| Commit message (Collapse) | Author | Age | Files |
|
|
|
|
|
|
| |
It wasn't the case for interimap(1), see https://bugs.debian.org/608604 …
Fortunately we create $XDG_DATA_HOME/interimap with a secure mode, but
there is no reason to have the DB world-readable. Since we can't rely
on SQLITE_OPEN_CREATE for secure mode we use sysopen(,,O_CREAT,0600).
|
|
|
|
|
| |
And make location for systemd user unit files configurable with
systemd_userunitdir=.
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Update instructions/documentation obsolete since
a1c089b997ebf705a9023b4f0f97327e5bd2814e and
733ed91162b02cd0fa5d7d1c443c780d3d4405e9.
|
| |
|
| |
|
|
|
|
| |
Per convention, cf. https://www.gnu.org/prep/standards/html_node/Standard-Targets.html .
|
|
|
|
| |
This is useful for Debian packages built under ‘nodoc’ profile.
|
|
|
|
|
|
|
|
|
| |
And make the installation path configurable at `make` time. Moreover,
adjust the 'test' target so the site directory and interimap/pullimap
path are configurable with INTERIMAP_I and INTERIMAP_PATH respectively.
That way one can run `tests/run foo` to check the source, `make test` to
check what's been built, and we also have the possibility to check the
installed program e.g. for autopkgtests.
|
| |
|
| |
|
|
|
|
|
| |
Defaulting to ‘build’. Also, remove BUILD_DOCDIR= (replaced with
‘$(builddir)/doc’).
|
|
|
|
| |
Per https://www.gnu.org/prep/standards/html_node/Standard-Targets.html#Standard-Targets .
|
|
|
|
| |
Per https://www.gnu.org/prep/standards/html_node/DESTDIR.html .
|
|
|
|
| |
Cf. https://www.gnu.org/prep/standards/html_node/Command-Variables.html .
|
|
|
|
| |
Cf. https://www.gnu.org/prep/standards/html_node/Directory-Variables.html .
|
|
|
|
|
| |
And use security level 2 for ssl_cipher_list. As of dovecot 2.3.18
ssl_min_protocol defaults to TLSv1.2.
|
|
|
|
|
|
| |
This is required to test TLS version <1.2 on systems with higher
security levels, see SSL_CTX_set_security_level(3ssl). Addapted from a
patch from <xnox> for Unbuntu.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per RFC3501 §6.3.1 and §6.3.2 ‘UIDNEXT’ must be returned in an OK
untagged response. See also Appendix B#34.
However §6.3.1 suggests that it's in fact optional: “If this is missing,
the client can not make any assumptions about the next unique identifier
value.”
A correction was proposed in Errata ID 3445 https://www.rfc-editor.org/errata/eid3445 ,
and rejected on the ground that clients SHOULD support the implement
default behavior for missing data.
We heavily rely on the ‘UIDNEXT’ presence and won't implement a
workaround for its absence; instead we panic() with a more informative
message.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
That's when get_version() was introduced. Unfortunately the manual
doesn't mention it, but 1.85 is lacking the function, see
https://github.com/radiator-software/p5-net-ssleay/blob/1.88/Changes#L216
https://github.com/radiator-software/p5-net-ssleay/commit/ae33bb5405dadde973bc25a0c5e3941d5c83f8b1
Compatibility with Net::SSLeay 1.83 can be restored by reverting this
commit and 35f4ecefa9c9ff55acfdb337b215e3d13345c86d.
|
| |
|
| |
|
|
|
|
|
| |
Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below.
See SSL_CTX_set_cipher_list(3ssl).
|
|
|
|
| |
version used.
|
|
|
|
|
| |
It's best to use a stock (clean) environment when possible. We only
need to test TLS protocol version <1.2 for tests/tls-protocols.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
It could in principle still work with earlier versions if the new
settings SSL_protocol_{min,max} are not used, however it's cumbersome to
do individual checks for specific settings, let alone maintain test
coverage with multiple OpenSSL versions.
|
|
|
|
|
|
|
|
|
|
|
| |
CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).
This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used).
|
|
|
|
|
|
| |
handshake is aborted.
(Unless STARTTLS is used to upgrade the connection.)
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Not a good idea to use a world-writable directory, see ssh_config(5)…
Note that variable expansion is only available in OpenSSH 8.4 and later,
cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 .
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is shorter and more future-proof. Quoting the manual:
restrict
Enable all restrictions, i.e. disable port, agent and X11
forwarding, as well as disabling PTY allocation and execution of
~/.ssh/rc. If any future restriction capabilities are added to
authorized_keys files they will be included in this set.
Note that this won't work with Jessie's OpenSSH server.
|
| |
|
| |
|
|
|
|
|
| |
Also, make use the tag doesn't exist, and fail early if we can't detect
the version.
|
| |
|
|
|
|
|
|
|
|
| |
Using the libssl interface simplifies our protocol black/whitelist
greatly; this only allows simple min/max bounds, but holes are arguably
not very useful here.
Using the new settings bumps the required libssl version to 1.1.0.
|
|
|
|
|
|
|
|
| |
So we can test TLSv1 as well, not just TLSv1.2 and later.
Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now require
Dovecot 2.3 or later.
|
| |
|
|
|
|
| |
This avoids maintaing our own map.
|