[balsa/wip/gtk4] IMAP goes GIO



commit 6f47b65d8a6cb991badc45279375ff8c689fe10a
Author: Albrecht Dreß <albrecht dress arcor de>
Date:   Tue Jun 5 22:05:31 2018 -0400

    IMAP goes GIO
    
    Changes to libnetclient/*:
    As I mentioned above, in the libnetclient library I added a module
    which “simulates” the character-buffering methods of libbalsa/imap/siobuf.[hc].
    Other improvements include:
    - transparent compression (RFC 4978) support – which revealed a bug
      in GIO sending crap when finalising the connection.
      This is not really harmful, but may confuse a network-based IDS
      (see <https://bugzilla.gnome.org/show_bug.cgi?id=795985>);
    - helper function for wiping auth data with random chars
      before freeing the string;
    - improved unit tests.
    
    Changes to libbalsa/imap/*:
    - siobuf.[hc] are removed, siobuf-nc.h providing a “glue layer”
      for libnetclient is added
    - auth-cram.c, imap-auth.[ch]: partly re-written; uses libnetclient signals;
      replace fixed-length strings by dynamically allocated glib strings
      which is safer; simplifications by using libnetclient functions
    - auth-gssapi.c: simplified by using libnetclient helpers;
      glib strings as above
    - imap-commands.c, imap-handle.[ch], imap_search.c, imap_tst.c:
      simplifications by using libnetclient functions, removed some unused functions
    - imap-tls.c, imap_compress.[ch]: massive simplification
      as all “real” work is implemented in GIO via libnetclient
    - imap_private.h: modification of struct _ImapMboxHandle
      to use libnetclient stuff, and remove obsolete fields
    - util.c: simplified quoting function, removed unused unquoting
    In all modules, I replaced the mixture of debugging functions ([f]printf)
    by g_debug etc.
    
    Changes to libbalsa/*:
    - imap-server.c: cleaned up unused monitor cb, use unified security
      (from libnetclient) instead of separate ssl/tls settings
    - libbalsa.c: replace OpenSSL-based certificate functions
      by GTlsCertificate and GnuTLS (if GCR is not available,
      remember that GIO is based on GnuTLS)
    - misc.c: tiny improvement for assuring ~/.balsa
    - server.[ch]: use NetClientCryptMode instead of use_ssl and tls_mode;
      remove obsolete libbalsa_server_user_cb (replaced by libnetclient's signals);
      simplify libbalsa_server_check_cert
    - smtp-server.c: use changed server api
    
    Changes to libinit_balsa/*:
    - assistant_page_user.c: use changed server api
    
    Changes to src/*:
    - folder-conf.c: configure IMAP according to changed server api
      (note: widget (de)activation logic not yet fully functional)
    - src/mailbox-conf.[ch]: ditto, but with a working (de)activation logic
      (I think)
    - mailbox-node.c: use g_debug instead of printf
    - main.c: remove IMAP debug option (use G_MESSAGES_DEBUG, as always)
    - save-restore.c: remove obsolete item
    
    On the top-level:
    - the configure/meson checks for OpenSSL and ZLib have been removed
    
