From f72316ddd989e581b22d96e2f05b76efd59e092c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 4 Aug 2020 03:07:01 +0200 Subject: Improve long command wrapping. --- doc/interimap.1.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'doc/interimap.1.md') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index f10ced6..9cfa2fa 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -405,9 +405,9 @@ Valid options are: The following command can be used to compute the SHA-256 digest of a certificate's Subject Public Key Info: - openssl x509 -in /path/to/server/certificate.pem -pubkey \ - | openssl pkey -pubin -outform DER \ - | openssl dgst -sha256 + $ openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 *SSL_verify* -- cgit v1.2.3 From 44de56076c4db37acb981d6a24e42f919dcf8520 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 4 Aug 2020 03:44:18 +0200 Subject: typofix --- doc/interimap.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/interimap.1.md') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 9cfa2fa..5370d79 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -469,7 +469,7 @@ Known bugs and limitations * Because the [IMAP protocol][RFC 3501] doesn't provide a way for clients to determine whether a disappeared mailbox was deleted or renamed, `interimap` aborts when a known mailbox disappeared from one - server but not the other. The `--delete` (resp. `rename`) command + server but not the other. The `--delete` (resp. `--rename`) command should be used instead to delete (resp. rename) the mailbox on both servers as well as within `interimap`'s internal database. -- cgit v1.2.3 From b5a74469e5c5e828d5799ae4a66d70347f8aa8a6 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Tue, 4 Aug 2020 03:46:24 +0200 Subject: typofix --- doc/interimap.1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc/interimap.1.md') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 5370d79..de39880 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -397,8 +397,8 @@ Valid options are: *SSL_fingerprint* : Fingerprint of the server certificate's Subject Public Key Info, in - the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by - default `sha256`). + the form `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm + (by default `sha256`). Attempting to connect to a server with a non-matching certificate SPKI fingerprint causes `interimap` to abort the connection during the SSL/TLS handshake. -- cgit v1.2.3 From 1630f2387c52a0ac460922eda6535165fdb279d1 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 8 Dec 2020 16:03:23 +0100 Subject: libinterimap: 'debug' forces 'null-stderr' = 0. The standard error is never sent to /dev/null in debug mode. Closes: deb#968392 --- doc/interimap.1.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'doc/interimap.1.md') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index de39880..c70698b 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -376,7 +376,8 @@ Valid options are: *null-stderr* : Whether to redirect *command*'s standard error to `/dev/null` for - `type=tunnel`. (Default: `NO`.) + `type=tunnel`. This option is ignored when the `--debug` flag is + set. (Default: `NO`.) *SSL_protocols* -- cgit v1.2.3 From a1ef66a76b4a6651b7371a9fd1e35f2f99e85bfa Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Wed, 9 Dec 2020 15:06:37 +0100 Subject: libinterimap: SSL_fingerprint now supports a space-separated list of digests to pin. And succeeds if, and only if, the peer certificate SPKI matches one of the pinned digest values. Specifying multiple digest values can be useful in key rollover scenarios and/or when the server supports certificates of different types (for instance RSA+ECDSA). --- doc/interimap.1.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'doc/interimap.1.md') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index c70698b..9b53a69 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -397,9 +397,10 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate's Subject Public Key Info, in - the form `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm - (by default `sha256`). +: Space-separated list of acceptable fingerprints for the server + certificate's Subject Public Key Info, in the form + `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default + `sha256`). Attempting to connect to a server with a non-matching certificate SPKI fingerprint causes `interimap` to abort the connection during the SSL/TLS handshake. @@ -410,6 +411,11 @@ Valid options are: | openssl pkey -pubin -outform DER \ | openssl dgst -sha256 + Specifying multiple digest values can be useful in key rollover + scenarios and/or when the server supports certificates of different + types (for instance RSA+ECDSA). In that case the connection is + aborted when none of the specified digests matches. + *SSL_verify* : Whether to verify the server certificate chain. -- cgit v1.2.3 From 83f85ee3a6fde64a0809180a13e0cc8a3d703bca Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 15:29:34 +0100 Subject: typofix --- doc/interimap.1.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'doc/interimap.1.md') 
diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 9b53a69..7df0100 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -420,8 +420,8 @@ Valid options are: : Whether to verify the server certificate chain. Note that using *SSL_fingerprint* to specify the fingerprint of the - server certificate is an orthogonal authentication measure as it - ignores the CA chain. + server certificate provides an independent server authentication + measure as it ignores the CA chain. (Default: `YES`.) *SSL_CApath* @@ -434,7 +434,7 @@ Valid options are: *SSL_CAfile* : File containing trusted certificates to use during server - certificate authentication if `SSL_verify=YES`. + certificate verification if `SSL_verify=YES`. Supported extensions {#supported-extensions} ==================== -- cgit v1.2.3
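
Review bot: In the `@@ -405,9 +405,9 @@` hunk of "Improve long command wrapping", the new `$ ` prompt sits inside a pipeline that readers copy into a shell, and only the first of the three lines carries it, so a paste of the block now needs hand editing; dropping the prompt or keeping it out of the copyable text would avoid that. Two related points on the same command: `openssl x509 -pubkey` without `-noout` also prints the certificate after the public key, so adding `-noout` keeps the pipe to the key alone, and `openssl dgst -sha256` prints a label before the hex digest, so the text should say that only the hex string is the `DIGEST_HEX` value for *SSL_fingerprint*.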
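
Review bot: In the *null-stderr* hunk (`@@ -376,7 +376,8 @@`), "This option is ignored when the `--debug` flag is set" does not say which behaviour wins, while the commit message does: standard error is never sent to `/dev/null` in debug mode. Suggest wording the man page the same way, for example "With `--debug`, *command*'s standard error is never redirected, regardless of this option", so a user with `null-stderr=YES` knows to expect tunnel output on the terminal.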
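
Review bot: In the *SSL_fingerprint* hunks (`@@ -397,9 +397,10 @@` and `@@ -410,6 +411,11 @@`), the abort condition is now stated twice and inconsistently: the unchanged sentence still speaks of "a non-matching certificate SPKI fingerprint" in the singular, and the new closing sentence repeats it for the list case. Suggest folding both into one sentence saying the handshake is aborted unless the peer SPKI matches one of the listed digests. The text should also say whether each list item may carry its own `ALGO$` prefix, and note that every listed digest is accepted, so a pin kept for a rollover should be removed once the old key is retired.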
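
Review bot: In the *SSL_verify* hunk (`@@ -420,8 +420,8 @@`), the reworded sentence still says *SSL_fingerprint* specifies "the fingerprint of the server certificate", whereas the option's own description pins the certificate's Subject Public Key Info; suggest "the server certificate's SPKI fingerprint" so readers do not compute a whole-certificate digest. "Independent server authentication measure" would also be clearer if it stated whether the pin check applies in addition to chain verification when `SSL_verify=YES`, and whether it still applies with `SSL_verify=NO`.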