| Commit message | Author | Age | Files | |
|---|---|---|---|---|
| * | Bump version number. | Guilhem Moulin | 2020-12-27 | 1 | 
| * | Merge tag 'v0.5.5' into debian/latest | Guilhem Moulin | 2020-12-26 | 32 | 
| |\ | Release version 0.5.5 | | | |
| | * | Prepare new release v0.5.5. [v0.5.5] | Guilhem Moulin | 2020-12-26 | 4 |
| | * | typofix | Guilhem Moulin | 2020-12-17 | 1 | 
| | | | ||||
| | * | libinterimap: new option SSL_ciphersuites to set the TLSv1.3 ciphersuites. | Guilhem Moulin | 2020-12-17 | 9 | 
| | | Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below. See SSL_CTX_set_cipher_list(3ssl). | | | |
| | * | manuals: Clarify that known TLS protocol versions depend on the OpenSSL version used. | Guilhem Moulin | 2020-12-17 | 3 |
| | * | test suite: use stock OpenSSL config except for tests/tls-protocols. | Guilhem Moulin | 2020-12-17 | 4 | 
| | | It's best to use a stock (clean) environment when possible. We only need to test TLS protocol version <1.2 for tests/tls-protocols. | | | |
| | * | typofix | Guilhem Moulin | 2020-12-13 | 2 | 
| | | | ||||
| | * | Remove obsolete Changelog entry. | Guilhem Moulin | 2020-12-13 | 1 | 
| | | | ||||
| | * | manual: improve wording. | Guilhem Moulin | 2020-12-13 | 2 | 
| | | | ||||
| | * | libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0. | Guilhem Moulin | 2020-12-13 | 2 | 
| | | It could in principle still work with earlier versions if the new settings SSL_protocol_{min,max} are not used, however it's cumbersome to do individual checks for specific settings, let alone maintain test coverage with multiple OpenSSL versions. | | | |
| | * | libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set. | Guilhem Moulin | 2020-12-13 | 8 |
| | | In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used). | | | |
| | * | test suite: ensure we haven't started speaking IMAP when the SSL/TLS handshake is aborted. | Guilhem Moulin | 2020-12-13 | 4 |
| | | (Unless STARTTLS is used to upgrade the connection.) | | | |
| | * | typofix | Guilhem Moulin | 2020-12-13 | 2 | 
| | | | ||||
| | * | Explicitly set SSL_verify=1 (default) only once. | Guilhem Moulin | 2020-12-13 | 1 | 
| | | | ||||
| | * | Make error messages more uniform and consistent. | Guilhem Moulin | 2020-12-13 | 5 | 
| | | | ||||
| | * | Fix broken URLs. | Guilhem Moulin | 2020-12-13 | 1 | 
| | | | ||||
| | * | README: Reflow with tw=78. | Guilhem Moulin | 2020-12-12 | 1 | 
| | | | ||||
| | * | README: suggest ControlPath=$XDG_RUNTIME_DIR/ssh-imap-%C for the SSH transport | Guilhem Moulin | 2020-12-12 | 2 | 
| | | Not a good idea to use a world-writable directory, see ssh_config(5)… Note that variable expansion is only available in OpenSSH 8.4 and later, cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 . | | | |
| | * | README: use 'restrict' option in authorized_keys(5) snippet. | Guilhem Moulin | 2020-12-12 | 2 | 
| | | This is shorter and more future-proof. Quoting the manual: `restrict`: "Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set." Note that this won't work with Jessie's OpenSSH server. | | | |
| | * | gitignore: Exclude aspell(1)'s backup copies. | Guilhem Moulin | 2020-12-12 | 1 | 
| | | | ||||
| | * | typofix, spelling | Guilhem Moulin | 2020-12-12 | 7 | 
| | | | ||||
| | * | `make release`: also bump libinterimap version and pin it in 'use' declarations. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | Also, make sure the tag doesn't exist, and fail early if we can't detect the version. | | | |
| | * | documentation: simplify SSL options in the sample configuration files. | Guilhem Moulin | 2020-12-11 | 3 | 
| | | | ||||
| | * | libinterimap: deprecate SSL_protocols and introduce SSL_protocol_{min,max}. | Guilhem Moulin | 2020-12-11 | 6 | 
