Patch: forcing SSL before auth

Leena Heino Leena.Heino at uta.fi
Mon Aug 10 08:43:34 EDT 2015


On Mon, 10 Aug 2015, Bron Gondwana wrote:

> On Mon, Aug 10, 2015, at 21:05, Carlos Velasco wrote:
>>
>> El 10/08/2015 a las 7:42, Leena Heino escribió:
>>> Attached is a patch to add CA certificate options to cyradm. The patch
>>> does not change the default functionality in cyradm; it only adds
>>> the missing CA certificate options and documentation.
>>>
>>> This is a refinement to the patch that Carlos Velasco has sent.
>>>
>>> This patch can be applied to Cyrus imapd 2.4, 2.5 and git master branches.
>>
>> Can't see the attachment ;)
>
> :) Yeah - that might be handy to have!  Ellie has said that she'll have a look at it tomorrow
> (in our team meeting 30 min ago), so it would be handy to have the attachment!

It seems that my mail program did not attach the patch. I'll try to
send it again.

-- 
   Leena Heino              University of Tampere / Computer Centre
   ( liinu at uta.fi )      ( http://www.uta.fi/laitokset/tkk )
diff -Naur cyrus-imapd-2.5.5.orig/perl/imap/IMAP/Shell.pm cyrus-imapd-2.5.5/perl/imap/IMAP/Shell.pm
--- cyrus-imapd-2.5.5.orig/perl/imap/IMAP/Shell.pm	2015-08-10 04:01:26.000000000 +0300
+++ cyrus-imapd-2.5.5/perl/imap/IMAP/Shell.pm	2015-08-10 08:30:21.988057250 +0300
@@ -444,9 +444,9 @@
 # programs, as opposed to things expected from within a program.)
 sub shell {
   my ($server, $port, $authz, $auth, $systemrc, $userrc, $dorc, $mech, $pw,
-      $tlskey, $notls) =
+      $tlskey, $notls, $cacert, $capath) =
     ('', 143, undef, $ENV{USER} || $ENV{LOGNAME}, '/usr/local/etc/cyradmrc.pl',
-     "$ENV{HOME}/.cyradmrc.pl", 1, undef, undef, undef, undef);
+     "$ENV{HOME}/.cyradmrc.pl", 1, undef, undef, undef, undef, undef, undef);
   GetOptions('user|u=s' => \$auth,
 	     'authz|z=s' => \$authz,
 	     'rc|r!' => \$dorc,
@@ -458,6 +458,8 @@
 	     'password|w=s' => \$pw,
   	     'tlskey|t:s' => \$tlskey,
   	     'notls' => \$notls,
+  	     'cafile=s' => \$cacert,
+  	     'cadir=s' => \$capath,
 	     'help|h' => sub { cyradm_usage(); exit(0); },
 	     'version|v' => sub { cyradm_version(); exit(0); }
 	    );
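Review bot: The new `cafile=s` and `cadir=s` options accept any string, and nothing in this hunk checks that the path exists or is readable before it is handed on to authenticate(); a mistyped path would presumably surface only later as an opaque TLS or authentication error instead of a clear message. Right after the GetOptions call, whose `);` closes in this hunk, I would add `die "cyradm: CA file '$cacert' is not readable\n" if defined $cacert && !-r $cacert;` and `die "cyradm: CA directory '$capath' is not a directory\n" if defined $capath && !-d $capath;`. The enclosing shell() sub starts before and continues past this hunk.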
@@ -478,7 +480,8 @@
 			  -rock => \$cyradm});
     $cyradm->authenticate(-authz => $authz, -user => $auth,
 			  -mechanism => $mech, -password => $pw,
-			  -tlskey => $tlskey, -notls => $notls)
+			  -tlskey => $tlskey, -notls => $notls,
+			  -cafile => $cacert, -cadir => $capath)
       or die "cyradm: cannot authenticate to server with $mech as $auth\n";
   }
   my $fstk = [*STDIN, *STDOUT, *STDERR];
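Review bot: When a CA file or directory is supplied, a failure to verify the server certificate would presumably be reported by the `or die "cyradm: cannot authenticate to server with $mech as $auth\n"` line as a plain authentication failure, hiding the real cause from the user. I would extend the message to point at the new options, e.g. `or die "cyradm: cannot authenticate to server with $mech as $auth" . ((defined $cacert || defined $capath) ? " (server certificate verification via --cafile/--cadir was requested)" : '') . "\n";`. Whether authenticate() distinguishes a verification failure from an authentication failure cannot be seen from this hunk, and the `if` block containing the call starts outside it.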
@@ -507,6 +510,11 @@
   --userrc <file>       Use user configuration <file>
   --port <port>         Connect to server on <port>
   --auth <mechanism>    Authenticate with <mechanism>
+  --tlskey <keyfile>    Use certicate with keyfile to authentica with server
+  --notls               Disable StartTLS negotiation
+  --cafile <cacertfile> Use CA certificate file to validate server certificate
+  --cadir <cacertdirectory> Use CA certificate directory to validate
+                            server certificate
   --help                This help message
   --version             The version of Cyrus IMAP this utility is a part of
 
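Review bot: The added `--tlskey` help line has two typos, `certicate` and `authentica`; it should read `  --tlskey <keyfile>    Use certificate with keyfile to authenticate with server`. The `--cadir <cacertdirectory>` entry also breaks the column alignment the rest of the table keeps and spills onto a continuation line; `  --cadir <cacertdir>   Use CA certificate directory to validate server certificate` fits the column and reuses the `cacertdir` placeholder the usage strings later in this patch already use.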
@@ -834,9 +842,19 @@
 	$want = '-notls';
 	next;
       }
+      if ($opt ne '' && '-cafile' =~ /^\Q$opt/ || $opt eq '--cafile') {
+	$want = '-cafile';
+	next;
+      }
+      if ($opt ne '' && '-cadir' =~ /^\Q$opt/ || $opt eq '--cadir') {
+	$want = '-cadir';
+	next;
+      }
       if ($opt =~ /^-/) {
 	die "usage: authenticate [-minssf N] [-maxssf N] [-mechanisms STR]\n".
-	    "                    [-service name] [-tlskey keyfile] [-notls] [user]\n";
+	    "                    [-service name] [-tlskey keyfile] [-notls] [user]\n".
+	    "                    [-cafile cacertfile] [-cadir cacertdir]\n".
+	    "                    [user]\n";
       }
     }
     if ($opt =~ /^-/) {
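Review bot: The prefix tests `'-cafile' =~ /^\Q$opt/` and `'-cadir' =~ /^\Q$opt/` both accept the abbreviations `-c` and `-ca`, and because the -cafile test runs first an ambiguous `-ca` silently selects -cafile, so a directory given after `-ca` would be treated as a CA file. I would reject the ambiguous forms before the two tests, `die "authenticate: ambiguous option $opt (use -cafile or -cadir)\n" if $opt eq '-c' || $opt eq '-ca';`; whether `-c` is already claimed by an earlier option test cannot be seen here, since the option loop starts outside the hunk. Separately, the rewritten usage string lists `[user]` twice, at the end of the `[-tlskey keyfile] [-notls] [user]` line and again on the new final line; drop it from the first line so it appears once, and the same duplication is in the following hunk at +870. What later consumes `$want` is also outside the hunk.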
@@ -852,7 +870,9 @@
   if (@nargv > 1) {
     if (Cyrus::IMAP::havetls()) {
       die "usage: authenticate [-minssf N] [-maxssf N] [-mechanisms STR]\n".
-          "                    [-service name] [-tlskey keyfile] [-notls] [user]\n";
+          "                    [-service name] [-tlskey keyfile] [-notls] [user]\n".
+          "                    [-cafile cacertfile] [-cadir cacertdir]\n".
+          "                    [user]\n";
     } else {
       die "usage: authenticate [-minssf N] [-maxssf N] [-mechanisms STR]\n".
           "                    [-service name] [user]\n";
diff -Naur cyrus-imapd-2.5.5.orig/perl/imap/cyradm.sh cyrus-imapd-2.5.5/perl/imap/cyradm.sh
--- cyrus-imapd-2.5.5.orig/perl/imap/cyradm.sh	2015-08-10 04:01:26.000000000 +0300
+++ cyrus-imapd-2.5.5/perl/imap/cyradm.sh	2015-08-10 08:30:52.291138450 +0300
@@ -53,6 +53,7 @@
 
   $ cyradm [--user user] [--[no]rc] [--systemrc file] [--userrc file] \
   > [--port n] [--auth mechanism] [--tlskey keyfile] [--notls] \
+  > [--cafile cacertfile] [--cadir cacertdir] \
   > [--server] server
 
 but possibly

