After client authenticated STARTTLS, no EXTERNAL?
Rob Siemborski
rjs3 at andrew.cmu.edu
Thu May 27 11:04:30 EDT 2004

On Thu, 27 May 2004, Simon Josefsson wrote:
> Hello.  Is it possible to get client authenticated STARTTLS working
> with Cyrus IMAPD, without a password login?
>
> I'm assuming EXTERNAL would be used for this, so here is what I put in
> imapd.conf:
>
> sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5 EXTERNAL
Yes, it can, provided you authenticate with a proper trusted client cert 
(and that there is an authzid that is usable in the certificate).
> However, even after successful client auth STARTTLS, the EXTERNAL
> mechanism is not available.  Any ideas?
To be honest, this hasn't gotten much testing because it isn't really used 
by anyone (due to the need to have some way to convert client certs CNs to 
IMAP IDs reliably).  I'd look for a problem in either cmd_starttls in 
imapd.c (to not set the SASL_AUTH_EXTERNAL value properly) or possibly 
in the code in server.c:mech_permitted in SASL.  I do know that there was 
a bug in the handling of external that was fixed in 2.1.18, btw 
(revision 1.136 of server.c)...
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
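Two checks that follow from the thread, as an added example that is not part of the original exchange or of Cyrus itself: a client-side probe that records whether AUTH=EXTERNAL shows up in CAPABILITY only after a client-certificate STARTTLS, and a server-side helper showing the "convert a client cert CN to an IMAP ID" step Rob mentions, with a deliberately strict id policy that is an assumption of this example. The sample capability strings are constructed, and `probe` needs a reachable server.

```python
"""Check whether AUTH=EXTERNAL appears after a client-cert STARTTLS, and
map a certificate CN to an IMAP id (or refuse to) the way a server must."""
import imaplib
import re
import ssl

# Assumed id policy for this example: lowercase local part, optional domain.
# Real deployments choose their own mapping; anything else is rejected.
IMAP_ID_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}(@[a-z0-9.-]+)?$")

# Constructed sample CAPABILITY lines, as a Cyrus server might send them
# before and after STARTTLS (not captured from a real server).
SAMPLE_BEFORE = "IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5"
SAMPLE_AFTER = "IMAP4rev1 LITERAL+ AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=EXTERNAL"


def parse_capabilities(cap_line: str) -> set:
    """Split one CAPABILITY response into a set of upper-case tokens."""
    return {tok.upper() for tok in cap_line.split()}


def has_external(cap_line: str) -> bool:
    """True if the server advertises the SASL EXTERNAL mechanism."""
    return "AUTH=EXTERNAL" in parse_capabilities(cap_line)


def authzid_from_peercert(cert: dict):
    """Server-side step: take the CN from an ssl.getpeercert()-style dict
    and return it only if it is usable verbatim as an IMAP id, else None.
    Refusing unmappable CNs is safer than guessing an id for them."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value if IMAP_ID_RE.match(value) else None
    return None


def probe(host, port=143, certfile=None, keyfile=None, cafile=None):
    """Connect, record CAPABILITY before and after STARTTLS with a client
    cert, and return (external_before, external_after) for comparison."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    conn = imaplib.IMAP4(host, port)
    before = " ".join(c.decode() for c in conn.capability()[1])
    conn.starttls(ssl_context=ctx)
    after = " ".join(c.decode() for c in conn.capability()[1])
    conn.logout()
    return has_external(before), has_external(after)


if __name__ == "__main__":
    print("EXTERNAL before/after (samples):",
          has_external(SAMPLE_BEFORE), has_external(SAMPLE_AFTER))
```

If `probe` reports False both before and after STARTTLS with a valid client cert, the mechanism is being filtered the way the thread describes rather than by the capability advertisement itself.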