mupdate TLS
Wesley Craig
wes at umich.edu
Mon Jun 16 20:50:18 EDT 2008
On 16 Jun 2008, at 19:07, Andrew Morgan wrote:
> Does the mupdate process in a Cyrus murder actually use TLS?
Almost certainly. mupdate_connect devolves to backend_connect, the
same routine that cyrus routinely uses throughout for proxy
connections. Also, the mupdate server pays attention to the
"allowplaintext" configuration, so if you're not using TLS and aren't
permitting plaintext, passwords don't work. Are you using GSSAPI?
> The 'mupdatetest' binary doesn't seem to support it. The --help doesn't
> list TLS as an option, and if I use "-t ''", it just hangs during TLS
> negotiation.
I see that imtest / mupdatetest specifically doesn't mention -t wrt
mupdate. But imtest's TLS support is pretty broken, AFAIK. In
particular, there's no way at all to set a CA location. In any
case, mupdatetest -t "" does in fact work for me, tho it gives errors
about self-signed certificates. With no CA, self-signed certs are
kind of a given.
> It seems like it should work because mupdated lists STARTTLS in the
> capability string, but none of the hosts in my Cyrus murder try to use TLS
> as far as I can tell.
If you don't want them to, don't configure certificates for your
mupdate master. Personally, I'm using GSSAPI everywhere, so I prefer
not to have certificates configured where they aren't going to
provide me with much (if any) benefit. If you do configure them,
they are used.
:wes
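
The check this thread turns on (does the mupdate greeting list STARTTLS, and are password mechanisms advertised before TLS is active), as an added example that is not part of the original message or of Cyrus itself. It assumes the RFC 3656 greeting layout (`* AUTH ...`, `* STARTTLS`, `* OK MUPDATE ...`) and the default mupdate port 3905; the function names and the sample greetings are constructed for illustration.

```python
import shlex
import socket

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself

# Constructed sample greetings (assumed RFC 3656 layout, not captured from a real server).
SAMPLE_GSSAPI_TLS = ['* AUTH "GSSAPI"', '* STARTTLS',
                     '* OK MUPDATE "mupdate.example.org" "Cyrus Murder" "v2.3.x" "(master)"']
SAMPLE_PLAIN_NO_TLS = ['* AUTH "PLAIN" "GSSAPI"',
                       '* OK MUPDATE "mupdate.example.org" "Cyrus Murder" "v2.3.x" "(master)"']

def fetch_banner(host, port=3905, timeout=5.0):
    """Read the unsolicited greeting, up to and including its final status line."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for raw in sock.makefile("rb"):
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if line.upper().startswith(("* OK", "* NO", "* BAD", "* BYE")):
                break
    return lines

def parse_banner(lines):
    """Extract SASL mechanisms, STARTTLS support and the greeting line."""
    info = {"mechs": [], "starttls": False, "greeting": None}
    for line in lines:
        if not line.startswith("* "):
            continue
        words = shlex.split(line[2:])      # strips the quotes around each word
        if not words:
            continue
        tag = words[0].upper()
        if tag == "AUTH":
            info["mechs"] = [w.upper() for w in words[1:]]
        elif tag == "STARTTLS":
            info["starttls"] = True
        elif tag == "OK":
            info["greeting"] = line[2:]
    return info

def assess(info, tls_active=False):
    """Return findings for a greeting seen before (or after) TLS negotiation."""
    findings = []
    if not tls_active and not info["starttls"]:
        findings.append("no STARTTLS offered: session can only run in cleartext")
    exposed = sorted(PLAINTEXT_MECHS.intersection(info["mechs"]))
    if exposed and not tls_active:
        findings.append("password mechanisms offered before TLS: " + ", ".join(exposed))
    return findings
```

Against a live master, `assess(parse_banner(fetch_banner("mupdate.example.org")))` runs the same checks; the host name is a placeholder.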