From ed263d4a380036b654525ee268db615c17d0d216 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Fri, 11 Dec 2020 18:28:32 +0100
Subject: test suite: supply our own OpenSSL configuration file with
 MinProtocol=None.

So we can test TLSv1 as well, not just TLSv1.2 and later.

Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now require
Dovecot 2.3 or later.
---
 tests/tls-verify-peer/t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'tests/tls-verify-peer/t')

diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 2461a1f..17018a6 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -31,7 +31,7 @@ verified_peer() {
     [ -s "$TMPDIR/preverify" ] || error
     ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
 
-    grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+    grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
     grep "^remote: SSL cipher: " <"$STDERR" || error
 
     check_mailbox_status "INBOX"
-- 
cgit v1.2.3


From ba9d8af01141a6d5d5b98a0e249c311814b844a6 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 13 Dec 2020 17:37:32 +0100
Subject: test suite: ensure we haven't started speaking IMAP when the SSL/TLS
 handshake is aborted.

(Unless STARTTLS is used to upgrade the connection.)
---
 tests/tls-verify-peer/t | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'tests/tls-verify-peer/t')

diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 17018a6..8cc098a 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -15,8 +15,9 @@ unverified_peer() {
     [ -s "$TMPDIR/preverify" ] || error
     ! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error
 
-    # make sure we didn't send any credentials
+    # make sure we didn't send any credentials or started speaking IMAP
     ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+    grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
 }
 verified_peer() {
     local i u
-- 
cgit v1.2.3


From 8c43ed9baa905d907a6aad77de2282a852ba69a9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 13 Dec 2020 17:43:52 +0100
Subject: libinterimap: use default locations for trusted CA certificates when
 neither CAfile nor CApath are set.

In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).

This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used).
---
 tests/tls-verify-peer/t | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

(limited to 'tests/tls-verify-peer/t')

diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 8cc098a..8326521 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -46,7 +46,9 @@ with_remote_config() {
 }
 
 step_start "peer verification enabled by default"
+# assume our fake root CA is not among OpenSSL's default trusted CAs
 unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
 step_done
 
 step_start "peer verification result honored when pinned pubkey matches"
@@ -54,13 +56,23 @@ with_remote_config <<-EOF
 	SSL_fingerprint = sha256\$$PKEY_SHA256
 EOF
 unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
 grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
 step_done
 
+
 capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
 cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
 
-step_start "SSL_CAfile"
+step_start "SSL_CAfile/\$SSL_CERT_FILE"
+
+# verify that an error is raised when CAfile can't be loaded
+# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl))
+with_remote_config <<<"SSL_CAfile = /nonexistent"
+! interimap --debug || error
+grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
 if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
     # assume our fake root CA is not there
     with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
@@ -71,6 +83,10 @@ fi
 with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
 verified_peer
 
+with_remote_config </dev/null
+SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
 # hostnames and IPs included in the subjectAltName should work as well
 for host in "ip6-localhost" "127.0.0.1" "::1"; do
     with_remote_config <<-EOF
@@ -80,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do
     verified_peer
 done
 
-# but not for other IPs or hostnames
+# but not for other hostnames or IPs
 for host in "ip6-loopback" "127.0.1.1"; do
     with_remote_config <<-EOF
 		host = $host
@@ -92,7 +108,8 @@ done
 step_done
 
 
-step_start "SSL_CApath"
+step_start "SSL_CApath/\$SSL_CERT_DIR"
+
 if [ -d "/etc/ssl/certs" ]; then
     # assume our fake root CA is not there
     with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
@@ -105,6 +122,10 @@ c_rehash "$capath"
 with_remote_config <<<"SSL_CApath = $capath"
 verified_peer
 
+with_remote_config </dev/null
+SSL_CERT_DIR="$capath" verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
 # hostnames and IPs included in the subjectAltName should work as well
 for host in "ip6-localhost" "127.0.0.1" "::1"; do
     with_remote_config <<-EOF
-- 
cgit v1.2.3