
List:       kfm-devel
Subject:    SSL on KDE protocols (ioslave developers please read this)
From:       George Staikos <staikos () kde ! org>
Date:       2001-05-11 6:48:12


   Tonight I added SSL support to TCPSlaveBase and extended this into 
kio_smtp, kio_pop3 and kio_imap.  I also added TLS (via STARTTLS/STLS) 
support to TCPSlaveBase and thus far have extended it to kio_smtp and 
kio_pop3.  This code isn't complete yet, but it's good enough for a start.  I 
have added the hooks into kcmcrypto and kmail for this so far (although 
KMail still doesn't use kio_smtp).

   This code does not yet verify certificates.  This will come later 
(probably after the beta, _possibly_ before).  Any application which wishes 
to verify these certificates will have to communicate with the slave via 
metadata and link to KSSL to get the X509 dialog.  I can provide info on how 
to do this later (over the next 2 months).

    [ Note:  certificate verification isn't actually complete in kio_https 
either.  There is still some code missing because it's very complicated, 
especially with HTML, and it takes time to do this.]

    Another flaw is that TLS is a little too transparent right now.  It 
should be providing feedback to the app if TLS is requested and isn't 
available or fails.  Right now if TLS is enabled in kcmcrypto (default) and 
the server claims to support it but negotiation fails, the entire slave 
session will fail.  This should be rare, but it _can_ happen.

   Additionally, I am slowly but surely working on a certificate manager and 
generator.  It's a lot of work.  When I finish it, we will be able to send 
client certificates out (on _all_ slaves, managed from the same manager).  I 
also hope to provide X509 authentication with this.  (probably the best auth 
scheme you can get)

Users:

   Please give these slaves a test on SSL or TLS based pop, imap and smtp 
servers.  I need feedback.  I've only been able to test pop3+SSL so far.



Developers:

   The following slaves have not been patched for SSL because they do not use 
TCPSlaveBase:

   nntp          (nntps://   port 563)
   ldap          (ldaps://   port 636)
   ftp           (ftps://    and ftps-data on 990, 989 respectively)

   I would appreciate if you would port your slave to TCPSlaveBase.  I can 
do the SSL updates after that point.  


-- 

George Staikos
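The TLS feedback problem described in the post (a requested STLS upgrade that is not offered, is refused, or fails in the handshake should be reported back to the application instead of silently taking the whole session down) modelled as an added example; this is not code from George Staikos's post or from KDE's TCPSlaveBase. It is a Python sketch of the POP3 CAPA/STLS exchange run against a constructed fake connection, so the class names, the canned server lines and the outcome enum are all assumptions.

```python
from enum import Enum

class TlsOutcome(Enum):
    """Why a STLS upgrade did or did not happen; surfaced to the caller."""
    ESTABLISHED = "TLS established"
    NOT_ADVERTISED = "server did not advertise STLS"
    REFUSED = "server refused STLS"
    HANDSHAKE_FAILED = "TLS handshake failed"

class FakePop3Connection:
    """Constructed stand-in for a socket: replays canned server lines."""
    def __init__(self, responses, handshake_ok=True):
        self._responses = list(responses)
        self._handshake_ok = handshake_ok
        self.sent = []  # commands the client issued, for inspection
    def send_line(self, line):
        self.sent.append(line)
    def read_line(self):
        return self._responses.pop(0)
    def start_tls(self):
        # a real slave wraps the socket here; the fake only succeeds or fails
        if not self._handshake_ok:
            raise OSError("TLS handshake failure")

def read_capa(conn):
    """Send CAPA and return the advertised capability names."""
    conn.send_line("CAPA")
    caps = set()
    if not conn.read_line().startswith("+OK"):
        return caps  # server without CAPA: nothing advertised
    while True:
        line = conn.read_line()
        if line == ".":  # end of the multi-line response
            return caps
        if line:
            caps.add(line.split()[0].upper())

def negotiate_stls(conn):
    """Attempt STLS and report the outcome instead of failing silently."""
    if "STLS" not in read_capa(conn):
        return TlsOutcome.NOT_ADVERTISED
    conn.send_line("STLS")
    if not conn.read_line().startswith("+OK"):
        return TlsOutcome.REFUSED
    try:
        conn.start_tls()
    except OSError:
        return TlsOutcome.HANDSHAKE_FAILED
    return TlsOutcome.ESTABLISHED
```

A caller that has TLS enabled in its settings can then abort on anything other than `ESTABLISHED` and tell the user which of the three things went wrong, rather than continuing in the clear or dying with no explanation.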
