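# Name used for the SNI checks below; it must match a local_name{} section in
# the dovecot config so that the server presents a dedicated certificate for it.
SERVERNAME="imap.example.net" # cf local_name{} section in the dovecot config
# SHA-256 fingerprints (lowercase hex, colons stripped) of the default server
# certificate and of the certificate configured for $SERVERNAME.  The ssl_cert
# value printed by doveconf is piped straight into openssl (presumably -x is
# what expands the file reference into PEM — confirm against doveconf(1)).
X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
X509_2_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -f lname="$SERVERNAME" -hx ssl_cert \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
# The fingerprint greps further down are only meaningful if extraction worked
# (non-empty) and if the two certificates actually differ: with identical
# fingerprints the "right cert was served" check would pass no matter which
# certificate the server presented, i.e. a broken SNI path would go unnoticed.
[ -n "$X509_SHA256" ] && [ -n "$X509_2_SHA256" ] || error "Couldn't extract certificate fingerprints"
[ "$X509_SHA256" != "$X509_2_SHA256" ] || error "Default and SNI certificates have the same fingerprint"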
# An empty SSL_hostname must switch SNI off entirely: no "Using SNI" line may
# show up in the debug output.
printf '%s\n' "SSL_hostname =" >>"$XDG_CONFIG_HOME/interimap/config"
if ! interimap --debug; then
    error
fi
if grep "^remote: Using SNI with name " <"$STDERR"; then
    error "Empty SSL_hostname didn't disable SNI"
fi
# With SSL_hostname unset the SNI name falls back to the host value (localhost
# here) and the default certificate must be the one presented.
sed -i "/^SSL_hostname\\s*=/d" -- "$XDG_CONFIG_HOME/interimap/config"
if ! interimap --debug; then
    error
fi
if ! grep -Fx "remote: Using SNI with name localhost" <"$STDERR"; then
    error "No default SNI"
fi
if ! grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR"; then
    error
fi
# An IP literal as host must not produce an SNI extension (IPv4 and bracketed
# IPv6 alike), and the default certificate must still be the one presented.
printf '%s\n' "host = __INVALID__" >>"$XDG_CONFIG_HOME/interimap/config"
for ip in "127.0.0.1" "[::1]"; do
    sed -i "s/^host\\s*=.*/host = $ip/" -- "$XDG_CONFIG_HOME/interimap/config"
    if ! interimap --debug; then
        error
    fi
    if grep "^remote: Using SNI with name " <"$STDERR"; then
        error "Using SNI with IP $ip"
    fi
    if ! grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR"; then
        error
    fi
done
# verify that SNI actually works (ie we're served the right cert)
sni_ok() {
    # The captured stderr must carry both the "Using SNI" debug line for
    # $SERVERNAME and the fingerprint of the certificate configured for that
    # name (X509_2_SHA256); anything else means the SNI path did not work.
    if ! grep -Fx "remote: Using SNI with name $SERVERNAME" <"$STDERR"; then
        error
    fi
    if ! grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_2_SHA256" <"$STDERR"; then
        error
    fi
}
# Positive case: an explicit SSL_hostname must be sent as SNI and select the
# certificate configured for that name.
printf '%s\n' "SSL_hostname = $SERVERNAME" >>"$XDG_CONFIG_HOME/interimap/config"
if ! interimap --debug; then
    error
fi
sni_ok
## make sure SSL_hostname doesn't affect certificate verification ##
# With SSL_verify = YES the handshake must fail unless the CA is trusted AND
# the peer name matches host.  SSL_hostname only chooses the certificate via
# SNI (sni_ok still holds in every case below) and must never satisfy either
# check by itself.  "bad CA" = no SSL_CAfile, "bad host" = 127.0.0.1.
# bad CA, bad host
sed -i "s/^host\\s*=.*/host = 127.0.0.1/" -- "$XDG_CONFIG_HOME/interimap/config"
sed -i "s/^SSL_verify\\s*=.*/SSL_verify = YES/" -- "$XDG_CONFIG_HOME/interimap/config"
if interimap --debug; then
    error
fi
sni_ok
if ! grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR"; then
    error
fi
# good CA, bad host
printf '%s\n' "SSL_CAfile = $HOME/.dovecot/conf.d/ca.crt" >>"$XDG_CONFIG_HOME/interimap/config"
if interimap --debug; then
    error
fi
sni_ok
if ! grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR"; then
    error
fi
# bad CA, good host
sed -i "/^SSL_CAfile\\s*=/d" -- "$XDG_CONFIG_HOME/interimap/config"
sed -i "s/^host\\s*=.*/host = localhost/" -- "$XDG_CONFIG_HOME/interimap/config"
if interimap --debug; then
    error
fi
sni_ok
if ! grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR"; then
    error
fi
# good CA, good host: the only combination that must succeed
printf '%s\n' "SSL_CAfile = $HOME/.dovecot/conf.d/ca.crt" >>"$XDG_CONFIG_HOME/interimap/config"
if ! interimap --debug; then
    error
fi
sni_ok
# vim: set filetype=sh :