unofficial mirror of meta@public-inbox.org
 help / color / mirror / Atom feed
From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Subject: [PATCH 4/8] net_reader: support imap.sslVerify + nntp.sslVerify
Date: Tue,  3 Oct 2023 06:43:48 +0000	[thread overview]
Message-ID: <20231003064352.2902298-5-e@80x24.org> (raw)
In-Reply-To: <20231003064352.2902298-1-e@80x24.org>

These options are useful for testing as well as users stuck on
out-of-date systems, dealing with forgetful sysadmins, broken
cronjobs, and/or are willing to risk MITM attacks.
---
 lib/PublicInbox/NetReader.pm | 28 ++++++++++++++++++++++------
 t/imapd-tls.t                | 14 +++++++++++---
 t/nntpd-tls.t                | 15 ++++++++++++---
 3 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 5819f210..2d6cb0d6 100644
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -49,6 +49,13 @@ sub mic_tls_opt ($$) {
 	[ map { ($_, $o->{$_}) } keys %$o ];
 }
 
+sub set_ssl_verify_mode ($$) {
+	my ($o, $bool) = @_;
+	require IO::Socket::SSL;
+	$o->{SSL_verify_mode} = $bool ? IO::Socket::SSL::SSL_VERIFY_PEER() :
+					IO::Socket::SSL::SSL_VERIFY_NONE();
+}
+
 sub mic_new ($$$$) {
 	my ($self, $mic_arg, $sec, $uri) = @_;
 	my %mic_arg = (%$mic_arg, Keepalive => 1);
@@ -138,7 +145,6 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
 		Server => $host,
 		%$common, # may set Starttls, Compress, Debug ....
 	};
-	$mic_arg->{Ssl} = 1 if $uri->scheme eq 'imaps';
 	require PublicInbox::IMAPClient;
 	my $mic = mic_new($self, $mic_arg, $sec, $uri);
 	($mic && $mic->IsConnected) or
@@ -341,6 +347,7 @@ sub imap_common_init ($;$) {
 		}
 		my $to = cfg_intvl($cfg, 'imap.timeout', $$uri);
 		$mic_common->{$sec}->{Timeout} = $to if $to;
+		$mic_common->{$sec}->{Ssl} = 1 if $uri->scheme eq 'imaps';
 
 		# knobs we use ourselves:
 		my $sa = socks_args($cfg->urlmatch('imap.Proxy', $$uri));
@@ -350,11 +357,18 @@ sub imap_common_init ($;$) {
 			$self->{cfg_opt}->{$sec}->{$k} = $to;
 		}
 		my $k = 'imap.fetchBatchSize';
-		my $bs = $cfg->urlmatch($k, $$uri) // next;
-		if ($bs =~ /\A([0-9]+)\z/ && $bs > 0) {
-			$self->{cfg_opt}->{$sec}->{batch_size} = $bs;
-		} else {
-			warn "$k=$bs is not a positive integer\n";
+		if (defined(my $bs = $cfg->urlmatch($k, $$uri))) {
+			($bs =~ /\A([0-9]+)\z/ && $bs > 0) ?
+				($self->{cfg_opt}->{$sec}->{batch_size} = $bs) :
+				warn("$k=$bs is not a positive integer\n");
+		}
+		my $v = $cfg->urlmatch(qw(--bool imap.sslVerify), $$uri);
+		if (defined $v) {
+			my $cur = $mic_common->{$sec} //= {};
+			$cur->{Starttls} //= 1 if !$cur->{Ssl};
+			for my $f (grep { $cur->{$_} } qw(Ssl Starttls)) {
+				set_ssl_verify_mode($cur->{$f} = {}, $v);
+			}
 		}
 	}
 	# make sure we can connect and cache the credentials in memory
@@ -402,6 +416,8 @@ sub nntp_common_init ($;$) {
 			$v = $cfg->urlmatch('--bool', "nntp.$k", $$uri);
 			$self->{cfg_opt}->{$sec}->{$k} = $v if defined $v;
 		}
+		$v = $cfg->urlmatch(qw(--bool nntp.sslVerify), $$uri);
+		set_ssl_verify_mode($args, $v) if defined $v;
 
