Email: email@example.com • Mastodon: @firstname.lastname@example.org • Debian: benh (Salsa, QA) • Gitweb: git.decadent.org.uk • GitHub: bwhacks
I usually send patches from git via git imap-send, which gives me a chance to edit and save them through my regular mail client. Obviously I want to make a secure connection to the IMAP server. The upstream code now supports doing this with OpenSSL, but git is under GPL and it seems that not all relevant contributors have given the extra permission to link with OpenSSL. So in Debian you still need to use an external program to provide a TLS tunnel.
The commonly used TLS tunnelling programs, openssl s_client and stunnel, do not validate server certificates in a useful way - at least by default.
Here's how I've configured git imap-send and stunnel to properly validate the server certificate. If you use the PLAIN or LOGIN authentication method with the server, you will still see the warning:
*** IMAP Warning *** Password is being sent in the clear
The server does see the clear-text password, but it is encrypted on the wire and git imap-send just doesn't know that.
[imap] user = ben folder = "drafts" tunnel = "stunnel ~/.git-imap-send/stunnel.conf"
debug = 3 foreground = yes client = yes connect = mail.decadent.org.uk:993 sslVersion = TLSv1.2 renegotiation = no verify = 2 ; Current CA for the IMAP server. ; If you don't want to pin to a specific CA certificate, use ; /etc/ssl/certs/ca-certificates.crt instead. CAfile = /etc/ssl/certs/StartCom_Certification_Authority.pem checkHost = mail.decadent.org.uk
If stunnel chokes on the checkHost variable, it doesn't support certificate name validation. Unfortunately no Debian stable release has this feature - only testing/unstable. I'm wondering whether it would be worthwhile to backport it or even to make a stable update to add this important security feature.