| | | Commit message | Author | Age | Files |
|---|---|---|---|---|---|
| * | | Merge tag 'v0.5.5' into debian/latest | Guilhem Moulin | 2020-12-26 | 32 |
| |\ | Release version 0.5.5 | | | |
| | * | Prepare new release v0.5.5. [v0.5.5] | Guilhem Moulin | 2020-12-26 | 4 |
| | * | typofix | Guilhem Moulin | 2020-12-17 | 1 | 
| | * | libinterimap: new option SSL_ciphersuites to set the TLSv1.3 ciphersuites. | Guilhem Moulin | 2020-12-17 | 9 |
| | | Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below. See SSL_CTX_set_cipher_list(3ssl). | | | |
| | * | manuals: Clarify that known TLS protocol versions depend on the OpenSSL version used. | Guilhem Moulin | 2020-12-17 | 3 |
| | * | test suite: use stock OpenSSL config except for tests/tls-protocols. | Guilhem Moulin | 2020-12-17 | 4 |
| | | It's best to use a stock (clean) environment when possible. We only need to test TLS protocol version <1.2 for tests/tls-protocols. | | | |
| | * | typofix | Guilhem Moulin | 2020-12-13 | 2 |
| | * | Remove obsolete Changelog entry. | Guilhem Moulin | 2020-12-13 | 1 |
| | * | manual: improve wording. | Guilhem Moulin | 2020-12-13 | 2 |
| | * | libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0. | Guilhem Moulin | 2020-12-13 | 2 |
| | | It could in principle still work with earlier versions if the new settings SSL_protocol_{min,max} are not used, however it's cumbersome to do individual checks for specific settings, let alone maintain test coverage with multiple OpenSSL versions. | | | |
| | * | libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set. | Guilhem Moulin | 2020-12-13 | 8 |
| | | In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used). | | | |
| | * | test suite: ensure we haven't started speaking IMAP when the SSL/TLS handshake is aborted. | Guilhem Moulin | 2020-12-13 | 4 |
| | | (Unless STARTTLS is used to upgrade the connection.) | | | |
| | * | typofix | Guilhem Moulin | 2020-12-13 | 2 |
| | * | Explicitly set SSL_verify=1 (default) only once. | Guilhem Moulin | 2020-12-13 | 1 | 
| | * | Make error messages more uniform and consistent. | Guilhem Moulin | 2020-12-13 | 5 |
| | * | Fix broken URLs. | Guilhem Moulin | 2020-12-13 | 1 |
| | * | README: Reflow with tw=78. | Guilhem Moulin | 2020-12-12 | 1 |
| | * | README: suggest ControlPath=$XDG_RUNTIME_DIR/ssh-imap-%C for the SSH transport | Guilhem Moulin | 2020-12-12 | 2 |
| | | Not a good idea to use a world-writable directory, see ssh_config(5)… Note that variable expansion is only available in OpenSSH 8.4 and later, cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 . | | | |
| | * | README: use 'restrict' option in authorized_keys(5) snippet. | Guilhem Moulin | 2020-12-12 | 2 |
| | | This is shorter and more future-proof. Quoting the manual: restrict Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set. Note that this won't work with Jessie's OpenSSH server. | | | |
| | * | gitignore: Exclude aspell(1)'s backup copies. | Guilhem Moulin | 2020-12-12 | 1 |
| | * | typofix, spelling | Guilhem Moulin | 2020-12-12 | 7 |
| | * | `make release`: also bump libinterimap version and pin it in 'use' declarations. | Guilhem Moulin | 2020-12-11 | 2 |
| | | Also, make sure the tag doesn't exist, and fail early if we can't detect the version. | | | |
| | * | documentation: simplify SSL options in the sample configuration files. | Guilhem Moulin | 2020-12-11 | 3 |
| | * | libinterimap: deprecate SSL_protocols and introduce SSL_protocol_{min,max}. | Guilhem Moulin | 2020-12-11 | 6 |
| | | Using the libssl interface simplifies our protocol black/whitelist greatly; this only allows simple min/max bounds, but holes are arguably not very useful here. Using the new settings bumps the required libssl version to 1.1.0. | | | |
