Subject: Re: imap-uw package and SSL
To: None <rb-netbsd@BigScaryChildren.net>
From: David Burgess <burgess@neonramp.com>
List: tech-pkg
Date: 08/13/2002 14:48:22
> Hi,
>
> The imap-uw package is set up to use openssl by default.  However, the
> imap-uw SSLBUILD file says that you shouldn't enable SSL support unless
> you plan on installing valid certificates.  Since not everyone will
> want to set up certificates (since a valid one will usually cost money),
> it seems like a bad idea to have SSL support enabled by default.
> Unless I'm missing something, the only way I can use imap-uw with
> SSL-enabled clients without buying a certificate is to create a self-signed
> certificate and then have clients specify "/noverify" (or whatever the
> flag is to prevent certificate verification).  At the very least, there
> should be a simple make flag "IMAP_UW_SSL" which can be set to NO to
> disable SSL support entirely.
>
> Am I missing something here?  Shall I send-pr a change for this?

Actually, creating valid certificates isn't a problem - I have a script
that does (almost) all the work.  Once you add the noverify tag, life is
good.  Remember, the point is to encrypt the data on the way out of the
server, so having the system be "TLS ready" and simply not turn it on is
fine with me.
If there was a PR required for this, it would be to make sure the noverify
flag is set in the example file and that the text makes it clear that the
certs are checked whether you use SSL or not.  Basically, something along
the lines of "unless you bought a cert, do not remove the /noverify flag".
-- 
Dave Burgess
CTO, Nebraska On-Ramp
Chief Engineer, Mitec Internet Services
Bellevue, NE 68123
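
The self-signed setup discussed in this thread, as an added example that is not part of either message and is not the script mentioned in the reply: it creates a self-signed certificate, shows that a client checking it against the default trust store rejects it (the reason the thread talks about turning verification off), and shows that the same certificate verifies once the client is given it as a trust anchor. The host name, the file names and the key-plus-certificate layout of `imapd.pem` are assumptions.

```shell
#!/bin/sh
# Added example; the host name and all paths are constructed, not from the thread.
CN="imap.example.org"   # assumed server name

# Create a self-signed key and certificate in directory $1 and concatenate
# them into a single PEM file (assumed layout for the server's imapd.pem).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$CN" \
        -keyout "$1/imapd.key" -out "$1/imapd.crt" 2>/dev/null || return 1
    cat "$1/imapd.key" "$1/imapd.crt" > "$1/imapd.pem" || return 1
    chmod 600 "$1/imapd.key" "$1/imapd.pem"
}

# True when issuer and subject name hashes match, i.e. nobody else signed it.
is_self_signed() {
    s=$(openssl x509 -in "$1/imapd.crt" -noout -subject_hash)
    i=$(openssl x509 -in "$1/imapd.crt" -noout -issuer_hash)
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# What a verifying client does: check against the system trust store.
# Expected to fail for a self-signed certificate.
verify_default() {
    openssl verify "$1/imapd.crt" 2>&1 | grep -q ': OK$'
}

# The client is handed this one certificate as its trust anchor, so
# verification stays enabled and succeeds without a purchased certificate.
verify_trusted() {
    openssl verify -CAfile "$1/imapd.crt" "$1/imapd.crt" 2>&1 | grep -q ': OK$'
}

# Demonstration in a throwaway directory.
demo=$(mktemp -d)
if make_selfsigned "$demo"; then
    if is_self_signed "$demo"; then echo "self-signed: yes"; fi
    if verify_default "$demo"; then echo "default trust store: accepted"
    else echo "default trust store: rejected"; fi
    if verify_trusted "$demo"; then echo "certificate as trust anchor: accepted"
    else echo "certificate as trust anchor: rejected"; fi
fi
rm -rf "$demo"
```

Only `imapd.crt` would be copied to clients; `imapd.key` and `imapd.pem` contain the private key and stay on the server.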