On 2006-11-15 at 09:37 +0100, Wolfgang Hennerbichler wrote:
> it is absolutely great. You should urge cyrus developers to include
> it in their source code, once it's mature enough and well tested.

I have no objection to that. Slap a BSD-ish license on the code.

However, there might be some issues with including it. E.g., the Authen::SASL driver is explicitly set to be the Perl one, not the Cyrus one. Authen::SASL documents that the connection class will implement a mechanism() method, which the Cyrus driver does not. This makes it rather awkward to actually start negotiation as a client.

> Well, here is one.
> For self-signed certificates I get the error
> STARTTLS promotion failed: SSL connect attempt failed with unknown
> errorerror:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> it would be great to add a --noverify option for TLS, for self-signed
> certificates.

The problem with not doing verification is that you don't know if the server you're talking to is actually a man-in-the-middle, which defeats the purpose of bothering with encryption for anything seriously confidential.

If you have a bunch of services then you might consider setting up your own little private Certificate Authority. I recently wrote the article at <URL:http://lopsa.org/SSLIntro> which explains SSL certificates and authorities for sysadmin-level techs who are already familiar with PGP and SSH. It walks you through setting up a personal CA, explaining _why_ you're doing the various steps.

Right at the start of the script is the only bit I thought should need tuning on a per-site basis, above the "No user-serviceable parts below" warning; that's %ssl_options. If you want to turn off verification, change the option in there. I really don't want to encourage this by making it too easy, but if you've read this far ... setting the value to 0x00 will turn off verification.

Regards,
-Phil
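
The private-CA alternative to turning verification off, as an added example that is not part of the original message, the script it discusses, or the linked article: a server certificate issued by your own CA verifies against that CA's certificate, while a stand-alone self-signed certificate is rejected. The CA name, the host name imap.example.test and all file names are constructed; it assumes the openssl command-line tool, version 1.1.0 or later.

```shell
#!/bin/sh
# Added example. CA name, host name and file names are constructed.

# make_pki DIR: build a private CA, a server cert it issued, and a
# stand-alone self-signed server cert for comparison.
make_pki() {
    d=$1
    # Trust anchor: CA key plus self-signed CA certificate. Only ca.pem
    # is distributed to clients; ca.key stays offline.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=imap.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # The CA signs the request; the SAN carries the name clients check.
    printf 'subjectAltName=DNS:imap.example.test\n' > "$d/san.cnf"
    openssl x509 -req -in "$d/server.csr" -days 30 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/san.cnf" -out "$d/server.pem" 2>/dev/null || return 1
    # What the failing server in the thread presents: signed by itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=imap.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
}

# verify_with CAFILE CERT HOST: succeed only if CERT chains to CAFILE
# and is valid for HOST.
verify_with() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
if make_pki "$work"; then
    verify_with "$work/ca.pem" "$work/server.pem" imap.example.test \
        && echo "CA-issued cert: verified"
    verify_with "$work/ca.pem" "$work/self.pem" imap.example.test \
        || echo "self-signed cert: rejected, as in the reported error"
fi
```

With ca.pem installed as the client's trusted CA file, verification stays on and the client still detects a server presenting a certificate the CA did not issue.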