How to make sync_client invoke STARTTLS for replication
Wesley Craig
wes at umich.edu
Wed May 26 11:52:01 EDT 2010
On 26 May 2010, at 10:58, Rudy Gevaert wrote:
> On 02/11/2010 11:53 PM, Rich Wales wrote:
>> I'm running Cyrus 2.3.16 (with replication) between two Ubuntu
>> servers.
>>
>> What do I have to do to make the "sync_client" application invoke
>> STARTTLS
>> when it connects to "sync_server" on the other host?
>>
>> I can invoke TLS when I use the "synctest" program, but I can't
>> seem to
>> figure out how to force "sync_client" to use TLS when actually
>> replicating.
>>
>> The reason I'm assuming TLS is not happening is that when /var/log/
>> syslog
>> records the "User logged in" events associated with replication,
>> TLS is
>> not mentioned as part of the authentication mechanism in use.
>>
>> Right now, the lack of TLS is not a major issue because one of the
>> servers
>> is connected to my LAN via a VPN link (so it's encrypted). But I
>> still
>> want to know what I'm supposed to do in order for a TLS layer to
>> happen.
>
> Has anybody been able to fix this?
Define "fix". If you have allowplaintext set, there's no reason to
use TLS. If you don't have allowplaintext, there are bugs in 2.3.16
that prevent it from working. See:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174
There are other configurations that don't work, either. For example,
if you configure sync_client to use a list of mechs, those mechs
aren't compared to the mechs offered by sync_server. See:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3093
If you have feedback on either of these, I'm listening and committing
improvements. Maybe you're trying to get TLS while using some other
form of strong crypto?
:wes
More information about the Info-cyrus
mailing list