mupdate TLS

Andrew Morgan morgan at orst.edu
Tue Jun 17 12:20:20 EDT 2008


On Mon, 16 Jun 2008, Wesley Craig wrote:

> On 16 Jun 2008, at 19:07, Andrew Morgan wrote:
>> Does the mupdate process in a Cyrus murder actually use TLS?
>
> Almost certainly.  mupdate_connect devolves to backend_connect, the same 
> routine that cyrus routinely uses throughout for proxy connections.  Also, 
> the mupdate server pays attention to the "allowplaintext" configuration, so 
> if you're not using TLS and aren't permitting plaintext, passwords don't 
> work.  Are you using GSSAPI?
>
>> The 'mupdatetest' binary doesn't seem to support it.  The --help doesn't
>> list TLS as an option, and if I use "-t ''", it just hangs during TLS
>> negotiation.
>
> I see that imtest / mupdatetest specifically doesn't mention -t wrt mupdate. 
> But imtest's TLS support is pretty broken, AFAIK.  In particular, there's no 
> way at all to set a CA location.  In any case, mupdatetest -t "" does in fact 
> work for me, tho it gives errors about self-signed certificates.  With no CA, 
> self-signed certs are kind of a given.
>
>> It seems like it should work because mupdated lists STARTTLS in the
>> capability string, but none of the hosts in my Cyrus murder try to use TLS
>> as far as I can tell.
>
> If you don't want them to, don't configure certificates for your mupdate 
> master.  Personally, I'm using GSSAPI everywhere, so I prefer not to have 
> certificates configured where they aren't going to provide me with much (if 
> any) benefit.  If you do configure them, they are used.

Thanks Wes.  It seems that I had the permissions wrong on my private key 
so mupdate was unable to use TLS.  Now I think I need to restart mupdate 
to get it working properly...

 	Andy
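A check that catches the mistake Andy describes (a key file the Cyrus process cannot use because of its permissions), as an added example that is not code from the thread or from Cyrus; the imapd.conf option names tls_server_key / tls_key_file and the service user name cyrus are assumptions, not stated in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from Cyrus): verify that the TLS
# private key an imapd.conf points at is usable by the Cyrus service user.
# Assumptions (not on the page): option names tls_server_key / tls_key_file
# and service user "cyrus". Adjust both for your installation.

# Print the key path from config $1; tls_server_key wins over tls_key_file,
# and the last occurrence of an option wins, as in a real config file.
cyrus_key_path() {
    key=$(sed -n 's/^[[:space:]]*tls_server_key:[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$key" ] || key=$(sed -n 's/^[[:space:]]*tls_key_file:[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "$key"
}

# Return 0 only if the key in config $1 exists, is owned by user $2 (default
# cyrus), is readable by that owner, and grants nothing to group or other.
check_cyrus_key_perms() {
    conf=$1; want=${2:-cyrus}
    key=$(cyrus_key_path "$conf")
    [ -n "$key" ] || { echo "no tls_server_key/tls_key_file in $conf"; return 1; }
    [ -f "$key" ] || { echo "key file $key does not exist"; return 1; }
    owner=$(stat -c %U "$key" 2>/dev/null || stat -f %Su "$key")   # GNU, then BSD stat
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$owner" = "$want" ] || { echo "$key owned by $owner, not $want"; return 1; }
    case $mode in
        [4567]00) ;;   # owner can read; group and other have no bits at all
        *) echo "$key mode $mode is wrong (want 400 or 600)"; return 1 ;;
    esac
    echo "$key ok (owner $owner, mode $mode)"
}

# Constructed sample: a throwaway config and placeholder key in a temp dir,
# chmod'ed to $1 and checked against the current user instead of cyrus.
demo_check() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$tmp/key.pem"
    printf 'tls_server_cert: %s/cert.pem\ntls_server_key: %s/key.pem\n' "$tmp" "$tmp" > "$tmp/imapd.conf"
    chmod "$1" "$tmp/key.pem"
    check_cyrus_key_perms "$tmp/imapd.conf" "$(id -un)"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_check 600          # reports ok
demo_check 644 || true  # reports the group/other access that must be removed
```

Run it as the service user on the real imapd.conf, or pass the path and user name, after fixing the key's owner and mode; a key readable by other users is a confidentiality problem, not just a TLS failure.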
