Gnus development mailing list
* nnimap doesn't work with: stream gssapi, auth gssapi and SSL/TLS
@ 2005-11-16  8:54 Boris Samorodov
  2005-11-16  8:58 ` [SOLVED+patch] " Boris Samorodov
  0 siblings, 1 reply; 3+ messages in thread
From: Boris Samorodov @ 2005-11-16  8:54 UTC (permalink / raw)


Hi!

I've posted a bug report to news server, but it seems to be overloaded
by spam. Here is the original message.

Hello Bugfixing Girls and Boys,


I have:
$ uname -srm
FreeBSD 6.0-RELEASE i386

Gnus v5.11
GNU Emacs 22.0.50.3 (i386-unknown-freebsd6.0, X toolkit, Xaw3d scroll bars)
 of 2005-11-15 on srv.sem.ipt.ru -- from cvs a couple of hours ago.
Cyrus IMAP4 v2.2.10 and its imtest. OpenSSL 0.9.7e-p1 25 Oct 2004.


Here is full .emacs[1] I'm playing with:
-----
(setq imap-log t)
(custom-set-variables
 '(gnus-select-method (quote
    (nnimap "host.ipt.ru"
      (nnimap-stream gssapi)
      (nnimap-authenticator gssapi)
      (nnimap-server-port 993))))
 '(imap-gssapi-program (quote ("imtest -s -m gssapi -u %l -p %p %s"))))
-----

When changing nnimap-server-port to 143 and deleting an "-s" option
from imtest command, all goes well. But I'm expecting that GNUS should
work with SSL/TLS, because imtest from console shows almost identical
answers:

=====
$ imtest -m gssapi -u bsam -p 143 -c host.ipt.ru
S: * OK host.ipt.ru Cyrus IMAP4 v2.2.10 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=NTLM AUTH=GSSAPI AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI YIICHgYJKoZIhvcSAQICAQBuggINMIICCaADAgEFoQMCAQ6iBwMFACAAAACjggEtYYIBKTCCASWgAwIBBaEIGwZJUFQuUlWiIjAgoAMCAQGhGTAXGwRpbWFwGw9zZXJ2aWNlcy5pcHQucnWjge8wgeygAwIBEKEDAgEBooHfBIHcXMnkn3rSFCKd7w+IaOHP/g0gSsuGZda15MYl7PImF9gHPTKNGtcNkmKedg5cFI97Jp9WEYjfGuiFCiPUqSYugV1gceWZPnzVtp8RNBLe3WRYzAhsygVBFwkfSKrouT1+2apkYVII3kFcq9Bgac88Hzqfe2owAEZKC9JMTUCds8Lm157LdzlGCpMdZYCA7lYtyoqUbvsYwtQ3t1z1sI2Q2cfGz74goIa+dsqIWWREDRCkJoQLuFjGjWxZn/DKPMl37vpOZ3SSFJ+x8Zj6R6UDjdzUf/ed7VOpKVRCqKSBwjCBv6ADAgEQooG3BIG08qWl1rrmHkof/1I3i55J8A01Pvm3eXnX0ojsT19Xwui8YWFoiKa269AbP2HMAlcaxc0/CIQacKm0np/pAmAtB07qDHAvyB6uE4ZRSbSsGlz4lV8H99BhML+GEeTR3ikjUvL04Isfqh785KEQZsEviHdxTUYvK63uuOulQUfWdk6UEQUbOasQkdQjV++rKSvNfqQhjDG3PdsjF9yjWI9ACyg4k4mPNtZGh08dyoGqSnk+1VuM
S: + YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREsoVe9vaEBf7lX91zzmiUg/+kj5S2heWmQ3DoLDJ2zRa/073wM8ES14SmHf9scOXjn4fuV9phuro83GbnbrlKwnFmEdI=
C: 
S: + YD8GCSqGSIb3EgECAgIBBAD/////9l8ZzJPvBLxN2sJ9qvQeADmgC4HdoytQXuowxsvMxdJYGtoGBwAQAAQEBAQ=
C: YEcGCSqGSIb3EgECAgIBBAD/////6yCVW4FihR9OYWKwO5+9PRKJJnPrlGtrtLml71tIEbt+tJhiBAAEAGJzYW0ICAgICAgICA==
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 56

$ imtest -s -m gssapi -u bsam -p 993 -c host.ipt.ru
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK host.ipt.ru Cyrus IMAP4 v2.2.10 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=NTLM AUTH=LOGIN AUTH=PLAIN AUTH=GSSAPI AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI 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
S: + YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREGTbaGs8aP4WtNZww9igzxdVzesf7mlIo0b3fsFnvIuGEU5H4VLy/nwqQilcpi0wVxLw9iLB3my6aYekEKqa6uN1DCjU=
C: 
S: + YD8GCSqGSIb3EgECAgIBBAD/////jZ8I74L8pN0laRB3w6Ds7wshBVtejlAVT0Tuip/76elMzu+dAQAQAAQEBAQ=
C: YEcGCSqGSIb3EgECAgIBBAD/////OAiVSg7TbDaBUk+m4xXjLYJkphz4RRBydojKXr9wTl+KJqLXAQAEAGJzYW0ICAgICAgICA==
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
=====

As I can see, the main difference is that the latter answer is
beginning with some error message (the certificate is
self-signed). But authentication in fact was successful.

When using config[1] and loading gnus, emacs shows clocks as a cursor
forever (actually, I didn't wait more than five minutes). Top shows
emacs at select state, netstat shows that a connection with the server
is established.

Stream ssl, auth login and port 993 are working as a charm.


Thank you for cooperation. And for the great soft as well!
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co,     http://www.ipt.ru
Telephone & Internet Service Provider
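
The port 993 transcript above differs from the port 143 one by two lines printed before the server greeting. The following Emacs Lisp is an added example, not part of the original message and not code from imap.el: it separates those lines from the IMAP dialogue while keeping the certificate error available to report. The function name `example-imtest-split-preamble` is hypothetical and the sample input is copied from the transcript above.

```elisp
;; Added example; not from imap.el.  Function name is hypothetical.
(defun example-imtest-split-preamble (output)
  "Split imtest OUTPUT into TLS diagnostics and the IMAP greeting.
Return a plist with :verify-errors (list of (NUM . TEXT)),
:tls (the TLS banner line or nil) and :greeting (the first
\"S: * OK\" line or nil)."
  (with-temp-buffer
    (insert output)
    (goto-char (point-min))
    (let (verify-errors tls greeting)
      ;; One loop accepts both kinds of preamble line in any order.
      ;; `push' and `setq' return non-nil, so the loop continues
      ;; only while the current line is a recognised preamble line.
      (while (and (not (eobp))
                  (cond
                   ((looking-at "^verify error:num=\\([0-9]+\\):\\(.*\\)$")
                    (push (cons (string-to-number (match-string 1))
                                (match-string 2))
                          verify-errors))
                   ((looking-at "^TLS connection established.*$")
                    (setq tls (match-string 0)))))
        (forward-line))
      ;; Point is now on the first line that is not preamble.
      (when (looking-at "^S: \\* OK.*$")
        (setq greeting (match-string 0)))
      (list :verify-errors (nreverse verify-errors)
            :tls tls
            :greeting greeting))))

;; Sample input copied from the port 993 session in this message.
(let ((result (example-imtest-split-preamble
               (concat
                "verify error:num=19:self signed certificate in certificate chain\n"
                "TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)\n"
                "S: * OK host.ipt.ru Cyrus IMAP4 v2.2.10 server ready\n"))))
  ;; Report each verification failure instead of dropping it.
  (dolist (err (plist-get result :verify-errors))
    (message "imtest: certificate verify error %d: %s" (car err) (cdr err)))
  result)
```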




* [SOLVED+patch] nnimap doesn't work with: stream gssapi, auth gssapi and SSL/TLS
  2005-11-16  8:54 nnimap doesn't work with: stream gssapi, auth gssapi and SSL/TLS Boris Samorodov
@ 2005-11-16  8:58 ` Boris Samorodov
  2005-11-16 15:25   ` Simon Josefsson
  0 siblings, 1 reply; 3+ messages in thread
From: Boris Samorodov @ 2005-11-16  8:58 UTC (permalink / raw)



Hi!

I've posted a bug report to news server, but it seems to be overloaded
by spam. Here is the original message.

On Wed, 16 Nov 2005 01:25:53 +0300 Boris Samorodov wrote:

> Hello Bugfixing Girls and Boys,
[skip]
> As I can see, the main difference is that the latter answer is
> beginning with some error message (the certificate is
> self-signed). But authentication in fact was successful.

Yes. That was the case.

Looking at gnus/imap.el I noticed a code at kerberos4 function dealing
with such messages. Hence, the next patch made gnus happy.


[-- Attachment #2: Patch for imap.el --]
[-- Type: text/plain, Size: 592 bytes --]

--- imap.el.orig	Sun Oct 30 23:34:53 2005
+++ imap.el	Wed Nov 16 09:55:45 2005
@@ -591,6 +591,13 @@
 	    (while (and (memq (process-status process) '(open run))
 			(set-buffer buffer) ;; XXX "blue moon" nntp.el bug
 			(goto-char (point-min))
+			;; Athena IMTEST can output SSL verify errors
+			(or (while (looking-at "^verify error:num=")
+			      (forward-line))
+			    t)
+			(or (while (looking-at "^TLS connection established")
+			      (forward-line))
+			    t)
 			;; cyrus 1.6.x (13? < x <= 22) queries capabilities
 			(or (while (looking-at "^C:")
 			      (forward-line))
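
Review bot: the added `(looking-at "^verify error:num=")` loop steps over the certificate verification failure without recording it, so a user whose imtest prints `verify error:num=19` is never told that the TLS peer failed verification. Consider collecting the skipped lines and reporting them with `message` before moving on, so that ignoring the line for parsing does not also hide it from the user.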



Is anybody interested in committing the patch?


WBR
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co,     http://www.ipt.ru
Telephone & Internet Service Provider


* Re: [SOLVED+patch] nnimap doesn't work with: stream gssapi, auth gssapi and SSL/TLS
  2005-11-16  8:58 ` [SOLVED+patch] " Boris Samorodov
@ 2005-11-16 15:25   ` Simon Josefsson
  0 siblings, 0 replies; 3+ messages in thread
From: Simon Josefsson @ 2005-11-16 15:25 UTC (permalink / raw)
  Cc: ding

Boris Samorodov <bsam@ipt.ru> writes:

> Hi!
>
> I've posted a bug report to news server, but it seems to be overloaded
> by spam. Here is the original message.
>
> On Wed, 16 Nov 2005 01:25:53 +0300 Boris Samorodov wrote:
>
>> Hello Bugfixing Girls and Boys,
> [skip]
>> As I can see, the main difference is that the latter answer is
>> beginning with some error message (the certificate is
>> self-signed). But authentication in fact was successful.
>
> Yes. That was the case.
>
> Looking at gnus/imap.el I noticed a code at kerberos4 function dealing
> with such messages. Hence, the next patch made gnus happy.
>
> --- imap.el.orig	Sun Oct 30 23:34:53 2005
> +++ imap.el	Wed Nov 16 09:55:45 2005
> @@ -591,6 +591,13 @@
>  	    (while (and (memq (process-status process) '(open run))
>  			(set-buffer buffer) ;; XXX "blue moon" nntp.el bug
>  			(goto-char (point-min))
> +			;; Athena IMTEST can output SSL verify errors
> +			(or (while (looking-at "^verify error:num=")
> +			      (forward-line))
> +			    t)
> +			(or (while (looking-at "^TLS connection established")
> +			      (forward-line))
> +			    t)
>  			;; cyrus 1.6.x (13? < x <= 22) queries capabilities
>  			(or (while (looking-at "^C:")
>  			      (forward-line))
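
Review bot: the two added loops run in a fixed order, `^verify error:num=` first and `^TLS connection established` second, so a verify error printed after the TLS line would not be skipped and point would stay on a line the following `^C:` check does not match. A single loop over `"^verify error:num=\\|^TLS connection established"` would accept the lines in any order and needs only one `(or (while ...) t)` wrapper.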
>
> Is anybody interested in committing the patch?

Hi!  Installed in No Gnus and Gnus 5.10.

Thanks!


