Given the query parameter `tlsVerifyMode` one can specify the TLS
validation mode for IMAP, SMTP, and sieve protocols when the TLS
wrapper is enabled.
Possible options are:
* tlsVerifyMode=allowInsecureLocalhost: This will disable peer verification
if the remote host is on the local machine (localhost and similar)
* tlsVerifyMode=none: Disable all TLS checks. This should be used for
debugging only
Refs #5078
Add a new initializer for NGActiveSSLSocket, `initWithConnectedActiveSocket`
with the purpose to be initialized on top of a connected socket. Moving
the function of grabbing the socket fd and options from outside into the
SSL socket implementation itself.
Also by passing the socket, we don't have to pass the host name explicitly
anymore, as we can get it from the socket itself.
The verifyMode selector can enable the full TLS checks (default), disable
them for localhost addresses, or disable peer verification completely.
Refs #5078
Implement peer verification for TLS connections also
for GnuTLS. It will load the default system CA root store,
and also send the Server Name Indication (SNI).
Fixes #5019
Load system default CA trust store and verify the hostname of the
endpoint.
Simplify the SSL setup by reducing duplicate initialization code.
Require a host name argument now to be able to compare the host names
with.
Fixes #5019
Following the implementations on IMAP and Sieve, implement STARTTLS
also for SMTP: A new TLS socket is built on the already open socket
which performs all TLS related actions. The SMTP client then
only has to talk on the TLS socket.
Note that after issuing STARTTLS command, we have to re-request the
supported server capabilities (i.e. send EHLO again and parse the
server response), because the announced AUTH mechanism may change.
Fixes #31
Implement support for SMTPS. Remove some unused initialization
functions and add one expecting NSURL. From this url we can extract
the scheme: smtp:// or smtps://, whereas the former is unencrypted SMTP
and the latter refers to smtp in SSL/TLS wrapper mode (usually port 465).
As with IMAPS and STARTTLS for sieve, openssl or GnuTLS need to be present
for this to work.
Fixes #31
According to https://tools.ietf.org/html/rfc3501#section-5.1.3 ,
in comparison to Base64 encoding, "," should be used instead of "/"
as the greatest digit of the base.
Of course, this meant that the encodings used by an IMAP server (e.g.,
dovecot) and SOGo did not match when they were communicating with each
other.
For example, when SOGo attempts to create a folder whose encoding
includes the base64 "/" digit, it is not accepted as valid mUTF7 by
the IMAP server:
C[0x5649de0d5d30]: 5 LIST "" ""
S[0x5649de0f3640]: * LIST (\Noselect) "/" ""
S[0x5649de0f3640]: 5 OK List completed (0.001 + 0.040 + 0.039 secs).
C[0x5649de0d5d30]: 6 create "INBOX/&BD8EMAQ/BDA-"
S[0x5649de0f3640]: 6 NO Mailbox name is not valid mUTF-7 (0.001 + 0.000 secs).
In the other direction, when such a folder is listed by the IMAP
server, it appears with a ",", for example: "&BD8EMAQ/BDA-". And this
is not correctly decoded by SOGo due to the fact that "," is not known
to SOGo as a digit in this base and is mapped to -1 by the internal
table, which results in a wrong Unicode code.
An example of a Unicode string which would trigger this bug is a
string with U+043F CYRILLIC SMALL LETTER PE as the third letter:
$ printf '\x04\x3f\x04\x30\x04\x3f' | recode ucs-2..
$ printf '\x04\x3f\x04\x30\x04\x3f' | base64
BD8EMAQ/
Three two-byte Unicode (Cyrillic) characters correspond to eight 6-bit
base64 digits, the last one being "/":
U+043F               U+0430                U+043F
0000 01|00 0011 1111 00|00 0100 0011 00|00 0000 0100 00|11 1111
      B|      D|      8|      E|      M|      A|      Q|      /|
This bug has been reported in:
https://sogo.nu/bugs/view.php?id=4308
https://bugzilla.altlinux.org/show_bug.cgi?id=32426
https://bugzilla.altlinux.org/show_bug.cgi?id=33722
and a part of the problem described in
https://sogo.nu/bugs/view.php?id=2318 must be caused by incorrect
mUTF7 encoding, too (and hence must have not been fixed completely
before):
And I see next messages when I try to open Cyrillic folder:
C[0x7fb2e23a77a0]: 5 select "&BBQEPgRBBEIEQwT/BEs-"
S[0x7fb2e21fb690]: 5 NO Invalid mailbox name: &BBQEPgRBBEIEQwT/BEs-
As can you see sogo sends wrong folder name:
received "&BBQEPgRBBEIEQwQ,BEs-"
sent "&BBQEPgRBBEIEQwT/BEs-"
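
The modified BASE64 rule from RFC 3501 section 5.1.3 that the last commit message refers to, as an added Python example (not part of the commit and not SOGo's code; the function names are hypothetical). The decoder rejects the plain base64 digit "/" inside a shift sequence, the same check the IMAP server applies in the logs above.

```python
import base64

def _shift(chunk: str) -> str:
    """Encode one non-ASCII run: UTF-16BE, base64 with ',' for '/', no '='."""
    b64 = base64.b64encode(chunk.encode("utf-16-be")).decode("ascii")
    return "&" + b64.rstrip("=").replace("/", ",") + "-"

def mutf7_encode(name: str) -> str:
    out, run = [], ""
    for ch in name:
        if 0x20 <= ord(ch) <= 0x7E:          # printable ASCII passes through
            if run:
                out.append(_shift(run))
                run = ""
            out.append("&-" if ch == "&" else ch)
        else:
            run += ch
    if run:
        out.append(_shift(run))
    return "".join(out)

def mutf7_decode(name: str) -> str:
    out, i = [], 0
    while i < len(name):
        if name[i] != "&":
            if not 0x20 <= ord(name[i]) <= 0x7E:
                raise ValueError("unencoded non-ASCII character")
            out.append(name[i])
            i += 1
            continue
        end = name.find("-", i)
        if end < 0:
            raise ValueError("unterminated '&' shift sequence")
        digits = name[i + 1:end]
        if "/" in digits or "=" in digits:   # plain-base64 digits are rejected
            raise ValueError("'/' and '=' are not modified-base64 digits")
        if digits:
            padded = digits.replace(",", "/") + "=" * (-len(digits) % 4)
            raw = base64.b64decode(padded, validate=True)
            out.append(raw.decode("utf-16-be"))
        else:
            out.append("&")                  # "&-" is a literal ampersand
        i = end + 1
    return "".join(out)

if __name__ == "__main__":
    folder = "INBOX/\u043f\u0430\u043f\u0430"   # constructed from the page's bytes
    print(mutf7_encode(folder))
    print(mutf7_decode("&BBQEPgRBBEIEQwQ,BEs-"))
```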