Fix TLS verification; find server by own hostname & SRV.

* TLS hostname verification was not actually happening. I'm mortified. * IO::Socket::SSL requirement bumped to 1.14 (was 0.97). * By default, if no server specified, before falling back to localhost try to use the current hostname and SRV records in DNS to figure out if Sieve is available. Checks for sieve, imaps & imap protocol SRV records and honours target==. to mean "no". * This works better with the Mozilla::PublicSuffix module installed. * Added ability to blacklist authentication mechanisms
philpennock · Apr 14, 2013 · 1dd818b · 1dd818b
1 parent 0602a34
commit 1dd818b
Show file tree

Hide file tree

Showing 5 changed files with 231 additions and 17 deletions.
diff --git a/LICENSE b/LICENSE
@@ -1,4 +1,4 @@
-Copyright © 2006-2012 Phil Pennock.  All rights reserved.
+Copyright © 2006-2013 Phil Pennock.  All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions

diff --git a/README b/README
@@ -56,12 +56,13 @@ Pre-Requisites
  Perl5
  Authen::SASL
  IO::Socket::INET6
- IO::Socket::SSL      0.97 or greater
+ IO::Socket::SSL         1.14 or greater
+ Mozilla::PublicSuffix   optional; automatic server location
  Net::DNS
  Pod::Usage
- Term::ReadKey 	      optional; password prompting without echo
- Term::ReadLine       optional; improves interactive mode
- Term::ReadLine::Gnu  optional; adds tab-completion
+ Term::ReadKey           optional; password prompting without echo
+ Term::ReadLine          optional; improves interactive mode
+ Term::ReadLine::Gnu     optional; adds tab-completion
  various other Perl modules which are shipped with Perl itself
 
 
@@ -82,6 +83,14 @@ chose to avoid having readline mess with $LINES/$COLUMNS and just edited
 readline-$VER/terminal.c to disable the call to sh_set_lines_and_columns().
 
 
+On some platforms, bad interactions between the Authen::SASL::Perl module's
+GSSAPI support and the platform GSSAPI libraries have been observed to cause
+Perl to segfault during authentication.  If you observe this and fixing your
+libraries is not an option, take a look at the %blacklist_auth_mechanisms
+definition in the user-editable part of the script and force-disable the
+mechanism which has broken platform Perl support.
+
+
 If you experience any other problems, or have better solutions to the above,
 please report them.
 

diff --git a/TODO b/TODO
@@ -3,6 +3,7 @@ Things that sieve-connect would like for xmas.
  * A full test-suite to torture the client.
  * Support for referrals
    * A server which does this so it can be tested
+ * DANE support for chasing TLS expected hostnames out of verified DNS
  * Figuring out sensible things to do with response codes in general
  * Figuring out what's going on with the isode implementation and the Perl
    SASL libraries that breaks authentication.

diff --git a/find-perl58.sh b/find-perl58.sh
@@ -27,5 +27,5 @@ if [ ".$p58" != "." ]; then
 	echo "$p58"
 	exit 0
 fi
-echo >&2 "$0: Failed to find a Perl 5.8 interpreter"
+echo >&2 "$0: Failed to find a Perl >= 5.8 interpreter"
 exit 1