nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

IMAP - can not chose compatible AUTH backend #153

Open qaxi opened 4 years ago

qaxi commented 4 years ago

Steps to reproduce

  1. Set up IMAP auth with TLS enabled to a server with AUTH=GSSAPI CAPABILITY

Expected behaviour

You can login to NC

Actual behaviour

No login - error message in log: [user_external][3] ERROR: Could not connect to imap server via curl: Operation timed out after 10001 milliseconds with 0 out of 0 bytes received

Test from Linux shell

```
# curl --basic -v imaps://email.example.com --user 'user@example.com'
Enter host password for user 'user@madeta.cz':
*   Trying xx8.yy5.zz4.aa6:993...
* TCP_NODELAY set
* Connected to email.example.com (xx8.yy5.zz4.aa6) port 993 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=email.example.com
*  start date: Jun 17 02:22:59 2020 GMT
*  expire date: Sep 18 02:22:59 2020 GMT
*  subjectAltName: host "email.example.com" matched cert's "email.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< * OK Server 1 IMAP4rev1 Thu, 09 Jul 2020 11:08:40 +0200
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=GSSAPI SORT THREAD=ORDEREDSUBJECT UIDPLUS QUOTA ACL NAMESPACE CHILDREN IDLE ID UNSELECT METADATA MULTISEARCH ESEARCH XLIST CREATE-SPECIAL-USE 
< A001 OK CAPABILITY Completed
> A002 AUTHENTICATE GSSAPI
< +
* gss_init_sec_context() failed: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0). 
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (94) An authentication function returned an error
```

The problem is that this Linux server is not (and never will be) used in a Kerberos environment ...

I had to switch off the GSSAPI auth backend on the IMAP server, because there is no way to tell
user_external/curl not to use it.
**After that it works like a charm ...** BTW, in ownCloud with the old way to specify the user_external config it still works.

```
# curl --basic -v imaps://email.example.com --login-options "AUTH=PLAIN" --user 'user@example.com'
Enter host password for user 'user@example.com':
*   Trying 192.0.2.0:993...
* TCP_NODELAY set
* Connected to email.example.com (192.0.2.0) port 993 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=email.example.com
*  start date: Mar 16 07:11:09 2022 GMT
*  expire date: Jun 14 07:11:08 2022 GMT
*  subjectAltName: host "email.example.com" matched cert's "email.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< * OK IMAP Server
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM AUTH=GSSAPI UIDPLUS QUOTA ACL NAMESPACE CHILDREN IDLE ID UNSELECT METADATA MULTISEARCH ESEARCH XLIST CREATE-SPECIAL-USE 
< A001 OK CAPABILITY Completed
> A002 AUTHENTICATE PLAIN
< + 
> 123456789qwertzuiopasdfghjklyxcvbnm
< A002 OK AUTHENTICATE Completed
> A003 LIST "" *
.
.
.
< A003 OK LIST Completed
* Connection #0 to host email.example.com left intact
```

Possible solutions:

Affected Authentication backend

IMAP and server with GSSAPI

Server configuration

User External App version: 2.1.0

Operating system: Ubuntu 20.04 LTS

Web server: Apache2 2.4.41

Database: Postgresql 12.9

PHP version: 7.4.3

Nextcloud version: 23.0.3

Updated from an older Nextcloud/ownCloud or fresh install: fresh

Where did you install Nextcloud from: nextcloud tar file

Signing status:

```
NO integrit URL ...
```

List of activated apps:

```
Enabled:
  - admin_audit: 1.13.0
  - bruteforcesettings: 2.4.0
  - cloud_federation_api: 1.6.0
  - comments: 1.13.0
  - dav: 1.21.0
  - federatedfilesharing: 1.13.0
  - files: 1.18.0
  - files_rightclick: 1.2.0
  - files_sharing: 1.15.0
  - files_trashbin: 1.13.0
  - files_versions: 1.16.0
  - files_videoplayer: 1.12.0
  - limit_login_to_ip: 3.1.0
  - logreader: 2.8.0
  - lookup_server_connector: 1.11.0
  - notifications: 2.11.1
  - oauth2: 1.11.0
  - provisioning_api: 1.13.0
  - serverinfo: 1.13.0
  - settings: 1.5.0
  - sharebymail: 1.13.0
  - twofactor_backupcodes: 1.12.0
  - updatenotification: 1.13.0
  - user_external: 2.1.0
  - viewer: 1.7.0
  - workflowengine: 2.5.0
Disabled:
  - accessibility: 1.5.0
  - activity: 2.12.0
  - circles: 23.1.0
  - contactsinteraction: 1.0.0
  - dashboard: 7.0.0
  - encryption
  - federation: 1.9.0
  - files_external
  - files_pdfviewer: 1.8.0
  - firstrunwizard: 2.8.0
  - nextcloud_announcements: 1.8.0
  - password_policy: 1.9.1
  - photos: 1.1.0
  - privacy: 1.3.0
  - recommendations: 0.7.0
  - support: 1.2.1
  - survey_client: 1.7.0
  - systemtags: 1.9.0
  - text: 3.0.1
  - theming: 1.10.0
  - user_ldap
  - user_status: 1.0.1
  - weather_status: 1.0.0
```

Nextcloud configuration:

```
# sudo -u www-data php occ config:list system
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.example.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "19.0.0.12",
        "overwrite.cli.url": "https:\/\/cloud.example.com",
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "user_backends": [
            {
                "class": "OC_User_IMAP",
                "arguments": [
                    "email.example.com",
                    993,
                    true
                ]
            }
        ],
        "loglevel": 3,
        "logfile": "\/var\/log\/nextcloud.log",
        "default_language": "cs_CZ",
        "updatechecker": true,
        "filelocking.enabled": true,
        "log_type": "errorlog",
        "trashbin_retention_obligation": "30, auto"
    }
}
```
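
The shell workaround in the report (`--login-options "AUTH=PLAIN"`) expressed in PHP, as an added example that is not user_external's own code: `CURLOPT_LOGIN_OPTIONS` is the same libcurl option the shell flag sets, so pinning it to `AUTH=PLAIN` stops curl from picking `AUTH=GSSAPI` out of the server's CAPABILITY list. The function name, the host, the user and the 10-second timeout are placeholders chosen to match the values in the report.

```php
<?php
// Added example (not user_external's own code): check an IMAPS login through
// libcurl, but pin the SASL mechanism to PLAIN. In the first transcript above
// curl chose GSSAPI on its own and failed for lack of Kerberos credentials.
function imapPlainLoginCheck(string $host, int $port, string $user, string $password): array
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => sprintf('imaps://%s:%d/', $host, $port),
        CURLOPT_USERPWD        => $user . ':' . $password,
        // Same effect as the shell flag --login-options "AUTH=PLAIN":
        // only PLAIN is offered, so AUTH=GSSAPI in CAPABILITY is ignored.
        CURLOPT_LOGIN_OPTIONS  => 'AUTH=PLAIN',
        CURLOPT_RETURNTRANSFER => true,
        // Placeholder limits; the app's log line shows a 10 s connect limit.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 10,
        // PLAIN carries the password inside the TLS session, so peer and
        // hostname verification stay on (as the transcripts' "verify ok").
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body  = curl_exec($ch);   // curl authenticates, then issues LIST "" * as in the transcript
    $errno = curl_errno($ch);  // 94 is the "authentication function returned an error" case seen above
    $error = curl_error($ch);
    curl_close($ch);

    return [
        'authenticated' => ($errno === 0 && $body !== false),
        'curl_errno'    => $errno,
        'curl_error'    => $error,
    ];
}

// Usage with the placeholder host/user from the report; password read from the environment.
$result = imapPlainLoginCheck('email.example.com', 993, 'user@example.com', getenv('IMAP_PASSWORD') ?: '');
echo $result['authenticated']
    ? "login OK\n"
    : "login failed ({$result['curl_errno']}): {$result['curl_error']}\n";
```

If the server advertises only `AUTH=GSSAPI`, this returns `authenticated => false` with the curl error text rather than hanging until the connect timeout, which makes the mismatch visible in the app log.
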
violoncelloCH commented 4 years ago

Hi @qaxi! Would you want to create a pull request adding CURLAUTH_GSSNEGOTIATE support?