Gnus development mailing list
* [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
@ 2011-01-10 18:21 Emilio Jesús Gallego Arias
  2011-01-11 18:51 ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 13+ messages in thread
From: Emilio Jesús Gallego Arias @ 2011-01-10 18:21 UTC (permalink / raw)
  To: ding

Hi all,

starting with:

,----
| commit 1809f181366e42a47ba94551b54fd0d56d7e8dee
| Author: Lars Magne Ingebrigtsen <larsi@quimbies.gnus.org>
| Date:   Sun Jan 2 23:28:40 2011 +0100
|
|     (nnimap-login): Prefer AUTH=CRAM-MD5, if it's available.
|
|     This avoids sending passwords in plain text over non-encrypted
|     channels.
`----

I cannot login to one of my IMAP servers anymore.

I have several IMAP servers enabled, but as much as I try to isolate
that faulty server the others connect. I've tried to edit newsrc.eld,
etc... but to no avail, one server always gets reconnected.

So I'm not able to meaningfully debug it, but here is some info from IMAP
debug buffers:

29 BAD unrecognized IMAP4 command or invalid state
30 BAD unrecognized IMAP4 command or invalid state
31 BAD unrecognized IMAP4 command or invalid state
32 BAD unrecognized IMAP4 command or invalid state
33 BAD unrecognized IMAP4 command or invalid state
34 BAD unrecognized IMAP4 command or invalid state
35 BAD unrecognized IMAP4 command or invalid state
36 BAD unrecognized IMAP4 command or invalid state
37 BAD unrecognized IMAP4 command or invalid state
38 BAD unrecognized IMAP4 command or invalid state
39 BAD unrecognized IMAP4 command or invalid state
40 BAD unrecognized IMAP4 command or invalid state
41 BAD unrecognized IMAP4 command or invalid state
42 BAD unrecognized IMAP4 command or invalid state
43 BAD unrecognized IMAP4 command or invalid state
44 BAD unrecognized IMAP4 command or invalid state
45 BAD unrecognized IMAP4 command or invalid state
46 BAD unrecognized IMAP4 command or invalid state
47 BAD unrecognized IMAP4 command or invalid state
48 BAD unrecognized IMAP4 command or invalid state
* BYE user input timeout

Process *nnimap*<2> connection broken by remote peer

19:08:12 (nnimap "server" (nnimap-address "server.com") (nnimap-stream network))

19:08:15 7 AUTHENTICATE CRAM-MD5
19:08:22 29 EXAMINE "Spam"

Regards,
Emilio

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-10 18:21 [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers Emilio Jesús Gallego Arias
@ 2011-01-11 18:51 ` Lars Magne Ingebrigtsen
  2011-01-11 21:52   ` Emilio Jesús Gallego Arias
  0 siblings, 1 reply; 13+ messages in thread
From: Lars Magne Ingebrigtsen @ 2011-01-11 18:51 UTC (permalink / raw)
  To: ding

egallego@babel.ls.fi.upm.es (Emilio Jesús Gallego Arias) writes:

> 19:08:12 (nnimap "server" (nnimap-address "server.com") (nnimap-stream network))
>
> 19:08:15 7 AUTHENTICATE CRAM-MD5
> 19:08:22 29 EXAMINE "Spam"

Are these lines from the *nnimap log* buffer?  The first line there
looks awfully odd.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-11 18:51 ` Lars Magne Ingebrigtsen
@ 2011-01-11 21:52   ` Emilio Jesús Gallego Arias
  2011-01-11 21:57     ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 13+ messages in thread
From: Emilio Jesús Gallego Arias @ 2011-01-11 21:52 UTC (permalink / raw)
  To: ding

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> egallego@babel.ls.fi.upm.es (Emilio Jesús Gallego Arias) writes:
>
>> 19:08:12 (nnimap "server" (nnimap-address "server.com") (nnimap-stream network))
>>
>> 19:08:15 7 AUTHENTICATE CRAM-MD5
>> 19:08:22 29 EXAMINE "Spam"
>
> Are these lines from the *nnimap log* buffer?  The first line there
> looks awfully odd.

The first line is part of the *gnus trace* buffer, I thought that would
be useful.

The *nnimap log* is difficult to make sense of, as I'm not able to disable
my other imap servers :(

Anyways I edebugged imap-login and got the exact message the server is responding with.

I guess the server is some sort of netscape one. The greeting sequence is:

* OK IMAP4 PROXY server ready
1 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 UIDPLUS IDLE LOGIN-REFERRALS NAMESPACE QUOTA CHILDREN SORT AUTH=CRAM-MD5
1 OK capabilities listed
2 LOGOUT
* BYE disconnecting
2 OK LOGOUT complete

Then gnus tries to perform CRAM-MD5 and it fails:

+ PDAwNjU...bS5jb3JyZW8+
2527 NO ERROR 119 invalid user or password err 30

Let me know what I can do; if I have time I'll have a look at the
CRAM-MD5 RFC.

Regards and thanks,
Emilio

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-11 21:52   ` Emilio Jesús Gallego Arias
@ 2011-01-11 21:57     ` Lars Magne Ingebrigtsen
  2011-01-11 22:55       ` Emilio Jesús Gallego Arias
  0 siblings, 1 reply; 13+ messages in thread
From: Lars Magne Ingebrigtsen @ 2011-01-11 21:57 UTC (permalink / raw)
  To: ding

egallego@babel.ls.fi.upm.es (Emilio Jesús Gallego Arias) writes:

> Let me know what I can do; if I have time I'll have a look at the
> CRAM-MD5 RFC.

If you could `M-x edebug-defun' on `nnimap-login' in nnimap.el and step
through it, that would help.  My guess would be that it, er, doesn't
encode something right...

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-11 21:57     ` Lars Magne Ingebrigtsen
@ 2011-01-11 22:55       ` Emilio Jesús Gallego Arias
  2011-01-22 19:29         ` Lars Ingebrigtsen
  0 siblings, 1 reply; 13+ messages in thread
From: Emilio Jesús Gallego Arias @ 2011-01-11 22:55 UTC (permalink / raw)
  To: ding

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> egallego@babel.ls.fi.upm.es (Emilio Jesús Gallego Arias) writes:
>
>> Let me know what I can do; if I have time I'll have a look at the
>> CRAM-MD5 RFC.
>
> If you could `M-x edebug-defun' on `nnimap-login' in nnimap.el and step
> through it, that would help.  My guess would be that it, er, doesn't
> encode something right...

Well, I've edebugged nnimap-login and double checked with wireshark and
thunderbird and indeed it seems that CRAM-MD5 auth is completely broken
in that weird server. However years ago it used to work.

For the record Gnus did produce the same result as Thunderbird, which
also couldn't login.

I've disabled (with a hack) CRAM-MD5 for that particular server, sorry
for the noise.

Regards,
Emilio

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-11 22:55       ` Emilio Jesús Gallego Arias
@ 2011-01-22 19:29         ` Lars Ingebrigtsen
  2011-01-24 17:44           ` Ted Zlatanov
  0 siblings, 1 reply; 13+ messages in thread
From: Lars Ingebrigtsen @ 2011-01-22 19:29 UTC (permalink / raw)
  To: ding

egallego@babel.ls.fi.upm.es (Emilio Jesús Gallego Arias) writes:

> Well, I've edebugged nnimap-login and double checked with wireshark and
> thunderbird and indeed it seems that CRAM-MD5 auth is completely broken
> in that weird server. However years ago it used to work.

If it is just your particular server that has this problem, then I guess
this isn't a Gnus problem.  However, if it's a common bug in some IMAP
servers, perhaps Gnus should default to using LOGIN, which is faster
than CRAM-MD5 (one less round trip to the server), and is probably
tested a lot more than CRAM-MD5.

The drawback is that if you're talking to your IMAP server over a plain
network connection (boo!) to a server that doesn't support STARTTLS
(boo!), but the server has both CRAM-MD5 and LOGIN enabled, then your
passwords will be transferred unencrypted (boo!).

nnimap could default to using CRAM-MD5 in that particular case, but then
we're kinda into a very special case, and if CRAM-MD5 is buggy, then
some people will be affected anyway...

What do all y'all think?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-22 19:29         ` Lars Ingebrigtsen
@ 2011-01-24 17:44           ` Ted Zlatanov
  2011-01-24 22:07             ` Lars Ingebrigtsen
  0 siblings, 1 reply; 13+ messages in thread
From: Ted Zlatanov @ 2011-01-24 17:44 UTC (permalink / raw)
  To: ding

On Sat, 22 Jan 2011 20:29:54 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> If it is just your particular server that has this problem, then I guess
LI> this isn't a Gnus problem.  However, if it's a common bug in some IMAP
LI> servers, perhaps Gnus should default to using LOGIN, which is faster
LI> than CRAM-MD5 (one less round trip to the server), and is probably
LI> tested a lot more than CRAM-MD5.

LI> The drawback is that if you're talking to your IMAP server over a plain
LI> network connection (boo!) to a server that doesn't support STARTTLS
LI> (boo!), but the server has both CRAM-MD5 and LOGIN enabled, then your
LI> passwords will be transferred unencrypted (boo!).

LI> nnimap could default to using CRAM-MD5 in that particular case, but then
LI> we're kinda into a very special case, and if CRAM-MD5 is buggy, then
LI> some people will be affected anyway...

I think CRAM-MD5 should be preferred if it's available.  The user should
be able to disable that preference like any other login method.

Ted

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-24 17:44           ` Ted Zlatanov
@ 2011-01-24 22:07             ` Lars Ingebrigtsen
  2011-01-24 22:10               ` Ted Zlatanov
  0 siblings, 1 reply; 13+ messages in thread
From: Lars Ingebrigtsen @ 2011-01-24 22:07 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> I think CRAM-MD5 should be preferred if it's available.  The user should
> be able to disable that preference like any other login method.

I had hoped it wouldn't be necessary to customise the login method.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-24 22:07             ` Lars Ingebrigtsen
@ 2011-01-24 22:10               ` Ted Zlatanov
  2011-01-24 22:30                 ` Lars Ingebrigtsen
  0 siblings, 1 reply; 13+ messages in thread
From: Ted Zlatanov @ 2011-01-24 22:10 UTC (permalink / raw)
  To: ding

On Mon, 24 Jan 2011 14:07:11 -0800 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> I think CRAM-MD5 should be preferred if it's available.  The user should
>> be able to disable that preference like any other login method.

LI> I had hoped it wouldn't be necessary to customise the login method.

It's not normally, but if the server is buggy you can't avoid it IMO.
So maybe make it a defvar and not a defcustom.

Ted

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-24 22:10               ` Ted Zlatanov
@ 2011-01-24 22:30                 ` Lars Ingebrigtsen
  2011-01-25 17:03                   ` Ted Zlatanov
  0 siblings, 1 reply; 13+ messages in thread
From: Lars Ingebrigtsen @ 2011-01-24 22:30 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> It's not normally, but if the server is buggy you can't avoid it IMO.
> So maybe make it a defvar and not a defcustom.

Well, it'd be a defvoo, since it would be a server slot.

nnimap could just try all the allowed login methods if any of them
fails.  But there are probably some IMAP servers that would balk at
that, too.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-24 22:30                 ` Lars Ingebrigtsen
@ 2011-01-25 17:03                   ` Ted Zlatanov
  2011-01-25 21:28                     ` Lars Ingebrigtsen
  0 siblings, 1 reply; 13+ messages in thread
From: Ted Zlatanov @ 2011-01-25 17:03 UTC (permalink / raw)
  To: ding

On Mon, 24 Jan 2011 14:30:53 -0800 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> It's not normally, but if the server is buggy you can't avoid it IMO.
>> So maybe make it a defvar and not a defcustom.

LI> Well, it'd be a defvoo, since it would be a server slot.

LI> nnimap could just try all the allowed login methods if any of them
LI> fails.  But there are probably some IMAP servers that would balk at
LI> that, too.

Yeah, I don't think you need to be too thorough with fixing the buggy
CRAM-MD5 case.  Just add a defvoo "ignore-auth-methods" and the user can
add 'cram-md5 to that as needed.

Ted

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-25 17:03                   ` Ted Zlatanov
@ 2011-01-25 21:28                     ` Lars Ingebrigtsen
  2011-01-25 22:00                       ` Lars Ingebrigtsen
  0 siblings, 1 reply; 13+ messages in thread
From: Lars Ingebrigtsen @ 2011-01-25 21:28 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> Yeah, I don't think you need to be too thorough with fixing the buggy
> CRAM-MD5 case.  Just add a defvoo "ignore-auth-methods" and the user can
> add 'cram-md5 to that as needed.

Well, so far there's been only a single report of cram-md5-ey
brokenness, so I think there's still a real chance of getting away with
adding no conf options in this area.

But I think I'm going to do what I proposed -- if the connection is
TLS/STARTTLS, then we're going to default to using LOGIN, so CRAM-MD5 is
used for non-encrypted connections only.  It'll be slightly faster.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [BUG] Prefer AUTH=CRAM-MD5 makes login fail in some IMAP servers.
  2011-01-25 21:28                     ` Lars Ingebrigtsen
@ 2011-01-25 22:00                       ` Lars Ingebrigtsen
  0 siblings, 0 replies; 13+ messages in thread
From: Lars Ingebrigtsen @ 2011-01-25 22:00 UTC (permalink / raw)
  To: ding

Lars Ingebrigtsen <larsi@gnus.org> writes:

> But I think I'm going to do what I proposed -- if the connection is
> TLS/STARTTLS, then we're going to default to using LOGIN, so CRAM-MD5 is
> used for non-encrypted connections only.  It'll be slightly faster.

I've now done this.  Let me know whether this leads to any problems for
anybody, but I think it's rather unlikely.  (Unless I added a bug
somewhere.  Emacs forfend.)

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen
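
An added sketch of the selection policy this thread settles on (LOGIN when the channel is encrypted, CRAM-MD5 on plain connections), written in Python for illustration; it is not nnimap's code. The `ignore` argument models the "ignore-auth-methods" idea proposed earlier and is hypothetical, and honouring LOGINDISABLED is an assumption taken from the IMAP specification rather than from the thread.

```python
def parse_capabilities(line: str) -> set:
    """Return the upper-cased atoms of an untagged '* CAPABILITY ...' response."""
    parts = line.split()
    if parts[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    return {atom.upper() for atom in parts[2:]}


def choose_auth(caps: set, encrypted: bool, ignore=()) -> tuple:
    """Pick (method, password_in_clear) for one server.

    ignore is a hypothetical per-server opt-out list of method names.
    """
    ignored = {m.upper() for m in ignore}
    login_ok = "LOGINDISABLED" not in caps and "LOGIN" not in ignored
    cram_ok = "AUTH=CRAM-MD5" in caps and "CRAM-MD5" not in ignored
    if encrypted and login_ok:
        return ("LOGIN", False)      # TLS/STARTTLS protects the password
    if cram_ok:
        return ("CRAM-MD5", False)   # only a keyed digest crosses the wire
    if login_ok:
        return ("LOGIN", True)       # last resort: password sent unencrypted
    raise RuntimeError("no usable authentication method")


# Capability line as reported earlier in this thread.
PAGE_CAPS = parse_capabilities(
    "* CAPABILITY IMAP4 IMAP4rev1 UIDPLUS IDLE LOGIN-REFERRALS NAMESPACE "
    "QUOTA CHILDREN SORT AUTH=CRAM-MD5"
)

if __name__ == "__main__":
    for encrypted, ignore in [(True, ()), (False, ()), (False, ("cram-md5",))]:
        print(encrypted, ignore, choose_auth(PAGE_CAPS, encrypted, ignore))
```

The third case is the reporter's workaround: with CRAM-MD5 disabled on a plain connection, the only remaining method exposes the password, which the second tuple element makes visible to the caller.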