "^remote: Minimum SSL/TLS protocol version: " <"$STDERR" || error +grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.1" <"$STDERR" || error +grep -E "^remote: SSL protocol: TLSv1\.1 " <"$STDERR" || error + +# force SSLv3 to to TLSv1.1 +with_remote_tls_protocol_min_max "SSLv3" "TLSv1.1" +interimap --debug || error +grep -Fx "remote: Minimum SSL/TLS protocol version: SSLv3" <"$STDERR" || error +grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.1" <"$STDERR" || error +grep -E "^remote: SSL protocol: TLSv1(\.1)? " <"$STDERR" || error + +# force SSLv3; this fails due to dovecot's ssl_min_protocol=TLSv1 +with_remote_tls_protocol_min_max "SSLv3" "SSLv3" +! interimap --debug || error +grep -Fx "remote: Minimum SSL/TLS protocol version: SSLv3" <"$STDERR" || error +grep -Fx "remote: Maximum SSL/TLS protocol version: SSLv3" <"$STDERR" || error +grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error +# make sure we didn't send any credentials or started speaking IMAP  ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error +grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error  # vim: set filetype=sh : diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t index 2adf930..c9f5b96 100644 --- a/tests/tls-rsa+ecdsa/t +++ b/tests/tls-rsa+ecdsa/t 
@@ -36,9 +36,11 @@ grep -Fx -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_S           -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_ALT_SHA256" \           <"$STDERR" || error -# force RSA (XXX do we really have to force TLSv1.2 here?) +# force RSA +# XXX we also have to force TLS <=1.2 here as the TLSv1.3 ciphersuites +# don't specify the certificate type (nor key exchange)  cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF -	SSL_protocols = TLSv1.2 +	SSL_protocol_max = TLSv1.2  	SSL_cipherlist = EECDH+AESGCM+aRSA  EOF  interimap --debug || error diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t index 2461a1f..8326521 100644 --- a/tests/tls-verify-peer/t +++ b/tests/tls-verify-peer/t @@ -15,8 +15,9 @@ unverified_peer() {      [ -s "$TMPDIR/preverify" ] || error      ! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error -    # make sure we didn't send any credentials +    # make sure we didn't send any credentials or started speaking IMAP      ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error +    grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error  }  verified_peer() {      local i u @@ -31,7 +32,7 @@ verified_peer() {      [ -s "$TMPDIR/preverify" ] || error      ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error -    grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error +    grep "^remote: SSL protocol: TLSv" <"$STDERR" || error      grep "^remote: SSL cipher: " <"$STDERR" || error      check_mailbox_status "INBOX" @@ -45,7 +46,9 @@ with_remote_config() {  }  step_start "peer verification enabled by default" +# assume our fake root CA is not among OpenSSL's default trusted CAs  unverified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error  step_done  step_start "peer verification result honored when pinned pubkey matches" 
@@ -53,13 +56,23 @@ with_remote_config <<-EOF  	SSL_fingerprint = sha256\$$PKEY_SHA256  EOF  unverified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error  grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error  step_done +  capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)  cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt" -step_start "SSL_CAfile" +step_start "SSL_CAfile/\$SSL_CERT_FILE" + +# verify that an error is raised when CAfile can't be loaded +# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl)) +with_remote_config <<<"SSL_CAfile = /nonexistent" +! interimap --debug || error +grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error +grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error +  if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then      # assume our fake root CA is not there      with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt" @@ -70,6 +83,10 @@ fi  with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"  verified_peer +with_remote_config </dev/null +SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error +  # hostnames and IPs included in the subjectAltName should work as well  for host in "ip6-localhost" "127.0.0.1" "::1"; do      with_remote_config <<-EOF @@ -79,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do      verified_peer  done -# but not for other IPs or hostnames +# but not for other hostnames or IPs  for host in "ip6-loopback" "127.0.1.1"; do      with_remote_config <<-EOF  		host = $host 
@@ -91,7 +108,8 @@ done  step_done -step_start "SSL_CApath" +step_start "SSL_CApath/\$SSL_CERT_DIR" +  if [ -d "/etc/ssl/certs" ]; then      # assume our fake root CA is not there      with_remote_config <<<"SSL_CApath = /etc/ssl/certs" @@ -104,6 +122,10 @@ c_rehash "$capath"  with_remote_config <<<"SSL_CApath = $capath"  verified_peer +with_remote_config </dev/null +SSL_CERT_DIR="$capath" verified_peer +grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error +  # hostnames and IPs included in the subjectAltName should work as well  for host in "ip6-localhost" "127.0.0.1" "::1"; do      with_remote_config <<-EOF diff --git a/tests/tls/t b/tests/tls/t index 9fdd399..a674b28 100644 --- a/tests/tls/t +++ b/tests/tls/t @@ -8,9 +8,8 @@ for ((i = 0; i < 32; i++)); do  done  interimap --debug || error -grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error  grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error -grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error +grep "^remote: SSL protocol: TLSv" <"$STDERR" || error  grep "^remote: SSL cipher: " <"$STDERR" || error  check_mailbox_status "INBOX" | 
