| Commit message (Collapse) | Author | Age | Files |
... | |
| |
| |
| |
| | |
Cf. https://www.gnu.org/prep/standards/html_node/Directory-Variables.html .
|
| |
| |
| |
| |
| | |
And use security level 2 for ssl_cipher_list. As of dovecot 2.3.18
ssl_min_protocol defaults to TLSv1.2.
|
| |
| |
| |
| |
| |
| | |
This is required to test TLS version <1.2 on systems with higher
security levels, see SSL_CTX_set_security_level(3ssl). Addapted from a
patch from <xnox> for Unbuntu.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Per RFC3501 §6.3.1 and §6.3.2 ‘UIDNEXT’ must be returned in an OK
untagged response. See also Appendix B#34.
However §6.3.1 suggests that it's in fact optional: “If this is missing,
the client can not make any assumptions about the next unique identifier
value.”
A correction was proposed in Errata ID 3445 https://www.rfc-editor.org/errata/eid3445 ,
and rejected on the ground that clients SHOULD support the implement
default behavior for missing data.
We heavily rely on the ‘UIDNEXT’ presence and won't implement a
workaround for its absence; instead we panic() with a more informative
message.
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
Namely OfflineIMAP for InterIMAP, and fetchmail/getmail for PullIMAP.
This should improve visibility.
|
| | |
|
| |
| |
| |
| |
| |
| | |
Changes-By: lintian-brush
Fixes: lintian: out-of-date-standards-version
See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
|
| |
| |
| |
| | |
Changes-By: lintian-brush
|
| | |
|
| |
| |
| |
| |
| | |
Next stable upstream release after developer release 1.86_06, and also
earliest version available in Debian.
|
|\|
| |
| |
| | |
Release version 0.5.6
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
That's when get_version() was introduced. Unfortunately the manual
doesn't mention it, but 1.85 is lacking the function, see
https://github.com/radiator-software/p5-net-ssleay/blob/1.88/Changes#L216
https://github.com/radiator-software/p5-net-ssleay/commit/ae33bb5405dadde973bc25a0c5e3941d5c83f8b1
Compatibility with Net::SSLeay 1.83 can be restored by reverting this
commit and 35f4ecefa9c9ff55acfdb337b215e3d13345c86d.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
We're using ssl_min_protocol in the test suite, see
feeb91998a29ca040f6e5dd103e09507a6355e32 .
|
| |
| |
| |
| |
| | |
The components are tightly tied together and libinterimap makes no
promise of API stability.
|
| | |
|
|\|
| |
| |
| | |
Release version 0.5.5
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below.
See SSL_CTX_set_cipher_list(3ssl).
|
| |
| |
| |
| | |
version used.
|
| |
| |
| |
| |
| | |
It's best to use a stock (clean) environment when possible. We only
need to test TLS protocol version <1.2 for tests/tls-protocols.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
It could in principle still work with earlier versions if the new
settings SSL_protocol_{min,max} are not used, however it's cumbersome to
do individual checks for specific settings, let alone maintain test
coverage with multiple OpenSSL versions.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).
This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used).
|
| |
| |
| |
| |
| |
| | |
handshake is aborted.
(Unless STARTTLS is used to upgrade the connection.)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Not a good idea to use a world-writable directory, see ssh_config(5)…
Note that variable expansion is only available in OpenSSH 8.4 and later,
cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 .
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is shorter and more future-proof. Quoting the manual:
restrict
Enable all restrictions, i.e. disable port, agent and X11
forwarding, as well as disabling PTY allocation and execution of
~/.ssh/rc. If any future restriction capabilities are added to
authorized_keys files they will be included in this set.
Note that this won't work with Jessie's OpenSSH server.
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
Also, make use the tag doesn't exist, and fail early if we can't detect
the version.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Using the libssl interface simplifies our protocol black/whitelist
greatly; this only allows simple min/max bounds, but holes are arguably
not very useful here.
Using the new settings bumps the required libssl version to 1.1.0.
|
| |
| |
| |
| |
| |
| |
| |
| | |
So we can test TLSv1 as well, not just TLSv1.2 and later.
Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now require
Dovecot 2.3 or later.
|