user/dev discussion of public-inbox itself
 help / color / mirror / code / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download mbox.gz: |
* "SSL" in option names is weird in 2023
  2023-10-03  6:43  7% [PATCH 0/8] IMAP/NNTP client improvements Eric Wong
  2023-10-03  6:43  5% ` [PATCH 4/8] net_reader: support imap.sslVerify + nntp.sslVerify Eric Wong
@ 2023-10-03  7:11  0% ` Eric Wong
  1 sibling, 0 replies; 3+ results
From: Eric Wong @ 2023-10-03  7:11 UTC (permalink / raw)
  To: meta

Eric Wong <e@80x24.org> wrote:
>   net_reader: support imap.sslVerify + nntp.sslVerify

It still feels awkward to name options with "SSL" in them since
"Secure Sockets Layer" is long deprecated (in favor of "TLS",
"Transport Layer Security").

But git already has imap.sslVerify, so it's not something I want
to deviate from...  git also has a lot of http.ssl* config
options, too, which we might benefit from having NNTP/IMAP
counterparts of...

OpenSSL, IO::Socket::SSL and Net::SSLeay are still called what
they are; and AFAIK nobody's worked on GnuTLS bindings for Perl,
yet...

So I guess we'll probably end up with a bunch of imap.ssl* and
nntp.ssl* options to set ciphers, certs, keys and whatnot...
Of course I don't trust myself to handle anything involving
SSL/TLS properly :<

^ permalink raw reply	[relevance 0%]
* [PATCH 4/8] net_reader: support imap.sslVerify + nntp.sslVerify
  2023-10-03  6:43  7% [PATCH 0/8] IMAP/NNTP client improvements Eric Wong
@ 2023-10-03  6:43  5% ` Eric Wong
  2023-10-03  7:11  0% ` "SSL" in option names is weird in 2023 Eric Wong
  1 sibling, 0 replies; 3+ results
From: Eric Wong @ 2023-10-03  6:43 UTC (permalink / raw)
  To: meta

These options are useful for testing as well as users stuck on
out-of-date systems, dealing with forgetful sysadmins, broken
cronjobs, and/or are willing to risk MITM attacks.
---
 lib/PublicInbox/NetReader.pm | 28 ++++++++++++++++++++++------
 t/imapd-tls.t                | 14 +++++++++++---
 t/nntpd-tls.t                | 15 ++++++++++++---
 3 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 5819f210..2d6cb0d6 100644
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -49,6 +49,13 @@ sub mic_tls_opt ($$) {
 	[ map { ($_, $o->{$_}) } keys %$o ];
 }
 
+sub set_ssl_verify_mode ($$) {
+	my ($o, $bool) = @_;
+	require IO::Socket::SSL;
+	$o->{SSL_verify_mode} = $bool ? IO::Socket::SSL::SSL_VERIFY_PEER() :
+					IO::Socket::SSL::SSL_VERIFY_NONE();
+}
+
 sub mic_new ($$$$) {
 	my ($self, $mic_arg, $sec, $uri) = @_;
 	my %mic_arg = (%$mic_arg, Keepalive => 1);
@@ -138,7 +145,6 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
 		Server => $host,
 		%$common, # may set Starttls, Compress, Debug ....
 	};
-	$mic_arg->{Ssl} = 1 if $uri->scheme eq 'imaps';
 	require PublicInbox::IMAPClient;
 	my $mic = mic_new($self, $mic_arg, $sec, $uri);
 	($mic && $mic->IsConnected) or
@@ -341,6 +347,7 @@ sub imap_common_init ($;$) {
 		}
 		my $to = cfg_intvl($cfg, 'imap.timeout', $$uri);
 		$mic_common->{$sec}->{Timeout} = $to if $to;
+		$mic_common->{$sec}->{Ssl} = 1 if $uri->scheme eq 'imaps';
 
 		# knobs we use ourselves:
 		my $sa = socks_args($cfg->urlmatch('imap.Proxy', $$uri));
@@ -350,11 +357,18 @@ sub imap_common_init ($;$) {
 			$self->{cfg_opt}->{$sec}->{$k} = $to;
 		}
 		my $k = 'imap.fetchBatchSize';
-		my $bs = $cfg->urlmatch($k, $$uri) // next;
-		if ($bs =~ /\A([0-9]+)\z/ && $bs > 0) {
-			$self->{cfg_opt}->{$sec}->{batch_size} = $bs;
-		} else {
-			warn "$k=$bs is not a positive integer\n";
+		if (defined(my $bs = $cfg->urlmatch($k, $$uri))) {
+			($bs =~ /\A([0-9]+)\z/ && $bs > 0) ?
+				($self->{cfg_opt}->{$sec}->{batch_size} = $bs) :
+				warn("$k=$bs is not a positive integer\n");
+		}
+		my $v = $cfg->urlmatch(qw(--bool imap.sslVerify), $$uri);
+		if (defined $v) {
+			my $cur = $mic_common->{$sec} //= {};
+			$cur->{Starttls} //= 1 if !$cur->{Ssl};
+			for my $f (grep { $cur->{$_} } qw(Ssl Starttls)) {
+				set_ssl_verify_mode($cur->{$f} = {}, $v);
+			}
 		}
 	}
 	# make sure we can connect and cache the credentials in memory
@@ -402,6 +416,8 @@ sub nntp_common_init ($;$) {
 			$v = $cfg->urlmatch('--bool', "nntp.$k", $$uri);
 			$self->{cfg_opt}->{$sec}->{$k} = $v if defined $v;
 		}
+		$v = $cfg->urlmatch(qw(--bool nntp.sslVerify), $$uri);
+		set_ssl_verify_mode($args, $v) if defined $v;
 
