* "SSL" in option names is weird in 2023
From: Eric Wong @ 2023-10-03 7:11 UTC (permalink / raw)
To: meta
Eric Wong <e@80x24.org> wrote:
> net_reader: support imap.sslVerify + nntp.sslVerify
It still feels awkward to name options with "SSL" in them since
"Secure Sockets Layer" is long deprecated (in favor of "TLS",
"Transport Layer Security").
But git already has imap.sslVerify, so it's not something I want
to deviate from... git also has a lot of http.ssl* config
options, too, which we might benefit from having NNTP/IMAP
counterparts of...
OpenSSL, IO::Socket::SSL and Net::SSLeay are still called what
they are; and AFAIK nobody's worked on GnuTLS bindings for Perl,
yet...
So I guess we'll probably end up with a bunch of imap.ssl* and
nntp.ssl* options to set ciphers, certs, keys and whatnot...
Of course I don't trust myself to handle anything involving
SSL/TLS properly :<
* [PATCH 4/8] net_reader: support imap.sslVerify + nntp.sslVerify
From: Eric Wong @ 2023-10-03 6:43 UTC (permalink / raw)
To: meta
These options are useful for testing, as well as for users who are
stuck on out-of-date systems, dealing with forgetful sysadmins or
broken cronjobs, and/or willing to risk MITM attacks.
---
lib/PublicInbox/NetReader.pm | 28 ++++++++++++++++++++++------
t/imapd-tls.t | 14 +++++++++++---
t/nntpd-tls.t | 15 ++++++++++++---
3 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 5819f210..2d6cb0d6 100644
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -49,6 +49,13 @@ sub mic_tls_opt ($$) {
[ map { ($_, $o->{$_}) } keys %$o ];
}
+sub set_ssl_verify_mode ($$) {
+ my ($o, $bool) = @_;
+ require IO::Socket::SSL;
+ $o->{SSL_verify_mode} = $bool ? IO::Socket::SSL::SSL_VERIFY_PEER() :
+ IO::Socket::SSL::SSL_VERIFY_NONE();
+}
+
sub mic_new ($$$$) {
my ($self, $mic_arg, $sec, $uri) = @_;
my %mic_arg = (%$mic_arg, Keepalive => 1);
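Review bot: `set_ssl_verify_mode` is undocumented, and its false branch is the one a reader needs flagged: `SSL_VERIFY_NONE` turns off certificate verification entirely, so `$bool` carries the user's explicit sslVerify choice and nothing else. A header such as `# $o: IO::Socket::SSL option hash; a false $bool selects SSL_VERIFY_NONE, i.e. no peer certificate checking (accepts MITM, per the commit message)` would make that visible at the definition. It is also worth stating that the sub only assigns `SSL_verify_mode` when called, so the library's own default still applies whenever the option is absent — the later hunks rely on that by guarding each call with `defined $v`. `mic_new`'s body continues outside the hunk.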
@@ -138,7 +145,6 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
Server => $host,
%$common, # may set Starttls, Compress, Debug ....
};
- $mic_arg->{Ssl} = 1 if $uri->scheme eq 'imaps';
require PublicInbox::IMAPClient;
my $mic = mic_new($self, $mic_arg, $sec, $uri);
($mic && $mic->IsConnected) or
@@ -341,6 +347,7 @@ sub imap_common_init ($;$) {
}
my $to = cfg_intvl($cfg, 'imap.timeout', $$uri);
$mic_common->{$sec}->{Timeout} = $to if $to;
+ $mic_common->{$sec}->{Ssl} = 1 if $uri->scheme eq 'imaps';
# knobs we use ourselves:
my $sa = socks_args($cfg->urlmatch('imap.Proxy', $$uri));
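Review bot: The `Ssl => 1` assignment moved here carries an ordering constraint that is not stated: the `imap.sslVerify` handling later in `imap_common_init` (next hunk) reads `$cur->{Ssl}` to decide whether to imply STARTTLS and which of `Ssl`/`Starttls` receives the verify mode, so this line has to stay ahead of it. A comment like `# must precede imap.sslVerify handling below, which keys off Ssl` would protect the order against a future reshuffle. `imap_common_init` continues outside the hunk.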
@@ -350,11 +357,18 @@ sub imap_common_init ($;$) {
$self->{cfg_opt}->{$sec}->{$k} = $to;
}
my $k = 'imap.fetchBatchSize';
- my $bs = $cfg->urlmatch($k, $$uri) // next;
- if ($bs =~ /\A([0-9]+)\z/ && $bs > 0) {
- $self->{cfg_opt}->{$sec}->{batch_size} = $bs;
- } else {
- warn "$k=$bs is not a positive integer\n";
+ if (defined(my $bs = $cfg->urlmatch($k, $$uri))) {
+ ($bs =~ /\A([0-9]+)\z/ && $bs > 0) ?
+ ($self->{cfg_opt}->{$sec}->{batch_size} = $bs) :
+ warn("$k=$bs is not a positive integer\n");
+ }
+ my $v = $cfg->urlmatch(qw(--bool imap.sslVerify), $$uri);
+ if (defined $v) {
+ my $cur = $mic_common->{$sec} //= {};
+ $cur->{Starttls} //= 1 if !$cur->{Ssl};
+ for my $f (grep { $cur->{$_} } qw(Ssl Starttls)) {
+ set_ssl_verify_mode($cur->{$f} = {}, $v);
+ }
}
}
# make sure we can connect and cache the credentials in memory
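Review bot: Setting `imap.sslVerify` to any defined value, including true, now also switches on STARTTLS for plain `imap://` URLs through `$cur->{Starttls} //= 1 if !$cur->{Ssl}`; that is a behaviour change beyond the verify mode, and the `nntp_common_init` hunk below does not do the same for NNTP, where only the verify mode is set. If the implicit STARTTLS is intended, a comment such as `# sslVerify implies TLS: default to STARTTLS unless the URL is already imaps://` should say so, and the NNTP side should either match or document why it differs. Separately, `$cur->{$f} = {}` replaces whatever `Ssl`/`Starttls` already held; if either can already be a hash of TLS options from config read outside this hunk (the hash form is what `mic_tls_opt` above consumes), those options are silently dropped, and `$cur->{$f} = {} unless ref $cur->{$f}` would keep them. `imap_common_init` continues outside the hunk.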
@@ -402,6 +416,8 @@ sub nntp_common_init ($;$) {
$v = $cfg->urlmatch('--bool', "nntp.$k", $$uri);
$self->{cfg_opt}->{$sec}->{$k} = $v if defined $v;
}
+ $v = $cfg->urlmatch(qw(--bool nntp.sslVerify), $$uri);
+ set_ssl_verify_mode($args, $v) if defined $v;
# -watch internal option
for my $k (qw(pollInterval)) {
diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 673a9436..e432ef07 100644
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
@@ -1,8 +1,7 @@
#!perl -w
-# Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
use Socket qw(IPPROTO_TCP SOL_SOCKET);
use PublicInbox::TestCommon;
# IO::Poll is part of the standard library, but distros may split it off...
@@ -158,10 +157,19 @@ for my $args (
test_lei(sub {
lei_ok qw(ls-mail-source), "imap://$starttls_addr",
\'STARTTLS not used by default';
+ my $plain_out = $lei_out;
ok(!lei(qw(ls-mail-source -c imap.starttls),
"imap://$starttls_addr"), 'STARTTLS verify fails');
unlike $lei_err, qr!W: imap\.starttls= .*? is not boolean!i,
'no non-boolean warning';
+ lei_ok qw(-c imap.starttls -c imap.sslVerify= ls-mail-source),
+ "imap://$starttls_addr",
+ \'disabling imap.sslVerify works w/ STARTTLS';
+ is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+ lei_ok qw(ls-mail-source -c imap.sslVerify=false),
+ "imaps://$imaps_addr",
+ \'disabling imap.sslVerify works w/ imaps://';
+ is $lei_out, $plain_out, 'sslVerify=false w/ IMAPS output';
});
SKIP: {
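Review bot: The new assertions only cover turning verification off (`imap.sslVerify=` and `=false`); nothing in this hunk checks that the default or `sslVerify=true` still rejects the test certificate over `imaps://`, so a regression that made `set_ssl_verify_mode` a no-op for the `Ssl` case would pass as long as the STARTTLS failure check above still held. If the file does not already do so elsewhere, `ok(!lei(qw(ls-mail-source -c imap.sslVerify=true), "imaps://$imaps_addr"), 'sslVerify=true rejects test cert')` would pin the positive side. The same gap applies to the `t/nntpd-tls.t` hunk. The `test_lei` block continues outside the hunk.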
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 095aef96..21377fc0 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -1,8 +1,7 @@
#!perl -w
-# Copyright (C) 2019-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
use PublicInbox::TestCommon;
use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
# IO::Poll and Net::NNTP are part of the standard library, but
@@ -149,12 +148,22 @@ for my $args (
test_lei(sub {
lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
\'STARTTLS not used by default';
+ my $plain_out = $lei_out;
ok(!lei(qw(ls-mail-source -c nntp.starttls),
"nntp://$starttls_addr"), 'STARTTLS verify fails');
like $lei_err, qr/STARTTLS requested/,
'STARTTLS noted in stderr';
unlike $lei_err, qr!W: nntp\.starttls= .*? is not boolean!i,
'no non-boolean warning';
+ lei_ok qw(-c nntp.starttls -c nntp.sslVerify= ls-mail-source),
+ "nntp://$starttls_addr",
+ \'disabling nntp.sslVerify works w/ STARTTLS';
+ is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+
+ lei_ok qw(ls-mail-source -c nntp.sslVerify=false),
+ "nntps://$nntps_addr",
+ \'disabling nntp.sslVerify works w/ nntps://';
+ is $lei_out, $plain_out, 'sslVerify=false w/ NNTPS output';
});
SKIP: {
* [PATCH 0/8] IMAP/NNTP client improvements
From: Eric Wong @ 2023-10-03 6:43 UTC (permalink / raw)
To: meta
These affect both lei and -watch
Eric Wong (8):
net_reader: bail out on NNTP SOCKS connection failure
net_reader: avoid IO::Socket::SSL 2.079..2.081 warning
config: fix key-only truthy values with urlmatch
net_reader: support imap.sslVerify + nntp.sslVerify
lei: workers exit after they tell lei-daemon
net_reader: process title reflects NNTP article
xt/lei-onion-convert: test TLS + SOCKS
net_reader: note glob support in .onion hint
lib/PublicInbox/Config.pm | 18 ++++---
lib/PublicInbox/LEI.pm | 1 +
lib/PublicInbox/NetNNTPSocks.pm | 10 ++--
lib/PublicInbox/NetReader.pm | 87 +++++++++++++++++++++------------
t/imapd-tls.t | 18 +++++--
t/nntpd-tls.t | 19 +++++--
xt/lei-onion-convert.t | 21 ++++++--
7 files changed, 123 insertions(+), 51 deletions(-)