On Fri, 21 Mar 2003, Andreas Aardal Hanssen wrote:
> The 1.1.0 release will be out next week. If anyone can help me with
> figuring out how a child process can continue SSL communication after the
> parent did the SSL_accept, then 1.1.0 will probably be out sooner rather
> than later.
I'm not sure exactly what you mean here by "did the SSL_accept". I guess you mean "perform the SSL handshake", although you could also mean "accept the "STARTTLS" command, and return "[tag] OK"". Or you could mean both of those things. But in any case, I don't think it matters, since perhaps the division of labour between child and parent should be such that there is no need to pass control in the way that Andreas seeks.

Scott Gifford has modified stunnel so that it can execute as an IMAP proxy. It either negotiates TLS, or operates as a cleartext proxy. Moreover, it does so running non-root in a chroot jail.

http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html

Below you will find a run file which runs stunnel in either cleartext or TLS mode, then runs Bruce Guenter's imapfront-auth to handle authentication, then finally bincimap's imapd. [This configuration requires a small modification to imapd to have it return the correct tagged response once it is started up post-authentication (using an environment variable provided by imapfront-auth).] In this configuration stunnel runs non-root (as the user "stunnel"), imapfront-auth as root, then imapd as the authenticated user.

I'm curious as to how you would partition the tasks differently, and why you wish to pass the TLS task from one process to another. You'll note that this configuration handles the connection with two concurrent processes - there is no way to use fewer processes without sacrificing privilege separation.

#!/bin/sh
# Run file: tcpserver -> stunnel-tlsproxy (via makesock) -> imapfront-auth -> bincimap imapd.
concurrency=20
ulimitdata=30000000

# CVM settings read by imapfront-auth: which authentication module to use.
CVM_SASL_PLAIN=cvm-local:/tmp/.cvm-unix-local
export CVM_SASL_PLAIN
CVM_ACCOUNT_SPLIT_CHARS=
export CVM_ACCOUNT_SPLIT_CHARS

# Unprivileged user/group that stunnel drops to (-s/-g below).
SSLUID=`id -u stunnel`
SSLGID=`id -g stunnel`

# Send stderr to stdout so the supervisor's logger sees everything.
exec 2>&1

# softlimit caps memory; tcpserver listens on all addresses, port imap,
# with at most $concurrency connections and the access rules in imap.cdb.
# The remaining arguments are the per-connection program chain; the
# stunnel options are those of the stunnel-tlsproxy patch linked above.
exec \
  softlimit -m $ulimitdata \
  tcpserver -dHRvX \
    -c "$concurrency" \
    -x imap.cdb \
    0 imap \
  makesock \
    stunnel -D debug -/ ssl -s "$SSLUID" -g "$SSLGID" \
      -N imap \
      -i -R seed -p imapd.pem -n imap- -f -F 3 \
  -makesock_connect_to \
  /usr/bin/imapfront-auth \
  /usr/local/bin/imap

-- 
Charlie
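An added illustration of the pattern the run file above relies on, written for this page and not taken from the run file, stunnel-tlsproxy, imapfront-auth or bincimap: every stage in the chain reads and writes the client over the inherited descriptors 0 and 1, does its job, and then starts the next stage with the same descriptors. The TLS front end is left out; the point shown is that the later stages never touch TLS state, only the cleartext stream handed to them. The environment variable names IMAPFRONT_TAG and IMAPFRONT_USER and the credential table are assumptions, and since shell functions cannot be exec'd, each stand-in stage calls the next with "$@" where the real run file uses exec.

```shell
#!/bin/sh
# Added example of the exec-chain pattern: stand-ins for imapfront-auth and
# for an imapd started post-authentication.  IMAPFRONT_TAG, IMAPFRONT_USER
# and the credential table are assumptions, not names from the real tools.

# Stand-in for imapfront-auth: greet, read one LOGIN, check it, then start the
# next stage with the client's tag in the environment so that stage can send
# the tagged reply the client is still waiting for.
auth_stage() {
    printf '* OK ready\r\n'
    read -r tag cmd user pass || return 1
    pass=$(printf '%s' "$pass" | tr -d '\r')      # strip the CR of CRLF
    if [ "$cmd" != LOGIN ]; then
        printf '%s BAD expected LOGIN\r\n' "$tag"
        return 1
    fi
    # Constructed credential table; the real front end asks a CVM module.
    case "$user:$pass" in
        alice:s3cret) ;;
        *) printf '%s NO authentication failed\r\n' "$tag"; return 1 ;;
    esac
    export IMAPFRONT_TAG="$tag" IMAPFRONT_USER="$user"
    "$@"    # the real run file exec's the next program here
}

# Stand-in for imapd started post-authentication: its first line is not a
# greeting but the tagged OK for the LOGIN the previous stage consumed.
service_stage() {
    printf '%s OK LOGIN completed\r\n' "$IMAPFRONT_TAG"
    while read -r tag cmd rest; do
        case "$cmd" in
            NOOP*)   printf '%s OK NOOP completed\r\n' "$tag" ;;
            LOGOUT*) printf '* BYE\r\n%s OK LOGOUT completed\r\n' "$tag"; return 0 ;;
            *)       printf '%s BAD unsupported command\r\n' "$tag" ;;
        esac
    done
}

# Drive the chain with a scripted client session (printf %b expands \r\n).
run_chain() {
    printf '%b' "$1" | auth_stage service_stage
}

run_chain 'a1 LOGIN alice s3cret\r\na2 NOOP\r\na3 LOGOUT\r\n'
```

Run it as-is to see the session; the first line the client receives after its LOGIN comes from a different stage than the greeting, which is exactly the behaviour the imapd modification mentioned above has to provide.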

