user/dev discussion of public-inbox itself
* [PATCH 13/16] net_reader: no STARTTLS for IMAP localhost or onions
  2021-09-19 12:50  6% [PATCH 00/16] lei IPC overhaul, NNTP fixes Eric Wong
@ 2021-09-19 12:50  7% ` Eric Wong
  0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2021-09-19 12:50 UTC
  To: meta

At least not by default, to match existing NNTP behavior.
Tor .onions are already encrypted, and there's no point
in encrypting traffic on localhost outside of testing.
---
 lib/PublicInbox/NetReader.pm | 20 +++++++++++---------
 t/imapd-tls.t                | 11 +++++++++--
 t/nntpd-tls.t                |  8 ++++++++
 3 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 236e824c..e305523e 100644
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -91,6 +91,16 @@ try configuring a socks5h:// proxy:
 EOM
 }
 
+# Net::NNTP doesn't support CAPABILITIES, yet; and both IMAP+NNTP
+# servers may have multiple listen sockets.
+sub try_starttls ($) {
+	my ($host) = @_;
+	return if $host =~ /\.onion\z/si;
+	return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
+	return if $host eq '::1';
+	1;
+}
+
 # mic_for may prompt the user and store auth info, prepares mic_get
 sub mic_for ($$$$) { # mic = Mail::IMAPClient
 	my ($self, $uri, $mic_common, $lei) = @_;
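Review bot: the loopback tests in the new `try_starttls` compare the host string literally (`127.x.x.x` and `::1` only), so a URI that spells the host as `localhost`, as an IPv4-mapped loopback address, or as an onion name with a trailing dot is not matched and will still attempt STARTTLS, even though the subject line says "localhost". The miss fails toward encrypting, so it is safe, but the comment above the sub should state which spellings are intentionally covered. That comment also mentions "multiple listen sockets" without saying why it leads to skipping the upgrade; one more sentence there would help the next reader.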
@@ -122,6 +132,7 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
 	# it to be disabled since I usually connect to localhost
 	if (!$mic_arg->{Ssl} && !defined($mic_arg->{Starttls}) &&
 			$mic->has_capability('STARTTLS') &&
+			try_starttls($host) &&
 			$mic->can('starttls')) {
 		$mic->starttls or die "E: <$uri> STARTTLS: $@\n";
 	}
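Review bot: in the `if` condition, `try_starttls($host)` is evaluated after `$mic->has_capability('STARTTLS')`, so the capability lookup still runs for hosts that will never be upgraded; putting the string-only host check ahead of it lets `&&` short-circuit. `$host` is also not assigned anywhere in the visible context (the sub receives `$uri`), so please confirm it holds the host from the URI and not a proxy address, since the SOCKS/onion path is exactly what this check targets. The existing `!defined($mic_arg->{Starttls})` guard keeps an explicit setting in control, which is the right precedence.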
@@ -164,15 +175,6 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
 	$mic;
 }
 
-# Net::NNTP doesn't support CAPABILITIES, yet
-sub try_starttls ($) {
-	my ($host) = @_;
-	return if $host =~ /\.onion\z/s;
-	return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
-	return if $host eq '::1';
-	1;
-}
-
 sub nn_new ($$$) {
 	my ($nn_arg, $nntp_cfg, $uri) = @_;
 	my $nn;
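Review bot: the removed copy of `try_starttls` matched `/\.onion\z/s` while the relocated copy earlier in the file uses `/\.onion\z/si`, so this is not a pure move. The case-insensitive match is the better behaviour for hostnames, but it changes the existing NNTP path as well and the commit message does not mention it; a line there would make the change easier to find later.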
diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 72ba8769..73f5112f 100644
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
@@ -1,8 +1,8 @@
+#!perl -w
 # Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
 use strict;
-use warnings;
-use Test::More;
+use v5.10.1;
 use Socket qw(IPPROTO_TCP SOL_SOCKET);
 use PublicInbox::TestCommon;
 # IO::Poll is part of the standard library, but distros may split it off...
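Review bot: the header changes at the top of t/imapd-tls.t (`#!perl -w`, dropping `use warnings;` and `use Test::More;`, adding `use v5.10.1;`) are unrelated to the STARTTLS default and would be easier to review as a separate cleanup. Note that `-w` enables warnings globally rather than lexically, and the test now depends on `PublicInbox::TestCommon` providing `ok`/`is`/`skip`, which cannot be confirmed from the lines shown here.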
@@ -155,6 +155,13 @@ for my $args (
 	ok(sysread($slow, my $end, 4096) > 0, 'got end');
 	is(sysread($slow, my $eof, 4096), 0, 'got EOF');
 
+	test_lei(sub {
+		lei_ok qw(ls-mail-source), "imap://$starttls_addr",
+			\'STARTTLS not used by default';
+		ok(!lei(qw(ls-mail-source -c imap.starttls=true),
+			"imap://$starttls_addr"), 'STARTTLS verify fails');
+	});
+
 	SKIP: {
 		skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
 		my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
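Review bot: the second assertion in the added `test_lei` block, `ok(!lei(...), 'STARTTLS verify fails')`, only checks that the command failed, so a refused connection or a bad option would pass it just as well as a certificate verification error. Matching the error text (the NNTP test in this patch already references `$lei_err`) with a `like` on the STARTTLS/verify message would tie the test to the behaviour its name claims.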
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 2c09d34e..9af6c254 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -146,6 +146,14 @@ for my $args (
 	is(sysread($slow, my $eof, 4096), 0, 'got EOF');
 	$slow = undef;
 
+	test_lei(sub {
+		lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
+			\'STARTTLS not used by default';
+		ok(!lei(qw(ls-mail-source -c nntp.starttls=true),
+			"nntp://$starttls_addr"), 'STARTTLS verify fails');
+		diag $lei_err;
+	});
+
 	SKIP: {
 		skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
 		my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
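Review bot: `diag $lei_err;` inside the added `test_lei` block prints on every run, including passing ones, and looks like leftover debugging; the IMAP counterpart has no such line. Replace it with an assertion on `$lei_err` so the failure reason is checked rather than only displayed, or drop it.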


* [PATCH 00/16] lei IPC overhaul, NNTP fixes
@ 2021-09-19 12:50  6% Eric Wong
  2021-09-19 12:50  7% ` [PATCH 13/16] net_reader: no STARTTLS for IMAP localhost or onions Eric Wong
  0 siblings, 1 reply; 2+ results
From: Eric Wong @ 2021-09-19 12:50 UTC
  To: meta

11/16 is a bit worrying for saved search dedupe over HTTP(S),
and I can't seem to reproduce it reliably, either..

ls-mail-source and import use is far nicer, as it provides a
good avenue for doing partial fetches.

lei/store IPC got a massive overhaul, and the sto_done_request
simplification is nice.  This will probably simplify automatic
export-kw support to IMAP folders.

I also noticed "lei config --edit" was wonky, so
I made it share code with "lei edit-search".

Starting to document config knobs, too.

Eric Wong (16):
  ipc: wq_do: support synchronous waits and responses
  ipc: allow disabling broadcast for wq_workers
  lei/store: use SOCK_SEQPACKET rather than pipe
  lei: simplify sto_done_request
  lei_xsearch: drop Data::Dumper use
  ipc: drop dynamic WQ process counts
  lei: clamp internal worker processes to 4
  lei ls-mail-source: use "high"/"low" for NNTP
  lei ls-mail-source: pretty JSON support
  net_reader: fix single NNTP article fetch, test ranges
  xt: add fsck script over over.sqlite3
  watch: use net_reader->mic_new wrapper for SOCKS+TLS
  net_reader: no STARTTLS for IMAP localhost or onions
  lei config --edit: use controlling terminal
  net_reader: disallow imap.fetchBatchSize=0
  doc: lei-config: document various knobs

 Documentation/lei-config.pod          |  91 +++++++++++++++++++-
 MANIFEST                              |   2 +
 lib/PublicInbox/IPC.pm                | 117 +++++++++++---------------
 lib/PublicInbox/LEI.pm                |  32 +++----
 lib/PublicInbox/LeiConfig.pm          |  42 +++++++++
 lib/PublicInbox/LeiEditSearch.pm      |  60 +++++--------
 lib/PublicInbox/LeiExternal.pm        |   2 +-
 lib/PublicInbox/LeiImport.pm          |   2 +-
 lib/PublicInbox/LeiImportKw.pm        |   6 +-
 lib/PublicInbox/LeiIndex.pm           |   2 +-
 lib/PublicInbox/LeiInit.pm            |   4 +-
 lib/PublicInbox/LeiInput.pm           |   2 +-
 lib/PublicInbox/LeiLsMailSource.pm    |  25 +++---
 lib/PublicInbox/LeiNoteEvent.pm       |  11 +--
 lib/PublicInbox/LeiRefreshMailSync.pm |   2 +-
 lib/PublicInbox/LeiRemote.pm          |   4 +-
 lib/PublicInbox/LeiRm.pm              |   2 +-
 lib/PublicInbox/LeiSavedSearch.pm     |  16 +---
 lib/PublicInbox/LeiStore.pm           |  22 ++---
 lib/PublicInbox/LeiTag.pm             |   2 +-
 lib/PublicInbox/LeiToMail.pm          |  22 ++---
 lib/PublicInbox/LeiXSearch.pm         |   9 +-
 lib/PublicInbox/NetReader.pm          |  39 +++++----
 lib/PublicInbox/WQWorker.pm           |   9 +-
 lib/PublicInbox/Watch.pm              |   3 +-
 t/imapd-tls.t                         |  11 ++-
 t/ipc.t                               |  19 ++---
 t/lei-import-nntp.t                   |  26 ++++++
 t/lei.t                               |   3 +
 t/nntpd-tls.t                         |   8 ++
 t/uri_nntps.t                         |   3 +
 xt/over-fsck.perl                     |  44 ++++++++++
 32 files changed, 403 insertions(+), 239 deletions(-)
 create mode 100644 lib/PublicInbox/LeiConfig.pm
 create mode 100644 xt/over-fsck.perl


Code repositories for project(s) associated with this public inbox

	https://80x24.org/public-inbox.git