| Commit message (Collapse) | Author | Age | Files |
| |
|
|
|
|
|
| |
And pass CA:TRUE as basic constraint. This fixes the test suite with
OpenSSL 3.2 with defaults to X.509v3 and CA:FALSE.
|
| |
|
| |
|
|
|
|
| |
To avoid depending on the system default.
|
|
|
|
| |
That way we can avoid using autopkgtest's 'allow-stderr' restriction.
|
| |
|
|
|
|
|
|
|
| |
It wasn't the case for interimap(1), see https://bugs.debian.org/608604 …
Fortunately we create $XDG_DATA_HOME/interimap with a secure mode, but
there is no reason to have the DB world-readable. Since we can't rely
on SQLITE_OPEN_CREATE for secure mode we use sysopen(,,O_CREAT,0600).
|
| |
|
|
|
|
|
|
|
|
|
| |
And make the installation path configurable at `make` time. Moreover,
adjust the 'test' target so the site directory and interimap/pullimap
path are configurable with INTERIMAP_I and INTERIMAP_PATH respectively.
That way one can run `tests/run foo` to check the source, `make test` to
check what's been built, and we also have the possibility to check the
installed program e.g. for autopkgtests.
|
|
|
|
|
| |
And use security level 2 for ssl_cipher_list. As of dovecot 2.3.18
ssl_min_protocol defaults to TLSv1.2.
|
|
|
|
|
|
| |
This is required to test TLS version <1.2 on systems with higher
security levels, see SSL_CTX_set_security_level(3ssl). Addapted from a
patch from <xnox> for Unbuntu.
|
|
|
|
|
| |
Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below.
See SSL_CTX_set_cipher_list(3ssl).
|
|
|
|
|
| |
It's best to use a stock (clean) environment when possible. We only
need to test TLS protocol version <1.2 for tests/tls-protocols.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).
This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used).
|
|
|
|
|
|
| |
handshake is aborted.
(Unless STARTTLS is used to upgrade the connection.)
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Using the libssl interface simplifies our protocol black/whitelist
greatly; this only allows simple min/max bounds, but holes are arguably
not very useful here.
Using the new settings bumps the required libssl version to 1.1.0.
|
|
|
|
|
|
|
|
| |
So we can test TLSv1 as well, not just TLSv1.2 and later.
Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now require
Dovecot 2.3 or later.
|
| |
|
|
|
|
|
|
|
|
| |
Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1".
As of Debian Buster (OpenSSL 1.1.1) this does not make a difference,
however using the system default provides better compatibility with
future libssl versions.
|
|
|
|
|
|
| |
This is controlled by the new 'SSL_hostname' option. The default value
of that option is the value of the 'host' option when it is hostname,
and the empty string (which disables SNI) when it is an IP literal.
|
|
|
|
|
|
|
|
|
|
| |
More precisely, ensure that the certificate Subject Alternative Name
(SAN) or Subject CommonName (CN) matches the hostname or IP literal
specified by the 'host' option. Previously it was only verifying the
chain of trust.
This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version
1.0.2.
|
|
|
|
|
| |
In addition, sign test certificates with the same root CA. Hence
running `make test` now requires OpenSSL 1.1.1 or later.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This requires dovecot-imapd 2.2.31 or later.
Certificate generated with:
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \
-out tests/snippets/dovecot/dovecot.ecdsa.key
$ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
-key tests/snippets/dovecot/dovecot.ecdsa.key \
-out tests/snippets/dovecot/dovecot.ecdsa.crt
|
|
|
|
|
|
|
|
|
| |
to pin.