| | * | test suite: supply our own OpenSSL configuration file with MinProtocol=None. | Guilhem Moulin | 2020-12-11 | 7 |
| | | So we can test TLSv1 as well, not just TLSv1.2 and later. Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration file (the default as of 2.3.11.3), hence running TLS tests now requires Dovecot 2.3 or later. | | | |
| | * | test suite: `mv tests/snippets tests/config` | Guilhem Moulin | 2020-12-11 | 8 |
| | * | libinterimap: use Net::SSLeay::get_version() to get the protocol version string. | Guilhem Moulin | 2020-12-11 | 2 |
| | | This avoids maintaining our own map. | | | |
| | * | libinterimap: make $OPENSSL_VERSION global. | Guilhem Moulin | 2020-12-11 | 2 | 
| | * | libinterimap: remove default SSL_protocols value. | Guilhem Moulin | 2020-12-11 | 7 |
| | | Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1". As of Debian Buster (OpenSSL 1.1.1) this does not make a difference, however using the system default provides better compatibility with future libssl versions. | | | |
| | * | Remove incorrect affirmation from 0.5.4 changelog. | Guilhem Moulin | 2020-12-11 | 1 |
| | | The test suite already required OpenSSL ≥1.1.1 as some tests are using TLSv1.3. | | | |
| | * | manpages: improve wording. | Guilhem Moulin | 2020-12-11 | 2 |
| | * | typofix | Guilhem Moulin | 2020-12-11 | 1 |
| | * | Update copyright years. | Guilhem Moulin | 2020-12-11 | 4 |
| * | | Prepare new release. [debian/0.5.4-1] | Guilhem Moulin | 2020-12-11 | 1 |
| * | | d/salsa-ci.yml: run .test-reprotest with DEB_BUILD_OPTIONS=nocheck. | Guilhem Moulin | 2020-12-11 | 2 |
| * | | d/rules: Run test suite with TMPDIR=/var/tmp. | Guilhem Moulin | 2020-12-11 | 2 |
| | | Some systems (such as salsa's CI runners) mount /dev/shm with the 'noexec' option. /var/tmp is probably safer in that regard since it's what mkinitramfs(8) defaults to. | | | |
| * | | Add debian/salsa-ci.yml file. | Guilhem Moulin | 2020-12-11 | 2 |
| * | | d/control: Point Vcs-* to salsa. | Guilhem Moulin | 2020-12-11 | 2 |
| * | | Bump minimum libnet-ssleay-perl version from 1.73 to 1.83. | Guilhem Moulin | 2020-12-11 | 2 |
| | | And also openssl to 1.1.1 in Build-Depends. | | | |
| * | | Refresh patches and bump version number. | Guilhem Moulin | 2020-12-11 | 3 |
| * | | Merge tag 'v0.5.4' into debian/latest | Guilhem Moulin | 2020-12-11 | 25 | 
| |\| | Release version 0.5.4 | | | |
| | * | Prepare new release v0.5.4. [v0.5.4] | Guilhem Moulin | 2020-12-11 | 1 |
| | * | Prepare new release v0.5.4. | Guilhem Moulin | 2020-12-11 | 3 |
| | * | rename 'debian' branch to 'debian/latest' for DEP-14 compliance. | Guilhem Moulin | 2020-12-11 | 2 |
| | * | documentation: improve wording. | Guilhem Moulin | 2020-12-11 | 2 |
| | * | typofix | Guilhem Moulin | 2020-12-11 | 1 |
| | * | Makefile: new 'release' target. | Guilhem Moulin | 2020-12-11 | 2 |
| | | Also, change the tag format from upstream/$VERSION to v$VERSION. | | | |
| | * | libinterimap: add support for the TLS SNI (Server Name Indication) extension. | Guilhem Moulin | 2020-12-11 | 9 |
| | | This is controlled by the new 'SSL_hostname' option. The default value of that option is the value of the 'host' option when it is a hostname, and the empty string (which disables SNI) when it is an IP literal. | | | |
| | * | typofix | Guilhem Moulin | 2020-12-11 | 1 |
| | * | libinterimap: make SSL_verify check the hostname as well. | Guilhem Moulin | 2020-12-11 | 9 |
| | | More precisely, ensure that the certificate Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only verifying the chain of trust. This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version to 1.0.2. | | | |