 		# -watch internal option
 		for my $k (qw(pollInterval)) {
diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 673a9436..e432ef07 100644
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
@@ -1,8 +1,7 @@
 #!perl -w
-# Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
 use Socket qw(IPPROTO_TCP SOL_SOCKET);
 use PublicInbox::TestCommon;
 # IO::Poll is part of the standard library, but distros may split it off...
@@ -158,10 +157,19 @@ for my $args (
 	test_lei(sub {
 		lei_ok qw(ls-mail-source), "imap://$starttls_addr",
 			\'STARTTLS not used by default';
+		my $plain_out = $lei_out;
 		ok(!lei(qw(ls-mail-source -c imap.starttls),
 			"imap://$starttls_addr"), 'STARTTLS verify fails');
 		unlike $lei_err, qr!W: imap\.starttls= .*? is not boolean!i,
 			'no non-boolean warning';
+		lei_ok qw(-c imap.starttls -c imap.sslVerify= ls-mail-source),
+			"imap://$starttls_addr",
+			\'disabling imap.sslVerify works w/ STARTTLS';
+		is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+		lei_ok qw(ls-mail-source -c imap.sslVerify=false),
+			"imaps://$imaps_addr",
+			\'disabling imap.sslVerify works w/ imaps://';
+		is $lei_out, $plain_out, 'sslVerify=false w/ IMAPS output';
 	});
 
 	SKIP: {
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 095aef96..21377fc0 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -1,8 +1,7 @@
 #!perl -w
-# Copyright (C) 2019-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
 use PublicInbox::TestCommon;
 use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
 # IO::Poll and Net::NNTP are part of the standard library, but
@@ -149,12 +148,22 @@ for my $args (
 	test_lei(sub {
 		lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
 			\'STARTTLS not used by default';
+		my $plain_out = $lei_out;
 		ok(!lei(qw(ls-mail-source -c nntp.starttls),
 			"nntp://$starttls_addr"), 'STARTTLS verify fails');
 		like $lei_err, qr/STARTTLS requested/,
 			'STARTTLS noted in stderr';
 		unlike $lei_err, qr!W: nntp\.starttls= .*? is not boolean!i,
 			'no non-boolean warning';
+		lei_ok qw(-c nntp.starttls -c nntp.sslVerify= ls-mail-source),
+			"nntp://$starttls_addr",
+			\'disabling nntp.sslVerify works w/ STARTTLS';
+		is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+
+		lei_ok qw(ls-mail-source -c nntp.sslVerify=false),
+			"nntps://$nntps_addr",
+			\'disabling nntp.sslVerify works w/ nntps://';
+		is $lei_out, $plain_out, 'sslVerify=false w/ NNTPS output';
 	});
 
 	SKIP: {

^ permalink raw reply related	[relevance 5%]
* [PATCH 0/8] IMAP/NNTP client improvements
@ 2023-10-03  6:43  7% Eric Wong
  2023-10-03  6:43  5% ` [PATCH 4/8] net_reader: support imap.sslVerify + nntp.sslVerify Eric Wong
  2023-10-03  7:11  0% ` "SSL" in option names is weird in 2023 Eric Wong
  0 siblings, 2 replies; 3+ results
From: Eric Wong @ 2023-10-03  6:43 UTC (permalink / raw)
  To: meta

These affect both lei and -watch

Eric Wong (8):
  net_reader: bail out on NNTP SOCKS connection failure
  net_reader: avoid IO::Socket::SSL 2.079..2.081 warning
  config: fix key-only truthy values with urlmatch
  net_reader: support imap.sslVerify + nntp.sslVerify
  lei: workers exit after they tell lei-daemon
  net_reader: process title reflects NNTP article
  xt/lei-onion-convert: test TLS + SOCKS
  net_reader: note glob support in .onion hint

 lib/PublicInbox/Config.pm       | 18 ++++---
 lib/PublicInbox/LEI.pm          |  1 +
 lib/PublicInbox/NetNNTPSocks.pm | 10 ++--
 lib/PublicInbox/NetReader.pm    | 87 +++++++++++++++++++++------------
 t/imapd-tls.t                   | 18 +++++--
 t/nntpd-tls.t                   | 19 +++++--
 xt/lei-onion-convert.t          | 21 ++++++--
 7 files changed, 123 insertions(+), 51 deletions(-)

^ permalink raw reply	[relevance 7%]
Results 1-3 of 3 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2023-10-03  6:43  7% [PATCH 0/8] IMAP/NNTP client improvements Eric Wong
2023-10-03  6:43  5% ` [PATCH 4/8] net_reader: support imap.sslVerify + nntp.sslVerify Eric Wong
2023-10-03  7:11  0% ` "SSL" in option names is weird in 2023 Eric Wong

Code repositories for project(s) associated with this public inbox

	https://80x24.org/public-inbox.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).