And succeeds if, and only if, the peer certificate SPKI matches one of
the pinned digest values. Specifying multiple digest values can key
useful in key rollover scenarios and/or when the server supports
certificates of different types (for instance RSA+ECDSA).
|
|
|
|
|
|
|
|
|
| |
It's arguably the most common use-case. Generated with
$ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
$ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
-key tests/snippets/dovecot/dovecot.rsa.key \
-out tests/snippets/dovecot/dovecot.rsa.crt
|
| |
|
|
|
|
|
| |
Set "STARTTLS = NO" to ignore. This is similar to CVE-2020-12398 and
CVE-2020-14093.
|
|
|
|
| |
For background see https://gitlab.com/muttmua/mutt/-/issues/248 .
|
|
|
|
|
|
| |
Honor BUILD_DOCDIR and DESTDIR variables.
Also, remove the `use lib` statement from our executables.
|
|
|
|
| |
comparison tests.
|
|
|
|
| |
This seems to cause timing issues.
|
| |
|
|
|
|
|
|
|
| |
Cf. https://www.imapwiki.org/ClientImplementation/MailboxList#Hierarchy_separators
“Some clients cache the hierarchy separator forever. This has problems
if the server configuration is changed (e.g. server software changed).
Try to avoid this problem.”
|
|
|
|
|
|
|
| |
Some LMTP servers, Dovecot's in particular, trims leading dots that are
not doubled (e.g. “.foo” would become “foo”). In RFC 5322 sec. 4.5.2
explicitly says that when an RFC 5322 line starts with a '.', the
character needs to be doubled.
|
|
|
|
|
| |
Mention the name of the problematic mailbox. (We may detect the
violation while not in SELECTED state.)
|
|
|
|
|
| |
This adds a dependency on Dovecot's LMTPd, which will bind to
to TCP port 10024 on the loopback interface.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
UID EXPUNGE|FETCH|STORE commands are now split into multiple (sequential)
commands when their set representation exceeds 4096 bytes in size. Without
splitting logic set representations could grow arbitrarily large, and
exceed the server's maximum command size.
This adds roundtrips which could be eliminated by pipelining, but it's
unlikely to make any difference in typical synchronization work. While set
representations seem to remain small in practice, they might grow
significantly if many non-contiguous UIDs were flagged and/or expunged, and
later synchronized at once.
Furthermore, for MULTIAPPEND-capable servers, the number of messages is
limited to 128 per APPEND command (also subject to a combined literal size of
1MiB like before).
These numbers are currently not configurable. They're intentionally lower
than Dovecot's default maximum command size (64k) in order to avoid a
deadlock situation after sending 8k-long commands under COMPRESS=DEFLATE:
https://dovecot.org/pipermail/dovecot/2019-November/117522.html .
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The UNCHANGEDSINCE test from the CONDSTORE extension was incorrectly
placed after the flag list in UID STORE commands. In practice this
meant the server didn't add the MODIFIED code when needed.
The server won't send an untagged FETCH command (and won't increase the
message's MODSEQ) if no change was made to the flag list. A panic() was
incorrectly triggered in that case.
When the flag list was set (by another client) to a superset of the UID
STORE command currently processed, the extra flags were not synchronized.
Cf. RFC 7162 sec. 3.1.3 ex. 10.
|
|
|
|
|
| |
An imapd is required as `doveadm exec imap` won't offer COMPRESS=DEFLATE
in its capability list.
|
|
|
|
|
| |
SSL connections are accepted on TCP port 10993. Also, fix STARTTLS
directive, broken since fba1c36…
|
|
|
|
|
| |
`test -f` deferences paths so fails on broken symlinks, yielding an
incorrect test environment and perhaps even a false negative.
|
|
|
|
|
|
|
|
|
| |
This can't be done with `doveadm exec imap`, so the IMAPd needs to bind
to TCP port 10143 on the loopback interface.
Also, no longer pass ‘imap_capability’ Dovecot setting explicitely to
`doveadm exec imap`; changed tests/sync-live-crippled to use type=imap
instead of type=tunnel.
|
| |
|
|
|
|
|
|
|
| |
Also, introduce new option 'logger-prefix' to determine the prefix of
each log line.
Closes: #942725.
|
| |
|