From: Jochen Hein
Newsgroups: gmane.emacs.gnus.general
Subject: Re: [PATCH] GSSAPI authentication for nnimap
Date: Sat, 13 Feb 2016 11:30:25 +0100
Message-ID: <838u2onbr2.fsf@echidna.jochen.org>
In-Reply-To: <87oablkss4.fsf@gnus.org> (Lars Ingebrigtsen's message of "Sat, 13 Feb 2016 17:50:51 +1100")
To: Lars Ingebrigtsen
Cc: Andreas Schwab, ding@gnus.org, Florian Weimer
User-Agent: Gnus/5.130015 (Ma Gnus v0.15) Emacs/24.4 (gnu/linux)

Lars Ingebrigtsen writes:

> Jochen Hein writes:
>
>> The following patches add GSSAPI support to nnimap. I'll comment what I
>> did and why above each patch. I'm currently cloning the emacs
>> repository and I hope to forward port the patches and add/adapt the
>> documentation accordingly.
>
> Great!
Except that nnimap didn't work for me at all - I'll have a look, but
might want to wait until the cleanup frenzy is over :-) I've also seen
some fixes already...

While you're at it - it might be a good idea to move starttls.el and
gssapi.el from lisp/gnus to lisp/net. Both are used by
network-stream.el. tls.el is already there. There's also net/imap.el -
which also claims to handle GSSAPI. I have no idea if that's in use
anywhere.

>> I currently know of one difference between gsasl and imtest: connections
>> with gsasl use TLS, imtest doesn't. If we want that, we can add '-t ""'
>> to the imtest call according to the imtest manpage:
>>
>> -t keyfile
>> Enable TLS. keyfile contains the TLS public and
>> private keys. Specify "" to negotiate a TLS
>> encryption layer but not use TLS authentication.
>>
>> Another option could be to handle STARTTLS in
>> network-stream-open-gssapi. For my use case I'll use gsasl, so I've not
>> added code for that.
>
> Hm... it would have been nice if this all went through our normal TLS
> functions, so that the user could be given the opportunity to use the
> network security manager in Emacs, which handles certificate errors and
> the like. So I think it would be very nice if
> network-stream-open-gssapi handled TLS itself.

That might not work with the current approach:

$ imtest -m gssapi -p imap imap
...
. STARTTLS
. BAD Can't Starttls after authentication

On the other hand I expect that someone doing Single-Sign-On with his
mail server will also have the right SSL certificates in place. For
example, both my server and client have been added to a FreeIPA domain.

So I currently contemplate adding '-t ""' to the imtest command in
gssapi.el, because it matches my use case and we'd use STARTTLS in both
commands. I think we've reached a time where TLS should be enabled by
default.

In lisp/net I've found sasl*.el - that doesn't do GSSAPI at all, but it
could possibly be implemented there. But I expect that this is beyond my
minimal elisp skill, so that's something to explore much later.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
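An added illustration, not part of this thread or of the Gnus/imtest code, of the ordering rule behind the "BAD Can't Starttls after authentication" reply quoted above: a small model of the IMAP connection states from RFC 3501, in which STARTTLS is only accepted while the connection is still not authenticated, so a TLS layer has to be negotiated before the GSSAPI exchange rather than after it. The capability line and the command scripts are constructed for the example.

```python
# Constructed model of RFC 3501 connection states; the capability line and
# command sequences below are made up, the state rule is the RFC's.
CONSTRUCTED_CAPABILITY = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=GSSAPI LOGINDISABLED"


def parse_capabilities(line):
    """Return the set of (upper-cased) tokens from an untagged CAPABILITY reply."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {t.upper() for t in tokens[2:]}


class ImapSession:
    """Tracks connection state and TLS status for a scripted command sequence."""

    def __init__(self, capabilities):
        self.caps = capabilities
        self.state = "not-authenticated"   # RFC 3501 initial state
        self.tls = False

    def run(self, command):
        """Apply one client command; return the server's tagged reply text."""
        parts = command.split()
        verb = parts[0].upper() if parts else ""
        if verb == "STARTTLS":
            # STARTTLS is only valid in the Not Authenticated state.
            if self.state != "not-authenticated":
                return "BAD Can't Starttls after authentication"
            if self.tls or "STARTTLS" not in self.caps:
                return "BAD STARTTLS not available"
            self.tls = True
            return "OK Begin TLS negotiation now"
        if verb == "AUTHENTICATE":
            mech = parts[1].upper() if len(parts) > 1 else ""
            if self.state != "not-authenticated":
                return "BAD Already authenticated"
            if "AUTH=" + mech not in self.caps:
                return "NO Unsupported authentication mechanism"
            self.state = "authenticated"   # SASL exchange itself is elided here
            return "OK Authenticated"
        return "BAD Unknown command"


def run_script(commands, capability_line=CONSTRUCTED_CAPABILITY):
    """Run a command sequence; return (replies, final state, tls active)."""
    session = ImapSession(parse_capabilities(capability_line))
    replies = [session.run(c) for c in commands]
    return replies, session.state, session.tls
```

Running `run_script(["STARTTLS", "AUTHENTICATE GSSAPI"])` succeeds on both steps, while the reversed order reproduces the rejection seen in the imtest transcript.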