authorKevin McCarthy <kevin@8t8.us>2020-06-22 18:31:47 -0700
committerKevin McCarthy <kevin@8t8.us>2020-06-23 15:46:38 -0700
commitc9b58e3df046c60417720b4054ffbb2422360e0f (patch)
treedef8f537effc916e16963cdbc2e727488dc672c1 /init.h
parent0e428dd593dc724b841987db1b031b44640c4139 (diff)
Add $tunnel_is_secure config, defaulting set.
The config variable is to resolve an ambiguity in Mutt about whether using $tunnel is secure. On the one hand, the examples in the manual show using ssh or a direct pipe to a program. Many users do this to connect to an IMAP server with PREAUTH configured, relying on the tunnel to be secured by ssh or by the fact that it's a local pipe. On the other hand, the Mutt connection code still respects $ssl_starttls and $ssl_force_tls, as if the $tunnel connection were not already secured. After some discussion on mutt-dev, it seemed the best idea to assume the connection is secure by default, in order to not break IMAP PREAUTH connections, but to provide a configuration variable in case there are situations where it is not. Thanks to Aaron Schrab for the original idea of setting conn->ssf for $tunnel in his patch to ticket 250.
Diffstat (limited to 'init.h')
-rw-r--r--init.h14
1 files changed, 14 insertions, 0 deletions
diff --git a/init.h b/init.h
index ea928b43..4e421f67 100644
--- a/init.h
+++ b/init.h
@@ -4344,6 +4344,20 @@ struct option_t MuttVars[] = {
** tunnel commands per connection.
*/
#endif
+ { "tunnel_is_secure", DT_BOOL, R_NONE, {.l=OPTTUNNELISSECURE}, {.l=1} },
+ /*
+ ** .pp
+ ** When \fIset\fP, Mutt will assume the $$tunnel connection does not need
+ ** STARTTLS to be enabled. It will also allow IMAP PREAUTH server
+ ** responses inside a $tunnel to proceed. This is appropriate if $$tunnel
+ ** uses ssh or directly invokes the server locally.
+ ** .pp
+ ** When \fIunset\fP, Mutt will negotiate STARTTLS according to the
+ ** $ssl_starttls and $ssl_force_tls variables. If $ssl_force_tls is
+ ** set, Mutt will abort connecting if an IMAP server responds with PREAUTH.
+ ** This setting is appropriate if $$tunnel does not provide security and
+ ** could be tampered with by attackers.
+ */
{ "uncollapse_jump", DT_BOOL, R_NONE, {.l=OPTUNCOLLAPSEJUMP}, {.l=0} },
/*
** .pp
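Review bot: The new description never states that $tunnel_is_secure defaults to set, although the option line initializes it with `{.l=1}`, so a reader does not learn that $ssl_force_tls and $ssl_starttls are not applied to a $tunnel connection until this variable is explicitly unset. Consider adding to the first paragraph: `** This is set by default; unset it if the tunnel command itself does not provide confidentiality and integrity for the connection.` Separately, the variable references are inconsistent within the hunk: `$$tunnel` on most lines but `$tunnel` in the PREAUTH sentence, and single-`$` `$ssl_starttls`/`$ssl_force_tls`; if `$$name` is the makedoc cross-reference form used elsewhere in this file, the single-`$` forms will not render as links. The enclosing MuttVars[] initializer starts and ends outside the hunk.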