doveconf_remote() {
    doveconf -c "$HOME_remote/.dovecot/config" -hx "$1"
}
pkey_sha256() {
    openssl x509 -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}"
}
x509_sha256() {
    openssl x509 -noout -fingerprint -sha256 \
    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]"
}

PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)"
X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)"
PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)"
X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)"

# pinned valid fingerprints
cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
	SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256
EOF

for ((i = 0; i < 32; i++)); do
    u="$(shuf -n1 -e "local" "remote")"
    sample_message | deliver -u "$u"
done
interimap_init
check_mailbox_status "INBOX"

interimap --debug || error
# which peer certificate is used is up to libssl 
grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \
         -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \
         <"$STDERR" || error

# force RSA (XXX do we really have to force TLSv1.2 here?)
cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
	SSL_protocols = TLSv1.2
	SSL_cipherlist = EECDH+AESGCM+aRSA
EOF
interimap --debug || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error

# force ECDSA
sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config"
interimap --debug || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error

# vim: set filetype=sh :