Re: [Nmh-workers] Help with SASL/TLS

From: Ken Hornstein
Subject: Re: [Nmh-workers] Help with SASL/TLS
Date: Tue, 13 May 2014 18:55:01 -0400

>No, the SASL mechanisms listed in the AUTH keyword in the EHLO response 
>are unordered.

You know, I could have sworn that the server mechanism list was ordered
from most preferred to least preferred ... but there's no standards document
that says that, is there?  I stand corrected.

>The choice of mechanism to use is entirely up to the client.  Cyrus-sasl 
>tends to prefer GSSAPI over just about everything else, so if you don't 
>want to use that you need to explicitly call out a different mechanism (as 
>Ken pointed out).

From the Cyrus-SASL source code, the client-side preference list ends up:

            /* compare security flags, only take new mechanism if it has
             * all the security flags of the previous one.
             * From the mechanisms we ship with, this yields the order:
             * SRP
             * GSSAPI + KERBEROS_V4
             * DIGEST + OTP
             * CRAM + EXTERNAL
             * PLAIN + LOGIN + ANONYMOUS

>The behaviour here has nothing to do with nmh.  It is solely an artifact 
>of the SASL library we link against.  We can't document the behaviour 
>because we have no control over it, and every library will act 

It does occur to me that other SASL-aware programs I've dealt with require
you to explicitly configure the SASL mechanism you want to use on the client
side; I'm not sure if that's a good idea here or not.
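As an added illustration of the points made in this thread (this is example code, not nmh's or Cyrus-SASL's): the server's AUTH keyword is parsed as an unordered set, the client picks from it with a "take the candidate only if it has every security flag the current best has" rule like the one in the quoted comment, and an explicitly configured mechanism overrides that choice. The flag values and the per-mechanism flag table are assumptions chosen to reproduce the tier order in the comment, not the real plugin properties, and the EHLO response is constructed for the example.

```python
"""Client-side SASL mechanism choice for SMTP AUTH (added example)."""
import re

# Security flags in the spirit of Cyrus-SASL's SASL_SEC_* properties.
# Values and names are chosen for this example.
SEC_NOPLAINTEXT     = 0x01  # secret is never sent in the clear
SEC_NOACTIVE        = 0x02  # resists active (man-in-the-middle) attack
SEC_NODICTIONARY    = 0x04  # resists offline dictionary attack
SEC_MUTUAL_AUTH     = 0x08  # client also authenticates the server
SEC_FORWARD_SECRECY = 0x10  # later compromise does not expose this session

# Assumed per-mechanism flags: a simplification chosen so that the
# superset rule reproduces the tier order in the quoted comment.  This
# is not the flag table the real plugins advertise.
MECH_FLAGS = {
    "SRP":         SEC_NOPLAINTEXT | SEC_NOACTIVE | SEC_NODICTIONARY
                   | SEC_MUTUAL_AUTH | SEC_FORWARD_SECRECY,
    "GSSAPI":      SEC_NOPLAINTEXT | SEC_NOACTIVE | SEC_NODICTIONARY | SEC_MUTUAL_AUTH,
    "KERBEROS_V4": SEC_NOPLAINTEXT | SEC_NOACTIVE | SEC_NODICTIONARY | SEC_MUTUAL_AUTH,
    "DIGEST-MD5":  SEC_NOPLAINTEXT | SEC_NOACTIVE,
    "OTP":         SEC_NOPLAINTEXT | SEC_NOACTIVE,
    "CRAM-MD5":    SEC_NOPLAINTEXT,
    "EXTERNAL":    SEC_NOPLAINTEXT,
    "PLAIN":       0,
    "LOGIN":       0,
    "ANONYMOUS":   0,
}

_AUTH_LINE = re.compile(r"^250[- ]AUTH[ =](.+)$", re.IGNORECASE)


def parse_auth_mechs(ehlo_response):
    """Return the mechanisms advertised in an EHLO response, de-duplicated,
    in the order listed (which carries no preference).  Both "AUTH X Y"
    and the legacy "AUTH=X Y" spelling are accepted."""
    seen = []
    for line in ehlo_response.splitlines():
        m = _AUTH_LINE.match(line.strip())
        if not m:
            continue
        for mech in m.group(1).split():
            mech = mech.upper()
            if mech not in seen:
                seen.append(mech)
    return seen


def choose_mechanism(offered, client_mechs, tls_active, override=None):
    """Pick the mechanism the client will use.

    offered      - names from the server's AUTH keyword (unordered)
    client_mechs - mechanisms the client library supports, in whatever
                   order it enumerates them
    tls_active   - whether STARTTLS completed; mechanisms that send the
                   secret in the clear are refused without it
    override     - an explicitly configured mechanism, if any

    Returns the mechanism name, or None when nothing usable is common to
    both sides.  An override that cannot be honoured raises ValueError
    rather than silently falling back to something weaker.
    """
    offered = {m.upper() for m in offered}

    def usable(mech):
        if mech not in offered or mech not in client_mechs:
            return False
        return tls_active or bool(MECH_FLAGS.get(mech, 0) & SEC_NOPLAINTEXT)

    if override is not None:
        override = override.upper()
        if not usable(override):
            raise ValueError("configured mechanism %s is not usable here" % override)
        return override

    best = None
    for mech in client_mechs:
        if not usable(mech):
            continue
        if best is None:
            best = mech
            continue
        # Superset rule: take the candidate only if it has every security
        # flag the current best has.  Ties keep the earlier one (an
        # assumption; the real library applies further tie-breaks).
        cur, cand = MECH_FLAGS.get(best, 0), MECH_FLAGS.get(mech, 0)
        if (cand & cur) == cur and cand != cur:
            best = mech
    return best


# Constructed EHLO response for the example; not captured from a real server.
EHLO_RESPONSE = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

if __name__ == "__main__":
    offered = parse_auth_mechs(EHLO_RESPONSE)
    client = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "GSSAPI", "SRP"]
    print("offered:", offered)
    print("default choice:", choose_mechanism(offered, client, tls_active=True))
    print("explicit CRAM-MD5:", choose_mechanism(offered, client, True, override="CRAM-MD5"))
    print("no TLS, PLAIN/LOGIN only:", choose_mechanism(offered, ["PLAIN", "LOGIN"], False))
```

Whichever order the client enumerates its own plugins, the superset rule lands on GSSAPI for the response above, which is the behaviour the thread describes; only the override changes that, and the override is refused outright (rather than downgraded) if the server did not offer it or it would send a password in the clear before STARTTLS.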


