From e6bc060ec4c2577eed285215537f85047a5d3c10 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 12:38:19 +0100 Subject: typofix --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 28a1ef4..d41906b 100644 --- a/Changelog +++ b/Changelog @@ -4,7 +4,7 @@ interimap (0.5.4) upstream; Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only checking the chain of trust. This bumps the minimum - Net::SSLeay version to 1.83 and OpenSSL version 1.0.2. + Net::SSLeay version to 1.83 and OpenSSL version to 1.0.2. * libinterimap: add support for the TLS SNI (Server Name Indication) extension, controlled by the new 'SSL_hostname' option. The default value of that option is the value of the 'host' option when it is -- cgit v1.2.3 From 79463a5972229686a10c6fb39eaf3c27b85b165c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 14:54:00 +0100 Subject: Remove incorrect affirmation from 0.5.4 changelog. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test suite already required OpenSSL ≥1.1.1 as some tests are using TLSv1.3. --- Changelog | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index d41906b..42cac7a 100644 --- a/Changelog +++ b/Changelog 
@@ -11,8 +11,7 @@ interimap (0.5.4) upstream; hostname, and the empty string (which disables SNI) when it is an IP literal. + libinterimap: show the matching pinned SPKI in --debug mode. - + test suite: always generate new certificates on `make test`. Hence - running `make test` now requires OpenSSL 1.1.1 or later. + + test suite: always generate new certificates on `make test`. + test suite: sign all test certificates with the same root CA. + libinterimap: factor out hostname/IP parsing. + document that enclosing 'host' value in square brackets forces its -- cgit v1.2.3 From e3b95b0da424e55682c8c7b025d9d272a4a35ffe Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 15:09:15 +0100 Subject: libinterimap: remove default SSL_protocols value. Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1". As of Debian Buster (OpenSSL 1.1.1) this does not make a difference, however using the system default provides better compatibility with future libssl versions. --- Changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 42cac7a..b809cd3 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,13 @@ +interimap (0.5.5) upstream; + + * libinterimap: remove default SSL_protocols value "!SSLv2 !SSLv3 + !TLSv1 !TLSv1.1" and use the system default instead. As of Debian + Buster (OpenSSL 1.1.1) this does not make a difference, however using + the system default provides better compatibility with future libssl + versions. + + -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 + interimap (0.5.4) upstream; * libinterimap: make SSL_verify also checks that the certificate -- cgit v1.2.3 From 7d7a28bc77908d05983a3c3fcfed79616a1614ce Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 15:47:08 +0100 Subject: libinterimap: make $OPENSSL_VERSION global. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') 
diff --git a/Changelog b/Changelog index b809cd3..d880a0f 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,7 @@ interimap (0.5.5) upstream; Buster (OpenSSL 1.1.1) this does not make a difference, however using the system default provides better compatibility with future libssl versions. + - libinterimap: make $OPENSSL_VERSION global. -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From 35f4ecefa9c9ff55acfdb337b215e3d13345c86d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 16:23:12 +0100 Subject: libinterimap: use Net::SSLeay::get_version() to get the protocol version string. This avoids maintaining our own map. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index d880a0f..83dea70 100644 --- a/Changelog +++ b/Changelog @@ -6,6 +6,8 @@ interimap (0.5.5) upstream; the system default provides better compatibility with future libssl versions. - libinterimap: make $OPENSSL_VERSION global. + - libinterimap: use Net::SSLeay::get_version() to get the protocol + version string. -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From b99cd2fd12bc3a2c6b858e65182a47a4ef27dba2 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 17:57:22 +0100 Subject: test suite: `mv tests/snippets tests/config` --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 83dea70..e21ccf7 100644 --- a/Changelog +++ b/Changelog @@ -8,6 +8,7 @@ interimap (0.5.5) upstream; - libinterimap: make $OPENSSL_VERSION global. - libinterimap: use Net::SSLeay::get_version() to get the protocol version string. + - test suite: `mv tests/snippets tests/config` -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From ed263d4a380036b654525ee268db615c17d0d216 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin Date: Fri, 11 Dec 2020 18:28:32 +0100 Subject: test suite: supply our own OpenSSL configuration file with MinProtocol=None. So we can test TLSv1 as well, not just TLSv1.2 and later. Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration file (the default as of 2.3.11.3), hence running TLS tests now require Dovecot 2.3 or later. --- Changelog | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index e21ccf7..01e272c 100644 --- a/Changelog +++ b/Changelog @@ -9,6 +9,12 @@ interimap (0.5.5) upstream; - libinterimap: use Net::SSLeay::get_version() to get the protocol version string. - test suite: `mv tests/snippets tests/config` + - test suite: supply our own OpenSSL configuration file with + MinProtocol=None so we can test TLSv1 as well, not just TLSv1.2 and + later. + - test suite: explicitly set ssl_min_protocol=TLSv1 in the Dovecot + configuration file (the default as of 2.3.11.3), hence running TLS + tests now require Dovecot 2.3 or later. -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From feeb91998a29ca040f6e5dd103e09507a6355e32 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 18:39:46 +0100 Subject: libinterimap: deprecate SSL_protocols and introduce SSL_protocol_{min,max}. Using the libssl interface simplifies our protocol black/whitelist greatly; this only allows simple min/max bounds, but holes are arguably not very useful here. Using the new settings bumps the required libssl version to 1.1.0. --- Changelog | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 01e272c..c2f60dc 100644 --- a/Changelog +++ b/Changelog 
@@ -5,6 +5,11 @@ interimap (0.5.5) upstream; Buster (OpenSSL 1.1.1) this does not make a difference, however using the system default provides better compatibility with future libssl versions. + * libinterimap: deprecate SSL_protocols, obsoleted by new settings + SSL_protocol_{min,max}. Using the libssl interface simplifies our + protocol black/whilelist greatly; this only allows simple min/max + bounds, but holes are arguably not very useful here. Using the new + settings bumps the required libssl version to 1.1.0. - libinterimap: make $OPENSSL_VERSION global. - libinterimap: use Net::SSLeay::get_version() to get the protocol version string. @@ -24,7 +29,8 @@ interimap (0.5.4) upstream; Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only checking the chain of trust. This bumps the minimum - Net::SSLeay version to 1.83 and OpenSSL version to 1.0.2. + Net::SSLeay version to 1.83 and OpenSSL version to 1.0.2 (when + SSL_verify is used). * libinterimap: add support for the TLS SNI (Server Name Indication) extension, controlled by the new 'SSL_hostname' option. The default value of that option is the value of the 'host' option when it is -- cgit v1.2.3 From 9c192cc8946800535be678644314ec38f6e48ec7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 19:06:29 +0100 Subject: documentation: simplify SSL options in the sample configuration files. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index c2f60dc..37029cd 100644 --- a/Changelog +++ b/Changelog 
@@ -20,6 +20,7 @@ interimap (0.5.5) upstream; - test suite: explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration file (the default as of 2.3.11.3), hence running TLS tests now require Dovecot 2.3 or later. + - documentation: simplify SSL options in the sample configuration files. -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From 765a8c2f7cac073b3b70277160639f8df3acb8ef Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 20:34:07 +0100 Subject: `make release`: also bump libinterimap version and pin it in 'use' declarations. Also, make use the tag doesn't exist, and fail early if we can't detect the version. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 37029cd..b9c7df2 100644 --- a/Changelog +++ b/Changelog @@ -10,6 +10,8 @@ interimap (0.5.5) upstream; protocol black/whilelist greatly; this only allows simple min/max bounds, but holes are arguably not very useful here. Using the new settings bumps the required libssl version to 1.1.0. + + `make release`: also bump libinterimap version and pin it in 'use' + declarations. - libinterimap: make $OPENSSL_VERSION global. - libinterimap: use Net::SSLeay::get_version() to get the protocol version string. -- cgit v1.2.3 From ea120902dfe146cd7f04a289da9fa05a9e06e44c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 11 Dec 2020 21:24:32 +0100 Subject: typofix, spelling --- Changelog | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index b9c7df2..43fbf8f 100644 --- a/Changelog +++ b/Changelog 
@@ -7,7 +7,7 @@ interimap (0.5.5) upstream; versions. * libinterimap: deprecate SSL_protocols, obsoleted by new settings SSL_protocol_{min,max}. Using the libssl interface simplifies our - protocol black/whilelist greatly; this only allows simple min/max + protocol black/whitelist greatly; this only allows simple min/max bounds, but holes are arguably not very useful here. Using the new settings bumps the required libssl version to 1.1.0. + `make release`: also bump libinterimap version and pin it in 'use' @@ -54,7 +54,7 @@ interimap (0.5.4) upstream; interimap (0.5.3) upstream; - * libinterimap: SSL_fingerprint now supports a space-separate list of + * libinterimap: SSL_fingerprint now supports a space-separated list of digests to pin, and succeeds if, and only if, the peer certificate SPKI matches one of the pinned digest values. Specifying multiple digest values can key useful in key rollover scenarios and/or when @@ -103,7 +103,7 @@ interimap (0.5) upstream; (regardless of the hierarchy delimiter in use). Other changes: - * interimap: the space-speparated list of names and/or patterns in + * interimap: the space-separated list of names and/or patterns in 'list-mailbox' can now contain C-style escape sequences (backslash and hexadecimal escape). * interimap: fail when two non-INBOX LIST replies return different @@ -111,7 +111,7 @@ interimap (0.5) upstream; happen if mailboxes from different namespaces are being listed. The workaround here is to run a new interimap instance for each namespace. - * libinterimap: in tunnel mode, use a socketpair rather than two pipes + * libinterimap: in tunnel mode, use a socket pair rather than two pipes for IPC between the interimap and the IMAP server. Also, use SOCK_CLOEXEC to save an fcntl() call when setting the close-on-exec flag on the socket. 
@@ -174,7 +174,7 @@ interimap (0.5) upstream; - libinterimap: use directories relative to $HOME for the XDG environment variables default values. Previously getpwuid() was called to determine the user's home directory, while the XDG - specification explicitely mentions $HOME. Conveniently our docs + specification explicitly mentions $HOME. Conveniently our docs always mentioned ~/, which on POSIX-compliant systems expands to the value of the variable HOME. (Cf. Shell and Utilities volume of POSIX.1-2017, sec. 2.6.1.) @@ -188,7 +188,7 @@ interimap (0.5) upstream; - libinterimap: push_flag_updates(): ignore UIDs for which no untagged FETCH response was received. - libinterimap: push_flag_updates(): don't ignores received updates (by - another client) to a superset of the desigred flag list. + another client) to a superset of the desired flag list. - libinterimap: avoid sending large UID EXPUNGE|FETCH|STORE commands as they might exceed the server's max acceptable command size; these commands are now split into multiple (sequential) commands when their @@ -198,7 +198,7 @@ interimap (0.5) upstream; This is a also a workaround for a bug in Dovecot 2.3.4: https://dovecot.org/pipermail/dovecot/2019-November/117522.html - interimap: for the reason explained above, limit number of messages - to 128 per APPEND command (only on servers advertizing MULTIAPPEND, + to 128 per APPEND command (only on servers advertising MULTIAPPEND, for other servers the number remains 1). - interimap: gracefully ignore messages with a NIL RFC822 attribute. - pullimap: treat messages with a NIL RFC822 attribute as empty. -- cgit v1.2.3 From 22ef303cdc7b6d5f7de35d3189fbf157093c258e Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Sat, 12 Dec 2020 11:29:02 +0100 Subject: README: use 'restrict' option in authorized_keys(5) snippet. This is shorter and more future-proof. Quoting the manual: restrict Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set. Note that this won't work with Jessie's OpenSSH server. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 43fbf8f..196c01d 100644 --- a/Changelog +++ b/Changelog @@ -23,6 +23,8 @@ interimap (0.5.5) upstream; configuration file (the default as of 2.3.11.3), hence running TLS tests now require Dovecot 2.3 or later. - documentation: simplify SSL options in the sample configuration files. + - README: suggest 'restrict,command="/usr/bin/doveadm exec imap"' as + authorized_keys(5) options. -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From d961f6e9069308927f4882978d95706f408ef944 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 12 Dec 2020 12:12:50 +0100 Subject: README: suggest ControlPath=$XDG_RUNTIME_DIR/ssh-imap-%C for the SSH transport MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Not a good idea to use a world-writable directory, see ssh_config(5)… Note that variable expansion is only available in OpenSSH 8.4 and later, cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 . --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 196c01d..4bc426b 100644 --- a/Changelog +++ b/Changelog 
@@ -25,6 +25,9 @@ interimap (0.5.5) upstream; - documentation: simplify SSL options in the sample configuration files. - README: suggest 'restrict,command="/usr/bin/doveadm exec imap"' as authorized_keys(5) options. + - README: suggest ControlPath=$XDG_RUNTIME_DIR/ssh-imap-%C for the SSH + transport (note that variable expansion is only available in OpenSSH + 8.4 and later). -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From b70d9b261a6d2849efeb670b53e0ab726a58fb59 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 13 Dec 2020 15:07:30 +0100 Subject: Make error messages more uniform and consistent. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 4bc426b..931e526 100644 --- a/Changelog +++ b/Changelog @@ -12,6 +12,7 @@ interimap (0.5.5) upstream; settings bumps the required libssl version to 1.1.0. + `make release`: also bump libinterimap version and pin it in 'use' declarations. + + Make error messages more uniform and consistent. - libinterimap: make $OPENSSL_VERSION global. - libinterimap: use Net::SSLeay::get_version() to get the protocol version string. -- cgit v1.2.3 From ba9d8af01141a6d5d5b98a0e249c311814b844a6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 13 Dec 2020 17:37:32 +0100 Subject: test suite: ensure we haven't started speaking IMAP when the SSL/TLS handshake is aborted. (Unless STARTTLS is used to upgrade the connection.) --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 931e526..9a36e8a 100644 --- a/Changelog +++ b/Changelog 
@@ -29,6 +29,9 @@ interimap (0.5.5) upstream; - README: suggest ControlPath=$XDG_RUNTIME_DIR/ssh-imap-%C for the SSH transport (note that variable expansion is only available in OpenSSH 8.4 and later). + - test suite: ensure we haven't started speaking IMAP when the SSL/TLS + handshake is aborted (unless STARTTLS is used to upgrade to + connection). -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From 8c43ed9baa905d907a6aad77de2282a852ba69a9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 13 Dec 2020 17:43:52 +0100 Subject: libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set. In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used). --- Changelog | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 9a36e8a..2fbdf36 100644 --- a/Changelog +++ b/Changelog @@ -10,6 +10,12 @@ interimap (0.5.5) upstream; protocol black/whitelist greatly; this only allows simple min/max bounds, but holes are arguably not very useful here. Using the new settings bumps the required libssl version to 1.1.0. + * libinterimap: use default locations for trusted CA certificates when + neither CAfile nor CApath are set. In particular, OpenSSL's default + locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR + environment variables, see SSL_CTX_load_verify_locations(3ssl). + This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is + used). + `make release`: also bump libinterimap version and pin it in 'use' declarations. + Make error messages more uniform and consistent. -- cgit v1.2.3 From 0a358b8e929be3cbf9586e2a9146c209903f6896 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Sun, 13 Dec 2020 18:15:39 +0100 Subject: libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0. It could in principle still work with earlier versions if the new settings SSL_protocol_{min,max} are not used, however it's cumbersome to do individual checks for specific settings, let alone maintain test coverage with multiple OpenSSL versions. --- Changelog | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 2fbdf36..773065d 100644 --- a/Changelog +++ b/Changelog @@ -8,14 +8,16 @@ interimap (0.5.5) upstream; * libinterimap: deprecate SSL_protocols, obsoleted by new settings SSL_protocol_{min,max}. Using the libssl interface simplifies our protocol black/whitelist greatly; this only allows simple min/max - bounds, but holes are arguably not very useful here. Using the new - settings bumps the required libssl version to 1.1.0. + bounds, but holes are arguably not very useful here. * libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set. In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). - This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is - used). + * libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0. + It could in principle still work with earlier versions if the new + settings SSL_protocol_{min,max} are not used, however it's cumbersome + to do individual checks for specific settings, let alone maintain + test coverage with multiple OpenSSL versions. + `make release`: also bump libinterimap version and pin it in 'use' declarations. + Make error messages more uniform and consistent. -- cgit v1.2.3 From 9c8b3460c4ae5026066aff9ea1b7d38716c893a8 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Sun, 13 Dec 2020 23:02:22 +0100 Subject: Remove obsolete Changelog entry. --- Changelog | 1 - 1 file changed, 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 773065d..000e3a1 100644 --- a/Changelog +++ b/Changelog @@ -21,7 +21,6 @@ interimap (0.5.5) upstream; + `make release`: also bump libinterimap version and pin it in 'use' declarations. + Make error messages more uniform and consistent. - - libinterimap: make $OPENSSL_VERSION global. - libinterimap: use Net::SSLeay::get_version() to get the protocol version string. - test suite: `mv tests/snippets tests/config` -- cgit v1.2.3 From 30c2bc3c362a4eb6b35560cff0bd95404360fe22 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 17 Dec 2020 13:47:09 +0100 Subject: test suite: use stock OpenSSL config except for tests/tls-protocols. It's best to use a stock (clean) environment when possible. We only need to test TLS protocol version <1.2 for tests/tls-protocols. --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 000e3a1..c401c2d 100644 --- a/Changelog +++ b/Changelog @@ -24,7 +24,7 @@ interimap (0.5.5) upstream; - libinterimap: use Net::SSLeay::get_version() to get the protocol version string. - test suite: `mv tests/snippets tests/config` - - test suite: supply our own OpenSSL configuration file with + - tests/tls-protocols: use custom OpenSSL configuration file with MinProtocol=None so we can test TLSv1 as well, not just TLSv1.2 and later. - test suite: explicitly set ssl_min_protocol=TLSv1 in the Dovecot -- cgit v1.2.3 From 1a19feb7a4b3d70f44e4e1fb0f9920b063842422 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 17 Dec 2020 14:54:34 +0100 Subject: manuals: Clarify that known TLS protocol versions depend on the OpenSSL version used. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') 
diff --git a/Changelog b/Changelog index c401c2d..afee1ca 100644 --- a/Changelog +++ b/Changelog @@ -39,6 +39,8 @@ interimap (0.5.5) upstream; - test suite: ensure we haven't started speaking IMAP when the SSL/TLS handshake is aborted (unless STARTTLS is used to upgrade to connection). + - documentation: Clarify that known TLS protocol versions depend on the + OpenSSL version used. -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From 57988c83bb4b3f1780f045880ac4a8f36a51c55c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 17 Dec 2020 17:38:17 +0100 Subject: libinterimap: new option SSL_ciphersuites to set the TLSv1.3 ciphersuites. Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below. See SSL_CTX_set_cipher_list(3ssl). --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index afee1ca..29ca360 100644 --- a/Changelog +++ b/Changelog @@ -18,6 +18,9 @@ interimap (0.5.5) upstream; settings SSL_protocol_{min,max} are not used, however it's cumbersome to do individual checks for specific settings, let alone maintain test coverage with multiple OpenSSL versions. + * libinterimap: new option SSL_ciphersuites to set the TLSv1.3 + ciphersuites; also, clarify that SSL_cipherlist only applies to + TLSv1.2 and below, see SSL_CTX_set_cipher_list(3ssl). + `make release`: also bump libinterimap version and pin it in 'use' declarations. + Make error messages more uniform and consistent. -- cgit v1.2.3 From 28949bd234e3d977bc2dfc10df3a76a921cc2c07 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 17 Dec 2020 19:08:48 +0100 Subject: typofix --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 29ca360..6e9cf1c 100644 --- a/Changelog +++ b/Changelog 
@@ -42,7 +42,7 @@ interimap (0.5.5) upstream; - test suite: ensure we haven't started speaking IMAP when the SSL/TLS handshake is aborted (unless STARTTLS is used to upgrade to connection). - - documentation: Clarify that known TLS protocol versions depend on the + - documentation: clarify that known TLS protocol versions depend on the OpenSSL version used. -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 -- cgit v1.2.3 From 9cbaed6527c3030819976dbe41bfb4392d6a6fa2 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 26 Dec 2020 23:11:11 +0100 Subject: Prepare new release v0.5.5. --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 6e9cf1c..cba8719 100644 --- a/Changelog +++ b/Changelog @@ -45,7 +45,7 @@ interimap (0.5.5) upstream; - documentation: clarify that known TLS protocol versions depend on the OpenSSL version used. - -- Guilhem Moulin Fri, 11 Dec 2020 14:55:53 +0100 + -- Guilhem Moulin Sat, 26 Dec 2020 23:11:10 +0100 interimap (0.5.4) upstream; -- cgit v1.2.3
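Review bot: in commit e3b95b0d (hunk @@ -1,3 +1,13 @@), the new 0.5.5 entry states the effect of dropping the "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1" default only for Debian Buster. With the built-in exclusion gone, the protocol floor is whatever the system libssl configuration permits, so on a host whose defaults still accept TLSv1 or TLSv1.1 those versions become negotiable again after upgrading. Suggest adding a sentence telling users who need a fixed floor to set it explicitly instead of relying on the system default.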
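Review bot: in commit feeb9199 (hunk @@ -5,6 +5,11 @@), the added entry deprecates SSL_protocols in favour of SSL_protocol_{min,max} but does not say whether the old setting is still honoured, nor which one wins when a configuration carries both. That matters for anyone whose existing SSL_protocols line is their only restriction on old TLS versions; suggest stating the precedence and what a deprecated setting does at run time. The same added line also has "black/whilelist", which is only corrected later in ea120902 and could be fixed here.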
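Review bot: in the typofix commit ea120902 (hunk @@ -54,7 +54,7 @@), the context two lines below the corrected "space-separated" still reads "Specifying multiple digest values can key useful in key rollover scenarios". Since this pass is already touching the SSL_fingerprint entry, suggest changing "can key useful" to "can be useful" in the same commit.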
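Review bot: in the typofix commit ea120902 (hunk @@ -188,7 +188,7 @@), the line directly above the corrected "desired" still reads "don't ignores received updates". Suggest "don't ignore" so the push_flag_updates() entry is fixed in one go rather than needing a further spelling commit.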
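Review bot: in commit 22ef303c (hunk @@ -23,6 +23,8 @@), the added README entry recommends 'restrict,command="/usr/bin/doveadm exec imap"' without the compatibility caveat that the commit message gives ("this won't work with Jessie's OpenSSH server"). The ControlPath entry added in the next commit does carry its OpenSSH version requirement, so for consistency suggest a parenthetical here naming the sshd versions on which the 'restrict' option is unavailable.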
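Review bot: in commit d961f6e9 (hunk @@ -25,6 +25,9 @@), the added entry gives the new ControlPath value and its OpenSSH 8.4 requirement but leaves out the reason stated in the commit message, namely that a world-writable directory is not a good place for the control socket. Suggest including that reason so readers who copied an earlier sample know the change is a hardening one, and saying what clients older than 8.4, which cannot expand $XDG_RUNTIME_DIR, should use instead.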
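Review bot: in commit ba9d8af0 (hunk @@ -29,6 +29,9 @@), the added lines end with "unless STARTTLS is used to upgrade to connection", while the commit message says "upgrade the connection". The typo is still present in the context of the later 28949bd2 typofix hunk and in the v0.5.5 release commit, so suggest correcting "to connection" to "the connection" before tagging.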
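Review bot: in commit 8c43ed9b (hunk @@ -10,6 +10,12 @@), the added entry does not say what happened before when neither CAfile nor CApath was set, so a reader cannot tell whether SSL_verify previously failed or verified against an empty store. Because the default locations can be overridden through SSL_CERT_FILE and SSL_CERT_DIR, the trust anchors now depend on the process environment; suggest stating the previous behaviour and noting that deployments wanting a fixed trust store should keep setting CAfile or CApath.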