command-line sieve client that supports TLS

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Wed Nov 15 06:22:38 EST 2006


On 2006-11-15 at 09:37 +0100, Wolfgang Hennerbichler wrote:
> it is absolutely great. You should urge cyrus developers to include  
> it in their source code, once it's mature enough and well tested.

I have no objection to that.  Slap a BSD-ish license on the code.

However, there might be some issues with including it.  Eg, the
Authen::SASL driver is explicitly set to be the Perl one, not the Cyrus
one.  Authen::SASL documents that the connection class will implement a
mechanism() method, which the Cyrus driver does not.  This makes it
rather awkward to actually start negotiation as a client.

> Well, here is one.
> For self-signed certificates I get the error
> STARTTLS promotion failed: SSL connect attempt failed with unknown
> errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> it would be great to add a --noverify option for TLS, for self-signed  
> certificates.

The problem with not doing verification is that you don't know if the
server you're talking to is actually a man-in-the-middle, which defeats
the purpose of bothering with encryption for anything seriously
confidential.

If you have a bunch of services then you might consider setting up your
own little private Certificate Authority.  I recently wrote the article
at <URL:http://lopsa.org/SSLIntro> which explains SSL certificates and
authorities for sysadmin-level techs who are already familiar with PGP
and SSH.  It walks you through setting up a personal CA, explaining
_why_ you're doing the various steps.

Right at the start of the script is the only bit I thought should need
tuning on a per-site basis, above the "No user-serviceable parts below"
warning; that's %ssl_options.  If you want to turn off verification,
change the option in there.  I really don't want to encourage this by
making it too easy, but if you've read this far ... setting the value to
0x00 will turn off verification.

Regards,
-Phil
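Added example, not part of Phil's post or of the sieve client it discusses: the private-CA route he recommends, done with the openssl command line. It builds a throwaway CA, issues a certificate for a made-up host (sieve.example.org), and then runs the check a verifying client performs three ways: against the private CA (passes), against the default trust store only (the "certificate verify failed" in the quoted error), and, going one step beyond the post, with the hostname check that rejects a certificate issued for some other name even when it chains to the trusted CA. Host names, file names and the scratch directory are assumptions.

```sh
#!/bin/sh
# Added example (not code from the original post or from the sieve client it
# discusses): a throwaway private CA built with the openssl CLI, a server cert
# issued from it for a hypothetical host "sieve.example.org", and the checks a
# verifying client performs. All names and paths here are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# 1. Create the CA: one key and one self-signed certificate. The certificate
#    (never the key) is what every client gets as its trust anchor.
make_private_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. Issue a server certificate for host $1: key + CSR, then sign the CSR with
#    the CA key, adding server-only extensions and the hostname as a SAN.
issue_server_cert() {
  host="$1"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" \
    > "$WORK/$host.cnf"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/$host.cnf" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 825 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" >/dev/null 2>&1
}

# 3a. Client that trusts the private CA: the chain check passes (exit 0).
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# 3b. Client with only the default trust store: this is the "certificate
#     verify failed" from the post (non-zero exit). The fix is 3a, not
#     switching verification off.
verify_without_ca() {
  openssl verify "$WORK/$1.pem" >/dev/null 2>&1
}

# 3c. Chain check plus hostname check: a certificate from our CA for some
#     other host (what a man-in-the-middle could at best present) must still
#     be rejected. $1 = cert file stem, $2 = name the client connected to.
verify_hostname() {
  cert="$1"; expected="$2"
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$expected" \
    "$WORK/$cert.pem" >/dev/null 2>&1
}

# Demo run: builds everything and reports each check.
make_private_ca
issue_server_cert sieve.example.org
verify_with_ca sieve.example.org && echo "chain, private CA trusted:   ok"
verify_without_ca sieve.example.org || echo "chain, CA not trusted:       fails (the error in the post)"
verify_hostname sieve.example.org sieve.example.org && echo "hostname sieve.example.org:  ok"
verify_hostname sieve.example.org imap.example.org || echo "hostname imap.example.org:   fails"
```

The only file that has to reach the client side is ca.pem: point the IO::Socket::SSL option SSL_ca_file at it and leave SSL_verify_mode at peer verification, rather than setting the verify mode in %ssl_options to 0x00. The server gets sieve.example.org.key and sieve.example.org.pem; ca.key stays offline.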

