|  | Commit message | Author | Age | Files | 
|---|
| | Namely OfflineIMAP for InterIMAP, and fetchmail/getmail for PullIMAP.
This should improve visibility. | 
| | |  | 
| | Changes-By: lintian-brush
Fixes: lintian: out-of-date-standards-version
See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html | 
| | 
| | Changes-By: lintian-brush | 
| | |  | 
| | Next stable upstream release after developer release 1.86_06, and also
earliest version available in Debian. | 
| |\  
| | | Release version 0.5.6 | 
| | | |  | 
| | | That's when get_version() was introduced.  Unfortunately the manual
doesn't mention it, but 1.85 is lacking the function, see
    https://github.com/radiator-software/p5-net-ssleay/blob/1.88/Changes#L216
    https://github.com/radiator-software/p5-net-ssleay/commit/ae33bb5405dadde973bc25a0c5e3941d5c83f8b1
Compatibility with Net::SSLeay 1.83 can be restored by reverting this
commit and 35f4ecefa9c9ff55acfdb337b215e3d13345c86d. | 
| | | |  | 
| | | We're using ssl_min_protocol in the test suite, see
feeb91998a29ca040f6e5dd103e09507a6355e32 . | 
| | | 
| | | The components are tightly tied together and libinterimap makes no
promise of API stability. | 
| | | |  | 
| |\| 
| | | Release version 0.5.5 | 
| | | |  | 
| | | Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below.
See SSL_CTX_set_cipher_list(3ssl). | 
| | | 
| | | version used. | 
| | | 
| | | It's best to use a stock (clean) environment when possible.  We only
need to test TLS protocol version <1.2 for tests/tls-protocols. | 
| | | |  | 
| | | It could in principle still work with earlier versions if the new
settings SSL_protocol_{min,max} are not used, however it's cumbersome to
do individual checks for specific settings, let alone maintain test
coverage with multiple OpenSSL versions. | 
| | | 
| | | CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).
This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used). | 
| | | 
| | | handshake is aborted.
(Unless STARTTLS is used to upgrade the connection.) | 
| | | |  | 
| | | Not a good idea to use a world-writable directory, see ssh_config(5)…
Note that variable expansion is only available in OpenSSH 8.4 and later,
cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 . | 
| | | 
| | | This is shorter and more future-proof.  Quoting the manual:
    restrict
        Enable all restrictions, i.e. disable port, agent and X11
        forwarding, as well as disabling PTY allocation and execution of
        ~/.ssh/rc.  If any future restriction capabilities are added to
        authorized_keys files they will be included in this set.
Note that this won't work with Jessie's OpenSSH server. | 
| | | |  | 
| | | Also, make sure the tag doesn't exist, and fail early if we can't detect
the version. | 
| | | |  | 
| | | Using the libssl interface simplifies our protocol black/whitelist
greatly; this only allows simple min/max bounds, but holes are arguably
not very useful here.
Using the new settings bumps the required libssl version to 1.1.0. | 
| | | 
| | | So we can test TLSv1 as well, not just TLSv1.2 and later.
Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now requires
Dovecot 2.3 or later. | 
| | | |  | 
| | | This avoids maintaining our own map. | 
| | | |  | 
| | | Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1".
As of Debian Buster (OpenSSL 1.1.1) this does not make a difference,
however using the system default provides better compatibility with
future libssl versions. | 
| | | 
| | | The test suite already required OpenSSL ≥1.1.1 as some tests are using
TLSv1.3. | 
| | | |  |