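# Exercise interimap's SNI (TLS server_name) handling against the test
# dovecot instance.  Names not defined here -- error(), interimap, $STDERR,
# $HOME_remote, $XDG_CONFIG_HOME -- are expected from the enclosing test
# harness (not visible in this file).
#
# Properties checked:
#   * an empty SSL_hostname disables SNI, an absent one defaults to `host`;
#   * no server_name is sent when `host` is an IP literal;
#   * SSL_hostname only selects the served certificate; it must never relax
#     certificate verification against the CA or against the `host` value.

SERVERNAME="imap.example.net" # cf local_name{} section in the dovecot config

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the certificate
# that `doveconf -hx ssl_cert` yields.  Extra doveconf options are passed
# through, e.g. `-f lname=...` to select a local_name{} block.
# Prints nothing when a pipeline stage fails, so callers must check for an
# empty result.
cert_sha256() {
    doveconf -c "$HOME_remote/.dovecot/config" "$@" -hx ssl_cert \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed -rn "/^.*=\\s*/ {s///p;q}" \
    | tr -d : | tr '[:upper:]' '[:lower:]' # POSIX classes: locale-independent
}

X509_SHA256="$(cert_sha256)"
[ -n "$X509_SHA256" ] || error "Couldn't compute the default certificate fingerprint"
X509_2_SHA256="$(cert_sha256 -f lname="$SERVERNAME")"
[ -n "$X509_2_SHA256" ] || error "Couldn't compute the certificate fingerprint for $SERVERNAME"
# The SNI checks below can only tell the two certificates apart if they
# actually differ; fail early instead of passing vacuously.
[ "$X509_SHA256" != "$X509_2_SHA256" ] || error "Default and $SERVERNAME certificates are identical"

# check that empty SSL_hostname disables SNI
echo "SSL_hostname =" >>"$XDG_CONFIG_HOME/interimap/config"
interimap --debug || error
! grep "^remote: Using SNI with name " <"$STDERR" || error "Empty SSL_hostname didn't disable SNI"

# default servername is the host value
sed -i "/^SSL_hostname\\s*=/d" -- "$XDG_CONFIG_HOME/interimap/config"
interimap --debug || error
grep -Fx "remote: Using SNI with name localhost" <"$STDERR" || error "No default SNI"
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error

# verify that SNI is not used when host is an IP (RFC 6066 section 3 does not
# permit IP literals in server_name); the server must then serve its default
# certificate
echo "host = __INVALID__" >>"$XDG_CONFIG_HOME/interimap/config"
for ip in "127.0.0.1" "[::1]"; do
    sed -i "s/^host\\s*=.*/host = $ip/" -- "$XDG_CONFIG_HOME/interimap/config"
    interimap --debug || error
    ! grep "^remote: Using SNI with name " <"$STDERR" || error "Using SNI with IP $ip"
    grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
done

# verify that SNI actually works (ie we're served the right cert)
# Reads $STDERR from the last `interimap --debug` run; $SERVERNAME must have
# been sent as server_name and the local_name{} certificate must have been
# presented.
sni_ok() {
    grep -Fx "remote: Using SNI with name $SERVERNAME" <"$STDERR" || error
    grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_2_SHA256" <"$STDERR" || error
}

echo "SSL_hostname = $SERVERNAME" >>"$XDG_CONFIG_HOME/interimap/config"
interimap --debug || error
sni_ok

## make sure SSL_hostname doesn't affect certificate verification ##
# In every case below the SNI name is sent and the matching certificate is
# served (sni_ok), but the handshake must still be rejected unless BOTH the
# CA and the `host` value match the presented certificate.

# bad CA, bad host
sed -i "s/^host\\s*=.*/host = 127.0.0.1/" -- "$XDG_CONFIG_HOME/interimap/config"
sed -i "s/^SSL_verify\\s*=.*/SSL_verify = YES/" -- "$XDG_CONFIG_HOME/interimap/config"
! interimap --debug || error
sni_ok
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error

# good CA, bad host
echo "SSL_CAfile = $HOME/.dovecot/conf.d/ca.crt" >>"$XDG_CONFIG_HOME/interimap/config"
! interimap --debug || error
sni_ok
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error

# bad CA, good host
sed -i "/^SSL_CAfile\\s*=/d" -- "$XDG_CONFIG_HOME/interimap/config"
sed -i "s/^host\\s*=.*/host = localhost/" -- "$XDG_CONFIG_HOME/interimap/config"
! interimap --debug || error
sni_ok
grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error

# good CA, good host
echo "SSL_CAfile = $HOME/.dovecot/conf.d/ca.crt" >>"$XDG_CONFIG_HOME/interimap/config"
interimap --debug || error
sni_ok

# vim: set filetype=sh :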