curl-library

SASL LOGIN mechanism

From: Patrick Monnerat <patrick_at_monnerat.net>
Date: Wed, 14 Feb 2018 01:48:03 +0100

I've recently been facing a special case: a pop3 server (dovecot) with a
TLS-upgraded connection and client certificate does not require the
password when the LOGIN authentication mechanism is used, effectively
behaving as if it were an EXTERNAL authentication.

> AUTH LOGIN
< + VXNlcm5hbWU6
> dXNlcg==
< +OK Logged in.

Obviously the server does not require the password because the client
certificate authentication takes precedence; the AUTH command is however
needed before being able to use other commands. This looks like a
deviance from the description
(https://tools.ietf.org/html/draft-murchison-sasl-login-00), that has
been written "a posteriori" (probably by reverse engineering) and has
not become a standard. This document does not describe the case when the
password is not needed.

Currently, curl stops with CURLE_LOGIN_DENIED, treating the positive
response as bad because a continuation is unconditionally expected.

Should we support this? If yes, the fix is ready.

In addition I would set the LOGIN mechanism a lower priority than the
PLAIN one, as advised in the document mentioned above.

OK for these changes?

Patrick
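
The exchange described above, as an added example that is not part of the original post and not curl's own code: a minimal client-side driver for POP3 `AUTH LOGIN` that accepts the early `+OK` after the username (the dovecot case), with a flag to reproduce the behaviour described as current, where a continuation is expected unconditionally and the early `+OK` is treated as a login failure. Server replies are constructed lists consumed in order; `pop3_auth_login`, `allow_early_ok` and `b64` are names chosen for this example.

```python
import base64


def b64(text):
    """Base64-encode a string the way the LOGIN mechanism expects."""
    return base64.b64encode(text.encode()).decode()


def pop3_auth_login(user, password, server_replies, allow_early_ok=True):
    """Drive the client side of POP3 'AUTH LOGIN'.

    server_replies: constructed list of server lines (CRLF already stripped),
    consumed in order. allow_early_ok=True accepts '+OK' before the password
    challenge (server authenticated via the client certificate); False mirrors
    the behaviour described in the post as current, where a continuation is
    expected unconditionally and the early '+OK' is treated as a denial.
    Returns (outcome, sent): outcome in {"ok", "denied", "error"}, sent is the
    list of client lines that were issued.
    """
    sent = ["AUTH LOGIN"]
    replies = iter(server_replies)
    # At most three server lines matter: username challenge, password
    # challenge, final status. Bound the loop so a chatty server cannot spin us.
    for _ in range(3):
        reply = next(replies, None)
        if reply is None:
            return "error", sent                  # connection closed mid-exchange
        if reply.startswith("+OK"):
            if len(sent) < 3 and not allow_early_ok:
                return "denied", sent             # unexpected early success -> failure
            return "ok", sent
        if reply.startswith("-ERR"):
            return "denied", sent
        if reply.startswith("+"):
            # Continuation: decode the challenge and answer it.
            raw = base64.b64decode(reply[1:].strip() or b"")
            challenge = raw.decode(errors="replace").strip().rstrip(":").lower()
            if challenge.startswith("user"):
                sent.append(b64(user))
            elif challenge.startswith("pass"):
                sent.append(b64(password))
            else:
                return "error", sent              # unknown challenge text
            continue
        return "error", sent                      # not a POP3 status or continuation
    return "error", sent
```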

Received on 2018-02-14