Re: $ssl_client_cert users?

2021-03-09 Thread Kevin J. McCarthy

On Sat, Mar 06, 2021 at 09:09:35AM -0800, Kevin J. McCarthy wrote:
> Is anyone here using $ssl_client_cert to authenticate to an
> IMAP/POP/SMTP server?
>
> TL;DR: if so, please help me test against branch
> `kevin/336-smtp-client-cert`.


I've merged the branch into master.  Again, if you notice any problems 
with client cert authentication as a result, please holler.


--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA




$ssl_client_cert users?

2021-03-06 Thread Kevin J. McCarthy
Is anyone here using $ssl_client_cert to authenticate to an IMAP/POP/SMTP 
server?


TL;DR: if so, please help me test against branch 
`kevin/336-smtp-client-cert`.


Gitlab #336 reported a 
problem using this for authentication to a Postfix SMTP server.


The problem seemed to be the OpenSSL / GnuTLS client cert code was 
calling mutt_account_getuser().  First this makes no sense (to me) 
because they are authenticated via cert.  But second, if the user is 
set, the SMTP code would then force authentication.  The server didn't 
advertise AUTH (again, because they are already authenticated), so Mutt 
would abort.


I've posted a still work-in-progress commit to branch 
`kevin/336-smtp-client-cert` which fixes the issue for the reporter.


However, I'm concerned this *might* impact other use cases.  It's not 
clear to me how/why SASL "external" would be involved in this.  But the 
comment in the SSL/GnuTLS code indicated it could be, and might expect 
the user field.


It would seem to me more obvious to just add the call to the beginning 
of imap_auth_sasl() if that's the case though.  :-/


Anyway, if you are using this, I'd appreciate help testing.  Thank you!

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
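
A simplified model of the failure described in the message above, added here as an illustration; it is not Mutt's code. The function names, the `user_is_set` flag and the EHLO replies are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum smtp_action { SMTP_PROCEED, SMTP_DO_AUTH, SMTP_ABORT };

/* Constructed EHLO replies (sample data, not from a real server). */
static const char EHLO_CERT_ONLY[] =
  "250-mail.example.org\r\n250-PIPELINING\r\n250 8BITMIME\r\n";
static const char EHLO_WITH_AUTH[] =
  "250-mail.example.org\r\n250-AUTH PLAIN EXTERNAL\r\n250 8BITMIME\r\n";

/* Case-insensitive match of an upper-case EHLO keyword plus delimiter. */
static int has_keyword(const char *s, const char *kw)
{
  size_t i;
  for (i = 0; kw[i]; i++)
    if (toupper((unsigned char) s[i]) != kw[i]) return 0;
  return s[i] == ' ' || s[i] == '=' || s[i] == '\r' || s[i] == '\n' || !s[i];
}

/* Return 1 if any "250-..." / "250 ..." line advertises AUTH. */
static int ehlo_has_auth(const char *reply)
{
  const char *line = reply;
  while (line && *line) {
    if (!strncmp(line, "250", 3) && (line[3] == '-' || line[3] == ' ') &&
        has_keyword(line + 4, "AUTH"))
      return 1;
    line = strchr(line, '\n');
    if (line) line++;
  }
  return 0;
}

/* Hypothetical model: a set user forces AUTH; no AUTH offered means abort. */
static enum smtp_action smtp_decide(const char *ehlo_reply, int user_is_set)
{
  if (!user_is_set)
    return SMTP_PROCEED;
  return ehlo_has_auth(ehlo_reply) ? SMTP_DO_AUTH : SMTP_ABORT;
}

int main(void)
{
  printf("cert only, user set:   %d\n", smtp_decide(EHLO_CERT_ONLY, 1));
  printf("cert only, user unset: %d\n", smtp_decide(EHLO_CERT_ONLY, 0));
  return 0;
}
```

The third case, `EHLO_WITH_AUTH` with the user set, is where a SASL "external" exchange could come into play.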

