Hi, Charlie,

On Tue, 25 Mar 2003, Charlie Brady wrote:
>On Fri, 21 Mar 2003, Andreas Aardal Hanssen wrote:
>I'm not sure exactly what you mean here by "did the SSL_accept". I guess
>you mean "perform the SSL handshake", although you could also mean "accept
>the "STARTTLS" command, and return "[tag] OK". Or you could mean both of
>those things.
The handshake.

>But in any case, I don't think it matters, since perhaps the division of
>labour between child and parent should be such that there is no need to
>pass control in the way that Andreas seeks.

>Scott Gifford has modified stunnel so that it can execute as an IMAP
>proxy. It either negotiates TLS, or operates as a cleartext proxy.
>Moreover, it does so running non-root in a chroot jail.

>In his configuration stunnel runs non-root (as the user "stunnel"),
>imapfront-auth as root, then imapd as the authenticated user. I'm curious
>as to how you would partition the tasks differently, and why you wish to
>pass the TLS task from one process to another. You'll note that this
>configuration handles the connection with two concurrent processes - there
>is no way to use fewer processes without sacrificing privilege separation.

Agreed that this is a great way to handle port 993 SSL, but how would you
use this to solve STARTTLS?

Andy

-- 
Andreas Aardal Hanssen | http://www.andreas.hanssen.name/gpg
Author of Binc IMAP | Nil desperandum
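The question in the message above is how a front-end process can answer the cleartext STARTTLS command and then let a different process (one that could run unprivileged, as stunnel does in the configuration Charlie describes) take over the same TCP connection for the TLS handshake. The standard Unix mechanism for that hand-off is passing the connected descriptor over a Unix-domain socket with SCM_RIGHTS. The following is an added illustration written for this page; it is not code from Binc IMAP, stunnel or imapfront-auth, and it makes no claim about how any of them are implemented. It assumes a Unix host, Python 3.3 or later, and uses socketpair() in place of a real accepted TCP connection; the IMAP lines are constructed for the example. The worker only echoes a reply where a real worker would run the TLS handshake on the adopted socket.

```python
"""Hand an accepted IMAP connection from a front-end process to a worker
process after the cleartext STARTTLS command, using SCM_RIGHTS fd passing.

Added example; assumptions: Unix, Python 3.3+, constructed IMAP lines,
socketpair() standing in for the accepted TCP connection.
"""
import array
import os
import socket

CRLF = b"\r\n"


def starttls_reply(line: bytes) -> bytes:
    """Build the reply to one tagged IMAP command line.

    Only STARTTLS is handled; anything else is refused until TLS is up.
    A line without a tag gets an untagged BAD, as RFC 3501 allows.
    """
    parts = line.rstrip(CRLF).split(b" ", 1)
    if len(parts) != 2:
        return b"* BAD missing tag" + CRLF
    tag, cmd = parts
    if cmd.upper() == b"STARTTLS":
        return tag + b" OK Begin TLS negotiation now" + CRLF
    return tag + b" BAD command not allowed before STARTTLS" + CRLF


def send_fd(chan: socket.socket, fd: int, note: bytes) -> None:
    """Send one file descriptor plus a short note over a Unix socket."""
    chan.sendmsg([note],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(chan: socket.socket, maxlen: int = 1024):
    """Receive the note and the descriptors sent by send_fd()."""
    fds = array.array("i")
    note, ancdata, _flags, _addr = chan.recvmsg(maxlen, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Ignore any trailing partial int in the ancillary data.
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    return note, list(fds)


def run_handoff():
    """Front end (parent) answers STARTTLS in the clear, then passes the
    connected socket to a worker (child) that owns the session from then on.

    Returns (reply the client saw for STARTTLS, reply it saw from the worker).
    """
    client, conn = socket.socketpair()    # conn plays the accepted connection
    front, worker = socket.socketpair()   # control channel for the hand-off

    pid = os.fork()
    if pid == 0:                          # worker process
        client.close()
        conn.close()                      # drop the inherited copy; we get it via SCM_RIGHTS
        front.close()
        note, fds = recv_fd(worker)
        sock = socket.socket(fileno=fds[0])   # adopt the passed descriptor
        # A real worker would now run the TLS handshake on `sock`, and for
        # privilege separation would already be running unprivileged.
        line = sock.recv(1024)
        tag = line.split(b" ", 1)[0]
        sock.sendall(tag + b" OK worker took over after " + note + CRLF)
        sock.close()
        worker.close()
        os._exit(0)

    # front-end process
    worker.close()
    client.sendall(b"a001 STARTTLS" + CRLF)
    first_reply = starttls_reply(conn.recv(1024))
    conn.sendall(first_reply)
    seen_first = client.recv(1024)

    send_fd(front, conn.fileno(), b"starttls")
    conn.close()                          # only the worker holds the connection now

    client.sendall(b"a002 CAPABILITY" + CRLF)
    seen_second = client.recv(1024)
    os.waitpid(pid, 0)
    client.close()
    front.close()
    return seen_first, seen_second


if __name__ == "__main__":
    print(run_handoff())
```

The point of the split is that the process which talked in the clear never needs the TLS key material or the authenticated user's privileges: once the descriptor has been passed and closed on the front-end side, only the worker can read from or write to the client. Two processes are still live per connection, matching Charlie's observation that fewer cannot be used without giving up privilege separation.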

