On Sun, Jun 21, 2020 at 10:08:44PM +0200, Vincent Lefevre wrote:
On 2020-06-21 10:59:05 -0700, Kevin J. McCarthy wrote:Aaron Schrab posted a patch in ticket 250, setting conn->ssf for $tunnel, but I am not clear on what is expected of $tunnel either. Does $tunnel imply Mutt can assume the connection is secure?A choice needs to be done and documented, possibly controlled by an option. And the behavior needs to be made consistent.
I'm inclined to take the stance that the $tunnel is secure. For stable branch, I'll include the PREAUTH patch in <20200621151915.gg23...@afu.lan>:
if (!idata->conn->ssf && !Tunnel && option(OPTSSLFORCETLS)) but make no other changes.For master branch, I'll add a new option, something like $tunnel_is_secure, defaulting "yes". That will turn off STARTTLS for tunneled imap, pop3, and smtp connections (a possibly breaking change). It will also disable the "IMAP PREAUTH" check.
If changed to "no", then STARTTLS will occur for tunneled imap, pop3, and smtp connections (subject to $ssl_starttls and $ssl_force_tls, as it does right now) . For "IMAP PREAUTH", it will error out if $ssl_force_tls is set.
How does that sound? -- Kevin J. McCarthy GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
signature.asc
Description: PGP signature
