wes at umich.edu
Mon Jun 16 20:50:18 EDT 2008
On 16 Jun 2008, at 19:07, Andrew Morgan wrote:
> Does the mupdate process in a Cyrus murder actually use TLS?
Almost certainly. mupdate_connect devolves to backend_connect, the
same routine that cyrus routinely uses throughout for proxy
connections. Also, the mupdate server pays attention to the
"allowplaintext" configuration, so if you're not using TLS and aren't
permitting plaintest, passwords don't work. Are you using GSSAPI?
> The 'mupdatetest' binary doesn't seem to support it. The --help
> list TLS as an option, and if I use "-t ''", it just hangs during TLS
I see that imtest / mupdatetest specifically doesn't mention -t wrt
mupdate. But imtest's TLS support is pretty broken, AFAIK. In
particular, there's not way at all to set a CA location. In any
case, mupdatetest -t "" does in fact work for me, tho it gives errors
about self-signed certificates. With no CA, self-signed certs are
kind of a given.
> It seems like it should work because mupdated lists STARTTLS in the
> capability string, but none of the hosts in my Cyrus murder try to
> use TLS
> as far as I can tell.
If you don't want them to, don't configure certificates for your
mupdate master. Personally, I'm using GSSAPI everywhere, so I prefer
not to have certificates configured where they aren't going to
provide me with much (if any) benefit. If you do configure them,
they are used.
More information about the Info-cyrus