I've recently been facing a special case: a POP3 server (dovecot) with a TLS-upgraded connection and a client certificate does not require the password when the LOGIN authentication mechanism is used, effectively behaving as if it were an EXTERNAL authentication.

< + VXNlcm5hbWU6
> dXNlcg==
< +OK Logged in.

Obviously the server does not require the password because the client certificate authentication takes precedence; the AUTH command is, however, still needed before any other command can be used. This looks like a deviation from the description (https://tools.ietf.org/html/draft-murchison-sasl-login-00), which was written "a posteriori" (probably by reverse engineering) and has never become a standard. That document does not describe the case where the password is not needed.

Currently, curl stops with CURLE_LOGIN_DENIED, treating the positive response as bad because a continuation is unconditionally expected.
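To make the failure mode concrete, here is a small added example (not curl's code, not dovecot's) that drives the client side of POP3 AUTH LOGIN against constructed server transcripts. With allow_early_ok=False it behaves like a client that demands a continuation for every credential and therefore rejects the early "+OK" from the exchange above; with allow_early_ok=True it accepts a final status line at any point.

```python
import base64

# Constructed POP3 server transcripts: one response per element, without CRLF,
# for what the server sends after "AUTH LOGIN" and after each client reply.
NORMAL_SERVER = ["+ VXNlcm5hbWU6", "+ UGFzc3dvcmQ6", "+OK Logged in."]
# The dovecot case from the post: the client certificate already satisfied
# authentication, so the server answers +OK right after the username.
CERT_SERVER = ["+ VXNlcm5hbWU6", "+OK Logged in."]
DENIED_SERVER = ["+ VXNlcm5hbWU6", "+ UGFzc3dvcmQ6", "-ERR Authentication failed."]


def b64(text):
    """Base64-encode a credential the way SASL LOGIN sends it on the wire."""
    return base64.b64encode(text.encode()).decode()


def sasl_login_client(server_lines, username, password, allow_early_ok):
    """Drive the client side of POP3 AUTH LOGIN against a scripted server.

    Returns (outcome, lines_sent). allow_early_ok=False mirrors a client that
    unconditionally expects a "+ <base64 prompt>" continuation for both
    credentials (the behaviour described for curl); allow_early_ok=True
    treats a "+OK" at any step as a completed login.
    """
    responses = iter(server_lines)
    sent = ["AUTH LOGIN"]
    for credential in (username, password):
        reply = next(responses, "")
        if reply.startswith("-ERR"):
            return "denied", sent
        if reply.startswith("+OK"):
            # Server finished early: accept it, or fail like the strict client.
            return ("ok" if allow_early_ok else "login-denied"), sent
        if not reply.startswith("+ "):
            return "protocol-error", sent  # neither a status nor a continuation
        try:
            base64.b64decode(reply[2:], validate=True)  # prompt must be valid base64
        except ValueError:
            return "protocol-error", sent
        sent.append(b64(credential))
    final = next(responses, "")
    if final.startswith("+OK"):
        return "ok", sent
    return ("denied" if final.startswith("-ERR") else "protocol-error"), sent
```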

Should we support this? If yes, the fix is ready.

In addition, I would give the LOGIN mechanism a lower priority than PLAIN, as advised in the document mentioned above.

OK for these changes?


Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html