| | | Using the libssl interface simplifies our protocol black/whitelist greatly; this only allows simple min/max bounds, but holes are arguably not very useful here. Using the new settings bumps the required libssl version to 1.1.0. | | | |
| | * | test suite: supply our own OpenSSL configuration file with MinProtocol=None. | Guilhem Moulin | 2020-12-11 | 7 | 
| | | So we can test TLSv1 as well, not just TLSv1.2 and later. Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration file (the default as of 2.3.11.3), hence running TLS tests now requires Dovecot 2.3 or later. | | | |
| | * | test suite: `mv tests/snippets tests/config` | Guilhem Moulin | 2020-12-11 | 8 | 
| | | | ||||
| | * | libinterimap: use Net::SSLeay::get_version() to get the protocol version string. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | This avoids maintaining our own map. | | | |
| | * | libinterimap: make $OPENSSL_VERSION global. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | | ||||
| | * | libinterimap: remove default SSL_protocols value. | Guilhem Moulin | 2020-12-11 | 7 | 
| | | Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1". As of Debian Buster (OpenSSL 1.1.1) this does not make a difference, however using the system default provides better compatibility with future libssl versions. | | | |
| | * | Remove incorrect affirmation from 0.5.4 changelog. | Guilhem Moulin | 2020-12-11 | 1 | 
| | | The test suite already required OpenSSL ≥1.1.1 as some tests are using TLSv1.3. | | | |
| | * | manpages: improve wording. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | | ||||
| | * | typofix | Guilhem Moulin | 2020-12-11 | 1 | 
| | | | ||||
| | * | Update copyright years. | Guilhem Moulin | 2020-12-11 | 4 | 
| | | | ||||
| * | | Prepare new release.debian/0.5.4-1 | Guilhem Moulin | 2020-12-11 | 1 | 
| | | | ||||
| * | | d/salsa-ci.yml: run .test-reprotest with DEB_BUILD_OPTIONS=nocheck. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | | ||||
| * | | d/rules: Run test suite with TMPDIR=/var/tmp. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | Some systems (such as salsa's CI runners) mount /dev/shm with the 'noexec' option. /var/tmp is probably safer in that regard since it's what mkinitramfs(8) defaults to. | | | |
| * | | Add debian/salsa-ci.yml file. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | | ||||
| * | | d/control: Point Vcs-* to salsa. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | | ||||
| * | | Bump minimum libnet-ssleay-perl version from 1.73 to 1.83. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | And also openssl to 1.1.1 in Build-Depends. | | | |
| * | | Refresh patches and bump version number. | Guilhem Moulin | 2020-12-11 | 3 | 
| | | | ||||
| * | | Merge tag 'v0.5.4' into debian/latest | Guilhem Moulin | 2020-12-11 | 25 | 
| |\| | Release version 0.5.4 | | | |
| | * | Prepare new release v0.5.4. [v0.5.4] | Guilhem Moulin | 2020-12-11 | 1 |
| | * | Prepare new release v0.5.4. | Guilhem Moulin | 2020-12-11 | 3 | 
| | | | ||||
| | * | rename 'debian' branch to 'debian/latest' for DEP-14 compliance. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | | ||||
| | * | documentation: improve wording. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | | ||||
| | * | typofix | Guilhem Moulin | 2020-12-11 | 1 | 
| | | | ||||
| | * | Makefile: new 'release' target. | Guilhem Moulin | 2020-12-11 | 2 | 
| | | Also, change the tag format from upstream/$VERSION to v$VERSION. | | | |
| | * | libinterimap: add support for the TLS SNI (Server Name Indication) extension. | Guilhem Moulin | 2020-12-11 | 9 | 
| | | This is controlled by the new 'SSL_hostname' option. The default value of that option is the value of the 'host' option when it is a hostname, and the empty string (which disables SNI) when it is an IP literal. | | | |
| | * | typofix | Guilhem Moulin | 2020-12-11 | 1 | 
| | | | ||||
