| Commit message | Author | Age | Files |
Cf. https://www.gnu.org/prep/standards/html_node/Command-Variables.html .
Cf. https://www.gnu.org/prep/standards/html_node/Directory-Variables.html .
And use security level 2 for ssl_cipher_list. As of dovecot 2.3.18
ssl_min_protocol defaults to TLSv1.2.
This is required to test TLS version <1.2 on systems with higher
security levels, see SSL_CTX_set_security_level(3ssl). Adapted from a
patch from <xnox> for Ubuntu.
Per RFC3501 §6.3.1 and §6.3.2 ‘UIDNEXT’ must be returned in an OK
untagged response. See also Appendix B#34.
However §6.3.1 suggests that it's in fact optional: “If this is missing,
the client can not make any assumptions about the next unique identifier
value.”
A correction was proposed in Errata ID 3445 https://www.rfc-editor.org/errata/eid3445 ,
and rejected on the ground that clients SHOULD support the implement
default behavior for missing data.
We heavily rely on the ‘UIDNEXT’ presence and won't implement a
workaround for its absence; instead we panic() with a more informative
message.
That's when get_version() was introduced. Unfortunately the manual
doesn't mention it, but 1.85 is lacking the function, see
https://github.com/radiator-software/p5-net-ssleay/blob/1.88/Changes#L216
https://github.com/radiator-software/p5-net-ssleay/commit/ae33bb5405dadde973bc25a0c5e3941d5c83f8b1
Compatibility with Net::SSLeay 1.83 can be restored by reverting this
commit and 35f4ecefa9c9ff55acfdb337b215e3d13345c86d.
Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below.
See SSL_CTX_set_cipher_list(3ssl).
version used.
It's best to use a stock (clean) environment when possible. We only
need to test TLS protocol version <1.2 for tests/tls-protocols.
It could in principle still work with earlier versions if the new
settings SSL_protocol_{min,max} are not used; however, it's cumbersome to
do individual checks for specific settings, let alone maintain test
coverage with multiple OpenSSL versions.
CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).
This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used).
handshake is aborted.
(Unless STARTTLS is used to upgrade the connection.)
Not a good idea to use a world-writable directory, see ssh_config(5)…
Note that variable expansion is only available in OpenSSH 8.4 and later,
cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 .
This is shorter and more future-proof. Quoting the manual:

    restrict
        Enable all restrictions, i.e. disable port, agent and X11
        forwarding, as well as disabling PTY allocation and execution of
        ~/.ssh/rc. If any future restriction capabilities are added to
        authorized_keys files they will be included in this set.

Note that this won't work with Jessie's OpenSSH server.
Also, make sure the tag doesn't exist, and fail early if we can't detect
the version.
Using the libssl interface simplifies our protocol black/whitelist
greatly; this only allows simple min/max bounds, but holes are arguably
not very useful here.
Using the new settings bumps the required libssl version to 1.1.0.
So we can test TLSv1 as well, not just TLSv1.2 and later.
Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now requires
Dovecot 2.3 or later.
This avoids maintaining our own map.
Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1".
As of Debian Buster (OpenSSL 1.1.1) this does not make a difference,
however using the system default provides better compatibility with
future libssl versions.
The test suite already required OpenSSL ≥1.1.1 as some tests are using
TLSv1.3.
Also, change the tag format from upstream/$VERSION to v$VERSION.
This is controlled by the new 'SSL_hostname' option. The default value
of that option is the value of the 'host' option when it is a hostname,
and the empty string (which disables SNI) when it is an IP literal.
More precisely, ensure that the certificate Subject Alternative Name
(SAN) or Subject CommonName (CN) matches the hostname or IP literal
specified by the 'host' option. Previously it was only verifying the
chain of trust.
This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version
1.0.2.
Also, document that enclosing 'host' value in square brackets forces its
interpretation as an IP literal (hence skips name resolution).
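How the 'SSL_hostname' default described above and the bracketed 'host' form combine, as an added Python illustration that is not the project's own code; the function names, and rejecting a bracketed value that is not an IP literal, are assumptions of this example:

```python
import ipaddress
from typing import Optional, Tuple


def parse_host_option(host: str) -> Tuple[str, bool]:
    """Split the 'host' option into (address, is_ip_literal).

    Square brackets force the value to be read as an IP literal (so no name
    resolution happens); an unbracketed value counts as an IP literal only
    when it parses as one.  Rejecting a bracketed non-IP value is this
    example's assumption, not documented project behaviour.
    """
    if host.startswith("[") and host.endswith("]"):
        inner = host[1:-1]
        try:
            ipaddress.ip_address(inner)
        except ValueError:
            raise ValueError(f"bracketed host is not an IP literal: {host!r}") from None
        return inner, True
    try:
        ipaddress.ip_address(host)
        return host, True
    except ValueError:
        return host, False


def default_ssl_hostname(host: str) -> str:
    """Default for SSL_hostname: the hostname itself, or "" (SNI disabled)
    when 'host' is an IP literal, since an IP is never a valid SNI name."""
    address, is_ip = parse_host_option(host)
    return "" if is_ip else address


def effective_sni(host: str, ssl_hostname: Optional[str] = None) -> Optional[str]:
    """Name to send in the TLS SNI extension, or None when SNI is disabled.

    An explicit SSL_hostname (even the empty string) wins over the default.
    """
    name = default_ssl_hostname(host) if ssl_hostname is None else ssl_hostname
    return name or None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for h in ("imap.example.net", "192.0.2.10", "[2001:db8::1]"):
        print(f"host={h!r:20} SNI={effective_sni(h)!r}")
```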