From 7c5ec1cb62410f8cd7ca31c2d2a5ec92d7f0de7b Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:03:17 +0100 Subject: Fix broken URLs. --- doc/interimap.1.md | 4 ++-- doc/pullimap.1.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 7df0100..2c9ddc6 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -568,6 +568,6 @@ A _getting started_ guide is available [there](getting-started.html). [INI file]: https://en.wikipedia.org/wiki/INI_file [PCRE]: https://en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions -[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html -[`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/verify.html +[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html +[`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-verify.html [`doveadm-deduplicate`(1)]: https://wiki.dovecot.org/Tools/Doveadm/Deduplicate diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index 98ec2ef..42ea282 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -378,5 +378,5 @@ Standards [`fetchmail`(1)]: https://www.fetchmail.info/ [`getmail`(1)]: http://pyropus.ca/software/getmail/ [`write`(2)]: https://man7.org/linux/man-pages/man2/write.2.html -[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html -[`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/verify.html +[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html +[`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-verify.html -- cgit v1.2.3 From c011e17d4f238882686e3f0e59c444a1c53ac8e3 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 10 Dec 2020 14:24:49 +0100 Subject: documentation: replace example.org with example.net for consistency. --- doc/getting-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') 
diff --git a/doc/getting-started.md b/doc/getting-started.md index 1d059b4..83d3ba9 100644 --- a/doc/getting-started.md +++ b/doc/getting-started.md @@ -198,7 +198,7 @@ for the sake of clarity we start from an empty file here. shell process doesn't linger around during the IMAP session.) 3. And finally append a `[remote]` section with your account - information at `imap.example.org` (adapt the values accordingly): + information at `imap.example.net` (adapt the values accordingly): $ cat >>${XDG_CONFIG_HOME:-~/.config}/interimap/config <<-EOF -- cgit v1.2.3 From 84d1829fd0f955cf9fb7add54f60fc314b0d42b1 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 10 Dec 2020 15:26:46 +0100 Subject: libinterimap: factor out hostname/IP parsing. Also, document that enclosing 'host' value in square brackets forces its interpretation as an IP literal (hence skips name resolution). --- doc/interimap.1.md | 4 +++- doc/pullimap.1.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 2c9ddc6..ab35275 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -317,7 +317,9 @@ Valid options are: *host* -: Server hostname, for `type=imap` and `type=imaps`. +: Server hostname or IP address, for `type=imap` and `type=imaps`. + The value can optionally be enclosed in square brackets to force its + interpretation as an IP literal (hence skip name resolution). (Default: `localhost`.) *port* diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index 42ea282..57790a6 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -139,7 +139,9 @@ Valid options are: *host* -: Server hostname, for `type=imap` and `type=imaps`. +: Server hostname or IP address, for `type=imap` and `type=imaps`. + The value can optionally be enclosed in square brackets to force its + interpretation as an IP literal (hence skip name resolution). (Default: `localhost`.) *port* -- cgit v1.2.3 
From 265f133600e9812726a52ea3067409ed3578e882 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 10 Dec 2020 19:39:10 +0100 Subject: libinterimap: make SSL_verify check the hostname as well. More precisely, ensure that the certificate Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only verifying the chain of trust. This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version 1.0.2. --- doc/build.md | 2 +- doc/interimap.1.md | 14 +++++++++----- doc/pullimap.1.md | 14 +++++++++----- 3 files changed, 19 insertions(+), 11 deletions(-) (limited to 'doc') diff --git a/doc/build.md b/doc/build.md index 4a4f80d..47d1a89 100644 --- a/doc/build.md +++ b/doc/build.md @@ -24,7 +24,7 @@ following Perl modules: * [`Getopt::Long`](https://perldoc.perl.org/Getopt/Long.html) (*core module*) * [`MIME::Base64`](https://perldoc.perl.org/MIME/Base64.html) (*core module*) — if authentication is required * [`List::Util`](https://perldoc.perl.org/List/Util.html) (*core module*) - * [`Net::SSLeay`](https://metacpan.org/pod/Net::SSLeay) ≥1.73 + * [`Net::SSLeay`](https://metacpan.org/pod/Net::SSLeay) ≥1.83 * [`POSIX`](https://perldoc.perl.org/POSIX.html) (*core module*) * [`Socket`](https://perldoc.perl.org/Socket.html) (*core module*) * [`Time::HiRes`](https://perldoc.perl.org/Time/HiRes.html) (*core module*) — if `logfile` is set diff --git a/doc/interimap.1.md b/doc/interimap.1.md index ab35275..d21424b 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md 
@@ -420,15 +420,19 @@ Valid options are: *SSL_verify* -: Whether to verify the server certificate chain. +: Whether to verify the server certificate chain, and match its + Subject Alternative Name (SAN) or Subject CommonName (CN) against + the value of the *host* option. + (Default: `YES`.) + Note that using *SSL_fingerprint* to specify the fingerprint of the server certificate provides an independent server authentication - measure as it ignores the CA chain. - (Default: `YES`.) + measure as it pins directly its key material and ignore its chain of + trust. *SSL_CApath* -: Directory to use for server certificate verification if +: Directory to use for server certificate verification when `SSL_verify=YES`. This directory must be in “hash format”, see [`verify`(1ssl)] for more information. @@ -436,7 +440,7 @@ Valid options are: *SSL_CAfile* : File containing trusted certificates to use during server - certificate verification if `SSL_verify=YES`. + certificate verification when `SSL_verify=YES`. Supported extensions {#supported-extensions} ==================== diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index 57790a6..bcf5ade 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md 
@@ -239,15 +239,19 @@ Valid options are: *SSL_verify* -: Whether to verify the server certificate chain. +: Whether to verify the server certificate chain, and match its + Subject Alternative Name (SAN) or Subject CommonName (CN) against + the value of the *host* option. + (Default: `YES`.) + Note that using *SSL_fingerprint* to specify the fingerprint of the server certificate provides an independent server authentication - measure as it ignores the CA chain. - (Default: `YES`.) + measure as it pins directly its key material and ignore its chain of + trust. *SSL_CApath* -: Directory to use for server certificate verification if +: Directory to use for server certificate verification when `SSL_verify=YES`. This directory must be in “hash format”, see [`verify`(1ssl)] for more information. @@ -255,7 +259,7 @@ Valid options are: *SSL_CAfile* : File containing trusted certificates to use during server - certificate verification if `SSL_verify=YES`. + certificate verification when `SSL_verify=YES`. Control flow {#control-flow} ============ -- cgit v1.2.3 From 09376bac4fe99c542223ba0ae23ad6067410b1fa Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 10 Dec 2020 20:44:40 +0100 Subject: typofix --- doc/build.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/build.md b/doc/build.md index 47d1a89..d922e43 100644 --- a/doc/build.md +++ b/doc/build.md @@ -1,7 +1,7 @@ % Build instructions % [Guilhem Moulin](mailto:guilhem@fripost.org) -On Debian 9 (codename *Stretch*) and later, installing [`interimap`(1)] +On Debian 10 (codename *Buster*) and later, installing [`interimap`(1)] is a single command away: $ sudo apt install interimap -- cgit v1.2.3 From 4ed6f0982cc0553e31e7beadf441beb8573a07d4 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Thu, 10 Dec 2020 21:52:44 +0100 Subject: libinterimap: add support for the TLS SNI (Server Name Indication) extension. This is controlled by the new 'SSL_hostname' option. The default value of that option is the value of the 'host' option when it is hostname, and the empty string (which disables SNI) when it is an IP literal. --- doc/interimap.1.md | 7 +++++++ doc/pullimap.1.md | 7 +++++++ 2 files changed, 14 insertions(+) (limited to 'doc') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index d21424b..54c3dcf 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -442,6 +442,13 @@ Valid options are: : File containing trusted certificates to use during server certificate verification when `SSL_verify=YES`. +*SSL_hostname* + +: Name to use for the TLS SNI (Server Name Indication) extension. The + default value is taken from the *host* option when it is a hostname, + and to the empty string when it is an IP literal. + Setting *SSL_hostname* to the empty string explicitly disables SNI. + Supported extensions {#supported-extensions} ==================== diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index bcf5ade..fb3a73b 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -261,6 +261,13 @@ Valid options are: : File containing trusted certificates to use during server certificate verification when `SSL_verify=YES`. +*SSL_hostname* + +: Name to use for the TLS SNI (Server Name Indication) extension. The + default value is taken from the *host* option when it is a hostname, + and to the empty string when it is an IP literal. + Setting *SSL_hostname* to the empty string explicitly disables SNI. + Control flow {#control-flow} ============ -- cgit v1.2.3 From eb60cecd3c813372ed618751fe5c77229d26df76 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Thu, 10 Dec 2020 22:41:56 +0100 Subject: documentation: improve wording. --- doc/interimap.1.md | 4 ++-- doc/pullimap.1.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 54c3dcf..2d2a637 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -329,8 +329,8 @@ Valid options are: *proxy* -: An optional SOCKS proxy to use for TCP connections to the IMAP - server (`type=imap` and `type=imaps` only), formatted as +: Optional SOCKS proxy to use for TCP connections to the IMAP server + (`type=imap` and `type=imaps` only), formatted as `PROTOCOL://[USER:PASSWORD@]PROXYHOST[:PROXYPORT]`. If `PROXYPORT` is omitted, it is assumed at port 1080. Only [SOCKSv5][RFC 1928] is supported (with optional diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index fb3a73b..c9500e0 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -151,8 +151,8 @@ Valid options are: *proxy* -: An optional SOCKS proxy to use for TCP connections to the IMAP - server (`type=imap` and `type=imaps` only), formatted as +: Optional SOCKS proxy to use for TCP connections to the IMAP server + (`type=imap` and `type=imaps` only), formatted as `PROTOCOL://[USER:PASSWORD@]PROXYHOST[:PROXYPORT]`. If `PROXYPORT` is omitted, it is assumed at port 1080. Only [SOCKSv5][RFC 1928] is supported (with optional -- cgit v1.2.3 From 46fe928647ad8d38ced79a36d38cd152055ed005 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 10 Dec 2020 23:43:16 +0100 Subject: rename 'debian' branch to 'debian/latest' for DEP-14 compliance. --- doc/build.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/build.md b/doc/build.md index d922e43..b9291f7 100644 --- a/doc/build.md +++ b/doc/build.md 
@@ -84,12 +84,12 @@ Debian GNU/Linux users can also use [`gbp`(1)] from [`git-buildpackage`](https://tracker.debian.org/pkg/git-buildpackage) in order to build their own packages: - $ git checkout debian + $ git checkout debian/latest $ gbp buildpackage Alternatively, for the development version: - $ git checkout debian + $ git checkout debian/latest $ git merge master $ gbp buildpackage --git-force-create --git-upstream-tree=BRANCH -- cgit v1.2.3
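
Review bot: In the *host* hunks of "libinterimap: factor out hostname/IP parsing" (doc/interimap.1.md @@ -317,7 +317,9 and the identical doc/pullimap.1.md @@ -139,7 +139,9), the added sentence does not say what happens when the bracketed value is not a valid IP address, nor whether an IPv6 address is accepted without brackets. Because brackets skip name resolution, the failure mode matters to the user: please state it explicitly and add one bracketed example next to "(Default: `localhost`.)" so the expected form is unambiguous.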
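
Review bot: The doc/build.md hunk @@ -24,7 +24,7 of "libinterimap: make SSL_verify check the hostname as well" raises only the Net::SSLeay minimum to ≥1.83, while the commit message also bumps the minimum OpenSSL version to 1.0.2. Nothing in the visible hunk records the OpenSSL requirement; if build.md lists it elsewhere, update it in the same commit, otherwise add it beside the Net::SSLeay entry so both minimums are documented together.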
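
Review bot: Grammar in the last added lines of the *SSL_verify* hunk in doc/interimap.1.md (@@ -420,15 +420,19): "measure as it pins directly its key material and ignore its chain of trust" should read "measure as it directly pins its key material and ignores its chain of trust". The same sentence is copied into doc/pullimap.1.md @@ -239,15 +239,19 and needs the same fix.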
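
Review bot: The *SSL_verify* hunk in doc/pullimap.1.md (@@ -239,15 +239,19, and equally its interimap.1.md twin) documents the new SAN/CN match against *host* but not the behaviour change that comes with it: per the commit message only the chain of trust was verified before, so an existing configuration whose *host* value does not appear in the server certificate will start failing with the default `SSL_verify=YES`. Please add a sentence saying so, and that the remedy is to set *host* to a name or IP literal the certificate covers or to pin with *SSL_fingerprint*. It would also help to state whether the hostname match is still enforced when *SSL_fingerprint* is set, since "independent server authentication measure" leaves that open.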
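
Review bot: In the new *SSL_hostname* entry (doc/interimap.1.md @@ -442,6 +442,13 and doc/pullimap.1.md @@ -261,6 +261,13), the text does not say whether overriding the SNI name also changes the name used for certificate matching. The *SSL_verify* entry says the SAN/CN is matched against *host*, so a reader setting *SSL_hostname* to a different name cannot tell which one is verified; please state explicitly that *SSL_hostname* only affects the SNI extension, if that is the case. Separately, "is taken from the *host* option when it is a hostname, and to the empty string when it is an IP literal" does not parse; "and is the empty string when it is an IP literal" would fix it.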