From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Subject: [PATCH 4/8] net_reader: support imap.sslVerify + nntp.sslVerify
Date: Tue, 3 Oct 2023 06:43:48 +0000 [thread overview]
Message-ID: <20231003064352.2902298-5-e@80x24.org> (raw)
In-Reply-To: <20231003064352.2902298-1-e@80x24.org>
These options are useful for testing, as well as for users who are stuck on
out-of-date systems, dealing with forgetful sysadmins or broken cronjobs,
and/or are willing to risk MITM attacks.
---
lib/PublicInbox/NetReader.pm | 28 ++++++++++++++++++++++------
t/imapd-tls.t | 14 +++++++++++---
t/nntpd-tls.t | 15 ++++++++++++---
3 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 5819f210..2d6cb0d6 100644
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -49,6 +49,13 @@ sub mic_tls_opt ($$) {
[ map { ($_, $o->{$_}) } keys %$o ];
}
+sub set_ssl_verify_mode ($$) {
+ my ($o, $bool) = @_;
+ require IO::Socket::SSL;
+ $o->{SSL_verify_mode} = $bool ? IO::Socket::SSL::SSL_VERIFY_PEER() :
+ IO::Socket::SSL::SSL_VERIFY_NONE();
+}
+
sub mic_new ($$$$) {
my ($self, $mic_arg, $sec, $uri) = @_;
my %mic_arg = (%$mic_arg, Keepalive => 1);
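Review bot: set_ssl_verify_mode downgrades to SSL_VERIFY_NONE whenever $bool is false, and nothing in this patch makes that visible at runtime, so a forgotten `sslVerify=false` in a config will silently keep accepting any certificate; a warning at the point the mode is chosen, `warn "W: TLS certificate verification disabled (sslVerify=false)\n" unless $bool;`, would surface it in lei/-watch output with no other change. The sub also deserves a one-line header comment, e.g. `# false => SSL_VERIFY_NONE: the peer certificate is not checked, so a MITM is possible; meant for tests and broken legacy setups only`. The same point applies to both call sites, in the imap.sslVerify and nntp.sslVerify hunks below.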
@@ -138,7 +145,6 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
Server => $host,
%$common, # may set Starttls, Compress, Debug ....
};
- $mic_arg->{Ssl} = 1 if $uri->scheme eq 'imaps';
require PublicInbox::IMAPClient;
my $mic = mic_new($self, $mic_arg, $sec, $uri);
($mic && $mic->IsConnected) or
@@ -341,6 +347,7 @@ sub imap_common_init ($;$) {
}
my $to = cfg_intvl($cfg, 'imap.timeout', $$uri);
$mic_common->{$sec}->{Timeout} = $to if $to;
+ $mic_common->{$sec}->{Ssl} = 1 if $uri->scheme eq 'imaps';
# knobs we use ourselves:
my $sa = socks_args($cfg->urlmatch('imap.Proxy', $$uri));
@@ -350,11 +357,18 @@ sub imap_common_init ($;$) {
$self->{cfg_opt}->{$sec}->{$k} = $to;
}
my $k = 'imap.fetchBatchSize';
- my $bs = $cfg->urlmatch($k, $$uri) // next;
- if ($bs =~ /\A([0-9]+)\z/ && $bs > 0) {
- $self->{cfg_opt}->{$sec}->{batch_size} = $bs;
- } else {
- warn "$k=$bs is not a positive integer\n";
+ if (defined(my $bs = $cfg->urlmatch($k, $$uri))) {
+ ($bs =~ /\A([0-9]+)\z/ && $bs > 0) ?
+ ($self->{cfg_opt}->{$sec}->{batch_size} = $bs) :
+ warn("$k=$bs is not a positive integer\n");
+ }
+ my $v = $cfg->urlmatch(qw(--bool imap.sslVerify), $$uri);
+ if (defined $v) {
+ my $cur = $mic_common->{$sec} //= {};
+ $cur->{Starttls} //= 1 if !$cur->{Ssl};
+ for my $f (grep { $cur->{$_} } qw(Ssl Starttls)) {
+ set_ssl_verify_mode($cur->{$f} = {}, $v);
+ }
}
}
# make sure we can connect and cache the credentials in memory
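Review bot: `set_ssl_verify_mode($cur->{$f} = {}, $v)` overwrites whatever `$cur->{Ssl}` or `$cur->{Starttls}` held with a fresh hashref, so if either already carried a hash of TLS options (the shape mic_tls_opt in the first hunk consumes) those options would be dropped; from this hunk alone it looks like only `1` reaches here, but reusing an existing hashref is cheap insurance: `my $o = ref($cur->{$f}) ? $cur->{$f} : ($cur->{$f} = {}); set_ssl_verify_mode($o, $v);`. Note too that `$cur->{Starttls} //= 1 if !$cur->{Ssl}` means setting imap.sslVerify to either value on a plain imap:// URL switches STARTTLS on; that is sensible (verification needs TLS) but is stated nowhere, and a comment such as `# sslVerify only makes sense over TLS, so imply STARTTLS for plain imap://` would help. imap_common_init continues beyond the hunk.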
@@ -402,6 +416,8 @@ sub nntp_common_init ($;$) {
$v = $cfg->urlmatch('--bool', "nntp.$k", $$uri);
$self->{cfg_opt}->{$sec}->{$k} = $v if defined $v;
}
+ $v = $cfg->urlmatch(qw(--bool nntp.sslVerify), $$uri);
+ set_ssl_verify_mode($args, $v) if defined $v;
# -watch internal option
for my $k (qw(pollInterval)) {
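Review bot: On the NNTP side `set_ssl_verify_mode($args, $v)` sets SSL_verify_mode unconditionally, whereas the IMAP hunk only applies it when Ssl or Starttls is in use and implies STARTTLS for plain URLs; here a `nntp.sslVerify` on a plain nntp:// URL (neither nntps:// nor nntp.starttls) would presumably be a silent no-op, and whether $args already carries the SSL or STARTTLS flags at this point is outside the hunk. If the IMAP behaviour is the intended one, mirroring it here (set the mode only when TLS is in use, or warn that sslVerify has no effect) keeps the two options consistent; otherwise a short comment explaining the asymmetry would do. nntp_common_init continues outside the hunk.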
diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 673a9436..e432ef07 100644
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
@@ -1,8 +1,7 @@
#!perl -w
-# Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
use Socket qw(IPPROTO_TCP SOL_SOCKET);
use PublicInbox::TestCommon;
# IO::Poll is part of the standard library, but distros may split it off...
@@ -158,10 +157,19 @@ for my $args (
test_lei(sub {
lei_ok qw(ls-mail-source), "imap://$starttls_addr",
\'STARTTLS not used by default';
+ my $plain_out = $lei_out;
ok(!lei(qw(ls-mail-source -c imap.starttls),
"imap://$starttls_addr"), 'STARTTLS verify fails');
unlike $lei_err, qr!W: imap\.starttls= .*? is not boolean!i,
'no non-boolean warning';
+ lei_ok qw(-c imap.starttls -c imap.sslVerify= ls-mail-source),
+ "imap://$starttls_addr",
+ \'disabling imap.sslVerify works w/ STARTTLS';
+ is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+ lei_ok qw(ls-mail-source -c imap.sslVerify=false),
+ "imaps://$imaps_addr",
+ \'disabling imap.sslVerify works w/ imaps://';
+ is $lei_out, $plain_out, 'sslVerify=false w/ IMAPS output';
});
SKIP: {
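Review bot: The new assertions only exercise `sslVerify=false`; nothing in this hunk pins the secure default, i.e. that `imaps://$imaps_addr` without any imap.sslVerify setting still fails against the test certificate the way the existing 'STARTTLS verify fails' case does, so a regression that flipped the default to no verification would pass these tests. If that case is not already covered elsewhere in the file, a one-liner next to the new ones closes the gap: `ok(!lei(qw(ls-mail-source), "imaps://$imaps_addr"), 'imaps:// verify fails by default');`. The same applies to the t/nntpd-tls.t hunk with `nntps://$nntps_addr`.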
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 095aef96..21377fc0 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -1,8 +1,7 @@
#!perl -w
-# Copyright (C) 2019-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
use PublicInbox::TestCommon;
use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
# IO::Poll and Net::NNTP are part of the standard library, but
@@ -149,12 +148,22 @@ for my $args (
test_lei(sub {
lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
\'STARTTLS not used by default';
+ my $plain_out = $lei_out;
ok(!lei(qw(ls-mail-source -c nntp.starttls),
"nntp://$starttls_addr"), 'STARTTLS verify fails');
like $lei_err, qr/STARTTLS requested/,
'STARTTLS noted in stderr';
unlike $lei_err, qr!W: nntp\.starttls= .*? is not boolean!i,
'no non-boolean warning';
+ lei_ok qw(-c nntp.starttls -c nntp.sslVerify= ls-mail-source),
+ "nntp://$starttls_addr",
+ \'disabling nntp.sslVerify works w/ STARTTLS';
+ is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+
+ lei_ok qw(ls-mail-source -c nntp.sslVerify=false),
+ "nntps://$nntps_addr",
+ \'disabling nntp.sslVerify works w/ nntps://';
+ is $lei_out, $plain_out, 'sslVerify=false w/ NNTPS output';
});
SKIP: {