How to make sync_client invoke STARTTLS for replication

Wesley Craig wes at umich.edu
Wed May 26 11:52:01 EDT 2010


On 26 May 2010, at 10:58, Rudy Gevaert wrote:
> On 02/11/2010 11:53 PM, Rich Wales wrote:
>> I'm running Cyrus 2.3.16 (with replication) between two Ubuntu servers.
>>
>> What do I have to do to make the "sync_client" application invoke STARTTLS
>> when it connects to "sync_server" on the other host?
>>
>> I can invoke TLS when I use the "synctest" program, but I can't seem to
>> figure out how to force "sync_client" to use TLS when actually replicating.
>>
>> The reason I'm assuming TLS is not happening is that when /var/log/syslog
>> records the "User logged in" events associated with replication, TLS is
>> not mentioned as part of the authentication mechanism in use.
>>
>> Right now, the lack of TLS is not a major issue because one of the servers
>> is connected to my LAN via a VPN link (so it's encrypted).  But I still
>> want to know what I'm supposed to do in order for a TLS layer to happen.
>
> Has anybody been able to fix this?

Define "fix".  If you have allowplaintext set, there's no reason to use TLS.  If you don't have allowplaintext, there are bugs in 2.3.16 that prevent it from working.  See:

	https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174

There are other configurations that don't work, either.  For example, if you configure sync_client to use a list of mechs, those mechs aren't compared to the mechs offered by sync_server.  See:

	https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3093

If you have feedback on either of these, I'm listening and committing improvements.  Maybe you're trying to get TLS while using some other form of strong crypto?

:wes
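The original poster's only evidence that TLS was not in use was the absence of TLS in the "User logged in" syslog entries. The following is an added example, not code from the thread or from the Cyrus project, that turns that observation into a check: it parses login lines in the shape Cyrus services log them (assumed here to be `login: <peer> [<ip>] <user> <mech>[+TLS] User logged in`, with `+TLS` appended when STARTTLS was negotiated) and reports replication logins that ran without TLS. The log lines, hostnames, users and PIDs are constructed for the example; the list of mechanisms treated as carrying their own security layer (`GSSAPI`) is an assumption that reflects Wes's point that TLS is not the only form of strong crypto.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (hosts, users and PIDs invented). The line
# shape follows Cyrus's "login: <peer> [<ip>] <user> <mech>[+TLS] User logged in"
# notice; the "badlogin:" line is included to show that failures are ignored.
SAMPLE_SYSLOG = """\
May 26 11:40:01 mail1 sync_server[4123]: login: mail2.example.net [192.0.2.20] replicator PLAIN+TLS User logged in
May 26 11:40:33 mail1 sync_server[4124]: login: mail2.example.net [192.0.2.20] replicator PLAIN User logged in
May 26 11:41:10 mail1 imap[4201]: login: client.example.net [198.51.100.7] alice DIGEST-MD5 User logged in
May 26 11:41:12 mail1 imap[4201]: badlogin: client.example.net [198.51.100.7] plaintext alice SASL(-13): authentication failure
May 26 11:42:00 mail1 sync_server[4125]: login: mail2.example.net [192.0.2.20] replicator GSSAPI User logged in
"""

# Assumption: these SASL mechanisms negotiate their own integrity/privacy layer,
# so a login using them without "+TLS" is not necessarily unprotected.
SELF_PROTECTING_MECHS = {"GSSAPI"}

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[a-z_]+)\[(?P<pid>\d+)\]: login: "
    r"(?P<peer>\S+) \[(?P<ip>[^\]]+)\] (?P<user>\S+) (?P<mech>\S+) User logged in"
)


def parse_logins(text):
    """Return one dict per successful login line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        # Cyrus appends "+TLS" to the mechanism name when STARTTLS was in effect.
        base_mech, _, suffix = m.group("mech").partition("+")
        events.append({
            "ts": m.group("ts"),
            "service": m.group("service"),
            "peer": m.group("peer"),
            "ip": m.group("ip"),
            "user": m.group("user"),
            "mech": base_mech,
            "tls": suffix == "TLS",
        })
    return events


def replication_without_tls(events, service="sync_server"):
    """Replication logins (by service name) that did not run under STARTTLS."""
    return [e for e in events if e["service"] == service and not e["tls"]]


def unprotected_logins(events):
    """Logins with neither TLS nor a mechanism that protects the session itself.

    A PLAIN login over a bare connection exposes the password; a GSSAPI login
    without TLS is reported by replication_without_tls() but not here.
    """
    return [e for e in events
            if not e["tls"] and e["mech"] not in SELF_PROTECTING_MECHS]


def summarize(events):
    """Count logins by (service, mechanism, tls) for a quick overview."""
    return Counter((e["service"], e["mech"], e["tls"]) for e in events)


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_SYSLOG)
    for (service, mech, tls), n in sorted(summarize(logins).items()):
        print(f"{service:12} {mech:10} tls={tls!s:5} count={n}")
    for e in replication_without_tls(logins):
        flag = "UNPROTECTED" if e in unprotected_logins(logins) else "mech-protected"
        print(f"{e['ts']} {e['service']} {e['user']}@{e['peer']} {e['mech']} no TLS ({flag})")
```

Run it against `/var/log/syslog` (read the file into `parse_logins`) on the replica side, where `sync_server` logs the replicator's logins; an empty result from `unprotected_logins` is what you want to see once `allowplaintext` is off and the 2.3.16 bugs referenced above are out of the way.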

