feat(tls): add STARTTLS for FTPS, SMTP, IMAP, and POP3 #2

Merged
jonwiggins merged 1 commit into main from feat/starttls-all-protocols
Mar 19, 2026

@jonwiggins
Owner

Summary

  • Add UseSsl enum (None/Try/All) to control STARTTLS behavior across protocols
  • Wire --ssl, --ssl-reqd, --ftp-ssl-control, --ftp-ssl-ccc CLI flags through Easy to protocol handlers
  • Implement STARTTLS/AUTH SSL for FTP, STARTTLS for SMTP/IMAP, STLS for POP3
  • Fix FTPS implicit mode: correct login/PBSZ ordering, PROT C support, tolerant PBSZ/PROT error handling

Test plan

  • 15 of 16 curl tests pass (400, 401, 402, 403, 406, 408, 409, 980, 981, 982, 983, 984, 985, 986, 1112)
  • Test 407 is a pre-existing FTP connection reuse bug (not related to this PR)
  • All 311 Rust unit tests pass
  • No regressions on previously passing tests (verified tests 1-20, 100-130)
  • cargo fmt, cargo clippy, cargo test, cargo doc all pass

Implement STARTTLS — upgrading a plain TCP connection to TLS mid-stream
after initial protocol negotiation. This passes 15 of 16 curl tests
(400-409, 980-986, 1112); the sole remaining failure (407) is a
pre-existing FTP connection reuse bug.

Changes:

- Add `UseSsl` enum (None/Try/All) for controlling STARTTLS behavior
- Add `--ssl` → UseSsl::Try, `--ssl-reqd` → UseSsl::All CLI mapping
- Add `--ftp-ssl-control` flag for PROT C (clear data channel)
- Add `--ftp-ssl-ccc` flag for CCC (clear command channel)

FTP/FTPS:
- Try AUTH SSL before AUTH TLS (matching curl's auth order)
- Return error 64 when --ssl-reqd and both AUTH commands fail
- Detect pipelined server responses and return error 8 in Try mode
- Send PROT C instead of PROT P when --ftp-ssl-control is set
- Ignore PBSZ/PROT failures for stunnel-wrapped FTPS servers
- Fix login/PBSZ ordering: implicit FTPS does USER/PASS then PBSZ/PROT

SMTP:
- Parse STARTTLS from EHLO capabilities
- Send STARTTLS command when --ssl is used with smtp://
- Return error 8 on STARTTLS failure, error 64 when required but missing

IMAP:
- Parse STARTTLS from CAPABILITY response
- Send STARTTLS command when --ssl is used with imap://
- Return error 64 when --ssl-reqd and CAPABILITY fails or lacks STARTTLS

POP3:
- Parse STLS from CAPA response
- Send STLS command when --ssl is used with pop3://
- Return error 64 when --ssl-reqd and CAPA fails or lacks STLS

Tests passing: 400, 401, 402, 403, 406, 408, 409, 980, 981, 982, 983,
984, 985, 986, 1112

jonwiggins force-pushed the feat/starttls-all-protocols branch from 5d0dff1 to 77c5b15 (March 18, 2026 23:30)
jonwiggins merged commit 385b52c into main (Mar 19, 2026)
7 checks passed
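
The SMTP behaviour listed in the commit message (upgrade when advertised, error 64 when required but missing, error 8 on STARTTLS failure), as an added sketch that is not code from this PR or repository. All names other than `UseSsl` are hypothetical, and applying the pipelined-reply check to SMTP is an assumption, since the commit message mentions it only for FTP in Try mode.

```rust
// Added example, not the project's code; all names except UseSsl are hypothetical.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum UseSsl { None, Try, All }

#[derive(Debug, PartialEq)]
pub enum Next { Plaintext, Upgrade }

/// True if an EHLO reply ("250-KEYWORD" / "250 KEYWORD" lines) advertises STARTTLS.
pub fn ehlo_has_starttls(ehlo: &str) -> bool {
    ehlo.lines().any(|l| {
        l.strip_prefix("250")
            .and_then(|r| r.strip_prefix(&['-', ' '][..]))
            .map_or(false, |kw| kw.trim().eq_ignore_ascii_case("STARTTLS"))
    })
}

/// Decide what to do before sending STARTTLS. Err carries the error code from the PR text.
pub fn plan(policy: UseSsl, advertised: bool) -> Result<Next, u32> {
    match (policy, advertised) {
        (UseSsl::None, _) => Ok(Next::Plaintext),
        (_, true) => Ok(Next::Upgrade),
        (UseSsl::Try, false) => Ok(Next::Plaintext), // silent fallback to cleartext
        (UseSsl::All, false) => Err(64),             // required but not offered
    }
}

/// `buf` holds every byte read after sending STARTTLS and before the TLS handshake.
pub fn check_upgrade_reply(buf: &[u8]) -> Result<(), u32> {
    let end = buf.windows(2).position(|w| w == b"\r\n").ok_or(8u32)?;
    let (line, rest) = (&buf[..end], &buf[end + 2..]);
    if !line.starts_with(b"220") {
        return Err(8); // server refused the upgrade
    }
    if !rest.is_empty() {
        return Err(8); // plaintext pipelined behind the reply must not enter the TLS session
    }
    Ok(())
}

fn main() {
    // Constructed sample replies.
    let ehlo = "250-mail.example\r\n250-PIPELINING\r\n250 STARTTLS\r\n";
    println!("{:?}", plan(UseSsl::All, ehlo_has_starttls(ehlo)));
    println!("{:?}", check_upgrade_reply(b"220 Ready\r\n250 injected\r\n"));
}
```

Only the `UseSsl::All` branch fails closed when the capability is absent; with `Try`, a reply that lacks STARTTLS leaves the session in cleartext without an error.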