From: Jochen Hein <jochen@jochen.org>
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: Andreas Schwab <schwab@linux-m68k.org>,
ding@gnus.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: [PATCH] GSSAPI authentication for nnimap
Date: Sat, 13 Feb 2016 11:30:25 +0100
Message-ID: <838u2onbr2.fsf@echidna.jochen.org>
In-Reply-To: <87oablkss4.fsf@gnus.org> (Lars Ingebrigtsen's message of "Sat, 13 Feb 2016 17:50:51 +1100")

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Jochen Hein <jochen@jochen.org> writes:
>
>> The following patches add GSSAPI support to nnimap. I'll comment what I
>> did and why above each patch. I'm currently cloning the emacs
>> repository and I hope to forward port the patches and add/adapt the
>> documentation accordingly.
>
> Great!

Except that nnimap didn't work for me at all - I'll have a look, but
might want to wait after the cleanup frenzy is over :-) I've also seen
some fixes already...

While you're at it - it might be a good idea to move starttls.el and
gssapi.el from lisp/gnus to lisp/net. Both are used by
network-stream.el. tls.el is already there.

There's also net/imap.el - which also claims to handle GSSAPI. I have
no idea if that's in use anywhere.

>> I currently know of one difference between gsasl and imtest: connections
>> with gsasl use TLS, imtest doesn't. If we want that, we can add '-t ""'
>> to the imtest call according to the imtest manpage:
>>
>>     -t keyfile
>>         Enable TLS. keyfile contains the TLS public and
>>         private keys. Specify "" to negotiate a TLS
>>         encryption layer but not use TLS authentication.
>>
>> Another option could be to handle STARTTLS in
>> network-stream-open-gssapi. For my use case I'll use gsasl, so I've not
>> added code for that.
>
> Hm... it would have been nice if this all went through our normal TLS
> functions, so that the user could be given the opportunity to use the
> network security manager in Emacs, which handles certificate errors and
> the like. So I think it would be very nice if
> network-stream-open-gssapi handled TLS itself.

That might not work with the current approach:

  $ imtest -m gssapi -p imap imap
  ...
  . STARTTLS
  . BAD Can't Starttls after authentication

On the other hand I expect that someone doing Single-Sign-On with his
mail server will also have the right SSL-certificates in place. For
example, both my server and client have been added to a FreeIPA domain.
So I'm currently contemplating adding '-t ""' to the imtest command in
gssapi.el, because it matches my use case and we'd use STARTTLS in both
commands. I think we've reached a time where TLS should be enabled by
default.

In lisp/net I've found sasl*.el - that doesn't do GSSAPI at all, but it
could possibly be implemented there. But I expect that this is beyond
my minimal elisp skill, so that's something to explore much later.

Jochen

--
The only problem with troubleshooting is that the trouble shoots back.
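
Added example (not part of the original message and not Gnus or Cyrus code): a Python check of the ordering problem shown above, where STARTTLS is refused once authentication has succeeded. The transcripts, the "C:"/"S:" line prefixes and the helper name audit() are assumptions made for this illustration, and the sessions are assumed to be logged in cleartext form by the client tool.

```python
import re

# Constructed transcripts ("C:" client, "S:" server); not captured traffic.
# The base64 line is a placeholder, not a real GSSAPI token.
TLS_FIRST = """\
S: * OK server ready
C: . STARTTLS
S: . OK Begin TLS negotiation now
C: . AUTHENTICATE GSSAPI
S: +
C: Y29uc3RydWN0ZWQtdG9rZW4=
S: . OK Success
"""
AUTH_FIRST = """\
S: * OK server ready
C: . AUTHENTICATE GSSAPI
S: +
C: Y29uc3RydWN0ZWQtdG9rZW4=
S: . OK Success
C: . STARTTLS
S: . BAD Can't Starttls after authentication
"""

CLIENT = re.compile(r"^C: (\S+) ([A-Za-z]+)")
SERVER = re.compile(r"^S: (\S+) (OK|NO|BAD)\b", re.I)

def audit(transcript):
    """Return (tls_active_when_authenticated, findings) for one connection."""
    pending = {}                  # tag -> command awaiting its tagged reply
    tls = authed = False
    tls_at_auth = None            # stays None if no authentication succeeded
    findings = []
    for line in transcript.splitlines():
        m = CLIENT.match(line)
        if m:
            pending[m.group(1)] = m.group(2).upper()
            continue
        m = SERVER.match(line)
        if not m or m.group(1) not in pending:
            continue              # greeting, untagged data or continuation
        cmd = pending.pop(m.group(1))
        ok = m.group(2).upper() == "OK"
        if cmd == "STARTTLS" and ok:
            tls = True
        elif cmd == "STARTTLS" and authed:
            findings.append("STARTTLS refused after authentication")
        elif cmd in ("AUTHENTICATE", "LOGIN") and ok:
            authed, tls_at_auth = True, tls
            if not tls:
                findings.append("authenticated without TLS")
    return tls_at_auth, findings
```

Running audit() over a logged session shows whether the TLS layer was already in place when the GSSAPI exchange completed, which is the difference between the gsasl and imtest invocations discussed in the message.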