From 20c940a876728fe91892200dd874dd917cd677ac Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Sun, 19 Sep 2021 12:50:32 +0000
Subject: net_reader: no STARTTLS for IMAP localhost or onions

At least not by default, to match existing NNTP behavior. Tor .onions are already encrypted, and there's no point in encrypting traffic on localhost outside of testing.
---
 lib/PublicInbox/NetReader.pm | 20 +++++++++++---------
 t/imapd-tls.t | 11 +++++++++--
 t/nntpd-tls.t | 8 ++++++++
 3 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 236e824c..e305523e 100644
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -91,6 +91,16 @@ try configuring a socks5h:// proxy:
 EOM
 }
 
+# Net::NNTP doesn't support CAPABILITIES, yet; and both IMAP+NNTP
+# servers may have multiple listen sockets.
+sub try_starttls ($) {
+	my ($host) = @_;
+	return if $host =~ /\.onion\z/si;
+	return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
+	return if $host eq '::1';
+	1;
+}
+
 # mic_for may prompt the user and store auth info, prepares mic_get
 sub mic_for ($$$$) { # mic = Mail::IMAPClient
 	my ($self, $uri, $mic_common, $lei) = @_;
@@ -122,6 +132,7 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
 	# it to be disabled since I usually connect to localhost
 	if (!$mic_arg->{Ssl} && !defined($mic_arg->{Starttls}) &&
 			$mic->has_capability('STARTTLS') &&
+			try_starttls($host) &&
 			$mic->can('starttls')) {
 		$mic->starttls or die "E: <$uri> STARTTLS: $@\n";
 	}
@@ -164,15 +175,6 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
 	$mic;
 }
 
-# Net::NNTP doesn't support CAPABILITIES, yet
-sub try_starttls ($) {
-	my ($host) = @_;
-	return if $host =~ /\.onion\z/s;
-	return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
-	return if $host eq '::1';
-	1;
-}
-
 sub nn_new ($$$) {
 	my ($nn_arg, $nntp_cfg, $uri) = @_;
 	my $nn;
diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 72ba8769..73f5112f 100644
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
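Review bot: The relocated try_starttls() in the first hunk exempts only literal loopback addresses (127.x and `::1`) and `.onion` names, so a user who writes `imap://localhost` still gets STARTTLS while `imap://127.0.0.1` does not; that asymmetry is defensible (a name resolves wherever the resolver says, a literal cannot), but nothing records that it is deliberate. I would extend the new header comment with `# Only literal loopback IPs and .onion hosts are exempt; names such as "localhost" still get STARTTLS because their resolution is outside our control.` Whether a bracketed `[::1]` ever reaches `$host eq '::1'` depends on how the callers derive `$host` from the URI, which is outside this hunk. The `/i` flag added to the `.onion` match relative to the removed copy in the third hunk is a small behaviour change that deserves a mention somewhere a reader will find it.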
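Review bot: The context comment just above the `if` in the second hunk (`# it to be disabled since I usually connect to localhost`, whose first line is outside the hunk) now describes the old behaviour, because with `try_starttls($host)` in the condition loopback and .onion peers skip STARTTLS automatically unless `imap.starttls` is set explicitly. I would reword the tail of that comment to `# loopback and .onion hosts skip STARTTLS unless imap.starttls is set explicitly`. Placing `try_starttls($host) &&` before `$mic->has_capability('STARTTLS') &&` would also let the cheap string test decide first, which matters if has_capability has to send a CAPABILITY command to find out. `$host` is assigned earlier in mic_for, outside this hunk, and the function continues past it.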
@@ -1,8 +1,8 @@
+#!perl -w
 # Copyright (C) 2020-2021 all contributors
 # License: AGPL-3.0+
 use strict;
-use warnings;
-use Test::More;
+use v5.10.1;
 use Socket qw(IPPROTO_TCP SOL_SOCKET);
 use PublicInbox::TestCommon;
 # IO::Poll is part of the standard library, but distros may split it off...
@@ -155,6 +155,13 @@ for my $args (
 	ok(sysread($slow, my $end, 4096) > 0, 'got end');
 	is(sysread($slow, my $eof, 4096), 0, 'got EOF');
 
+	test_lei(sub {
+		lei_ok qw(ls-mail-source), "imap://$starttls_addr",
+			\'STARTTLS not used by default';
+		ok(!lei(qw(ls-mail-source -c imap.starttls=true),
+			"imap://$starttls_addr"), 'STARTTLS verify fails');
+	});
+
 	SKIP: {
 		skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
 		my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 2c09d34e..9af6c254 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -146,6 +146,14 @@ for my $args (
 	is(sysread($slow, my $eof, 4096), 0, 'got EOF');
 	$slow = undef;
 
+	test_lei(sub {
+		lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
+			\'STARTTLS not used by default';
+		ok(!lei(qw(ls-mail-source -c nntp.starttls=true),
+			"nntp://$starttls_addr"), 'STARTTLS verify fails');
+		diag $lei_err;
+	});
+
 	SKIP: {
 		skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
 		my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
-- 
cgit v1.2.3-24-ge0c7
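Review bot: `ok(!lei(...), 'STARTTLS verify fails')` in the second t/imapd-tls.t hunk passes for any non-zero exit, so a refused connection or a typo in the `-c imap.starttls=true` key would be reported as a successful verification failure; the same applies to the t/nntpd-tls.t hunk, which at least emits `diag $lei_err`. For the IMAP case the failure text is fixed by mic_for (`die "E: <$uri> STARTTLS: $@\n"`), so I would follow the `ok` with `like($lei_err, qr/STARTTLS/, 'failure is from STARTTLS');`, assuming `$lei_err` is populated inside test_lei the way the nntpd test relies on. For the NNTP path the error text comes from nn_new, which this patch does not touch, so the pattern there needs checking against that code before being added.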