 		# -watch internal option
 		for my $k (qw(pollInterval)) {
diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 673a9436..e432ef07 100644
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
@@ -1,8 +1,7 @@
 #!perl -w
-# Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
 use Socket qw(IPPROTO_TCP SOL_SOCKET);
 use PublicInbox::TestCommon;
 # IO::Poll is part of the standard library, but distros may split it off...
@@ -158,10 +157,19 @@ for my $args (
 	test_lei(sub {
 		lei_ok qw(ls-mail-source), "imap://$starttls_addr",
 			\'STARTTLS not used by default';
+		my $plain_out = $lei_out;
 		ok(!lei(qw(ls-mail-source -c imap.starttls),
 			"imap://$starttls_addr"), 'STARTTLS verify fails');
 		unlike $lei_err, qr!W: imap\.starttls= .*? is not boolean!i,
 			'no non-boolean warning';
+		lei_ok qw(-c imap.starttls -c imap.sslVerify= ls-mail-source),
+			"imap://$starttls_addr",
+			\'disabling imap.sslVerify works w/ STARTTLS';
+		is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+		lei_ok qw(ls-mail-source -c imap.sslVerify=false),
+			"imaps://$imaps_addr",
+			\'disabling imap.sslVerify works w/ imaps://';
+		is $lei_out, $plain_out, 'sslVerify=false w/ IMAPS output';
 	});
 
 	SKIP: {
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 095aef96..21377fc0 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -1,8 +1,7 @@
 #!perl -w
-# Copyright (C) 2019-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
-use strict;
-use v5.10.1;
+use v5.12;
 use PublicInbox::TestCommon;
 use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
 # IO::Poll and Net::NNTP are part of the standard library, but
@@ -149,12 +148,22 @@ for my $args (
 	test_lei(sub {
 		lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
 			\'STARTTLS not used by default';
+		my $plain_out = $lei_out;
 		ok(!lei(qw(ls-mail-source -c nntp.starttls),
 			"nntp://$starttls_addr"), 'STARTTLS verify fails');
 		like $lei_err, qr/STARTTLS requested/,
 			'STARTTLS noted in stderr';
 		unlike $lei_err, qr!W: nntp\.starttls= .*? is not boolean!i,
 			'no non-boolean warning';
+		lei_ok qw(-c nntp.starttls -c nntp.sslVerify= ls-mail-source),
+			"nntp://$starttls_addr",
+			\'disabling nntp.sslVerify works w/ STARTTLS';
+		is $lei_out, $plain_out, 'sslVerify=false w/ STARTTLS output';
+
+		lei_ok qw(ls-mail-source -c nntp.sslVerify=false),
+			"nntps://$nntps_addr",
+			\'disabling nntp.sslVerify works w/ nntps://';
+		is $lei_out, $plain_out, 'sslVerify=false w/ NNTPS output';
 	});
 
 	SKIP: {

  parent reply	other threads:[~2023-10-03  6:43 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-03  6:43 [PATCH 0/8] IMAP/NNTP client improvements Eric Wong
2023-10-03  6:43 ` [PATCH 1/8] net_reader: bail out on NNTP SOCKS connection failure Eric Wong
2023-10-03  6:43 ` [PATCH 2/8] net_reader: avoid IO::Socket::SSL 2.079..2.081 warning Eric Wong
2023-10-03  6:43 ` [PATCH 3/8] config: fix key-only truthy values with urlmatch Eric Wong
2023-10-03  6:43 ` Eric Wong [this message]
2023-10-03  6:43 ` [PATCH 5/8] lei: workers exit after they tell lei-daemon Eric Wong
2023-10-03  6:43 ` [PATCH 6/8] net_reader: process title reflects NNTP article Eric Wong
2023-10-03  6:43 ` [PATCH 7/8] xt/lei-onion-convert: test TLS + SOCKS Eric Wong
2023-10-03  6:43 ` [PATCH 8/8] net_reader: note glob support in .onion hint Eric Wong
2023-10-03  7:11 ` "SSL" in option names is weird in 2023 Eric Wong

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231003064352.2902298-5-e@80x24.org \
    --to=e@80x24.org \
    --cc=meta@public-inbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).