    Signed-off-by: Peter Bloomfield <PeterBloomfield bellsouth net>

 ChangeLog                              |  61 +++
 configure.ac                           |  16 -
 libbalsa/imap-server.c                 | 101 +----
 libbalsa/imap-server.h                 |   1 -
 libbalsa/imap/Makefile.am              |   4 +-
 libbalsa/imap/auth-cram.c              |  55 ++-
 libbalsa/imap/auth-gssapi.c            | 393 +++++-------------
 libbalsa/imap/imap-auth.c              | 154 ++++---
 libbalsa/imap/imap-auth.h              |   2 -
 libbalsa/imap/imap-commands.c          |  48 +--
 libbalsa/imap/imap-handle.c            | 689 +++++++++++--------------------
 libbalsa/imap/imap-handle.h            |  16 +-
 libbalsa/imap/imap-tls.c               | 357 +---------------
 libbalsa/imap/imap_compress.c          | 171 +-------
 libbalsa/imap/imap_compress.h          |  14 -
 libbalsa/imap/imap_private.h           |  41 +-
 libbalsa/imap/imap_search.c            |  28 +-
 libbalsa/imap/imap_tst.c               | 101 ++---
 libbalsa/imap/libimap.h                |   8 -
 libbalsa/imap/siobuf.c                 | 728 ---------------------------------
 libbalsa/imap/siobuf.h                 |  88 ----
 libbalsa/imap/util.c                   |  81 +---
 libbalsa/imap/util.h                   |   6 +-
 libbalsa/libbalsa.c                    | 395 +++++++++---------
 libbalsa/libbalsa.h                    |   6 +-
 libbalsa/misc.c                        |   4 +-
 libbalsa/send.c                        |   2 +-
 libbalsa/server.c                      | 260 +++---------
 libbalsa/server.h                      |  43 +-
 libbalsa/smtp-server.c                 |  22 +-
 libinit_balsa/assistant_page_user.c    |  20 +-
 libnetclient/Makefile.am               |   2 +
 libnetclient/meson.build               |   2 +
 libnetclient/net-client-pop.c          |  26 +-
 libnetclient/net-client-smtp.c         |  20 +-
 libnetclient/net-client-utils.c        |  25 +-
 libnetclient/net-client-utils.h        |  10 +
 libnetclient/net-client.c              | 100 ++++-
 libnetclient/net-client.h              |  56 ++-
 libnetclient/test/Makefile.am          |   5 +-
 libnetclient/test/echoserver.py        |  12 +-
 libnetclient/test/start-test-env.sh.in |   4 +-
 libnetclient/test/tests.c              | 193 ++++++++-
 meson.build                            |  37 --
 src/ab-window.c                        |   1 +
 src/folder-conf.c                      |  58 ++-
 src/mailbox-conf.c                     | 252 +++++-------
 src/mailbox-conf.h                     |  14 +-
 src/mailbox-node.c                     |   8 +-
 src/main.c                             |   2 -
 src/save-restore.c                     |   3 -
 51 files changed, 1496 insertions(+), 3249 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 1a83e730..3e59017c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,64 @@
+2018-06-05  Albrecht Dreß <albrecht dress arcor de>
+
+       IMAP goes GIO
+
+       Changes to libnetclient/*:
+       As I mentioned above, in the libnetclient library I added a module
+       which “simulates” the character-buffering methods of libbalsa/imap/siobuf.[hc].
+       Other improvements include:
+       - transparent compression (RFC 4978) support – which revealed a bug
+         in GIO sending crap when finalising the connection.
+         This is not really harmful, but may confuse a network-based IDS
+         (see <https://bugzilla.gnome.org/show_bug.cgi?id=795985>);
+       - helper function for wiping auth data with random chars
+         before freeing the string;
+       - improved unit tests.
+
+       Changes to libbalsa/imap/*:
+       - siobuf.[hc] are removed, siobuf-nc.h providing a “glue layer”
+         for libnetclient is added
+       - auth-cram.c, imap-auth.[ch]: partly re-written; uses libnetclient signals;
+         replace fixed-length strings by dynamically allocated glib strings
+         which is safer; simplifications by using libnetclient functions
+       - auth-gssapi.c: simplified by using libnetclient helpers;
+         glib strings as above
+       - imap-commands.c, imap-handle.[ch], imap_search.c, imap_tst.c:
+         simplifications by using libnetclient functions, removed some unused functions
+       - imap-tls.c, imap_compress.[ch]: massive simplification
+         as all “real” work is implemented in GIO via libnetclient
+       - imap_private.h: modification of struct _ImapMboxHandle
+         to use libnetclient stuff, and remove obsolete fields
+       - util.c: simplified quoting function, removed unused unquoting
+       In all modules, I replaced the mixture of debugging functions ([f]printf)
+       by g_debug etc.
+
+       Changes to libbalsa/*:
+       - imap-server.c: cleaned up unused monitor cb, use unified security
+         (from libnetclient) instead of separate ssl/tls settings
+       - libbalsa.c: replace OpenSSL-based certificate functions
+         by GTlsCertificate and GnuTLS (if GCR is not available,
+         remember that GIO is based on GnuTLS)
+       - misc.c: tiny improvement for assuring ~/.balsa
+       - server.[ch]: use NetClientCryptMode instead of use_ssl and tls_mode;
+         remove obsolete libbalsa_server_user_cb (replaced by libnetclient's signals);
+         simplify libbalsa_server_check_cert
+       - smtp-server.c: use changed server api
+
+       Changes to libinit_balsa/*:
+       - assistant_page_user.c: use changed server api
+
+       Changes to src/*:
+       - folder-conf.c: configure IMAP according to changed server api
+         (note: widget (de)activation logic not yet fully functional)
+       - src/mailbox-conf.[ch]: ditto, but with a working (de)activation logic
+         (I think)
+       - mailbox-node.c: use g_debug instead of printf
+       - main.c: remove IMAP debug option (use G_MESSAGES_DEBUG, as always)
+       - save-restore.c: remove obsolete item
+
+       On the top-level:
+       - the configure/meson checks for OpenSSL and ZLib have been removed
+
 2018-06-05  Peter Bloomfield  <pbloomfield bellsouth net>
 
        * libbalsa/address-book-rubrica.c (extract_net): Fix a typo that
diff --git a/configure.ac b/configure.ac
index 9b9bfea5..5c5fcba1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -233,9 +233,6 @@ dnl #####################################################################
 dnl 4. Libraries.
 dnl #####################################################################
 
-dnl Make sure ld finds zlib:
-LIBS="$LIBS -lz"
-
 PKG_CHECK_MODULES(BALSA, [
 glib-2.0 >= 2.56.0
 gtk+-4.0
@@ -451,18 +448,6 @@ else
     AC_MSG_RESULT([no])
 fi
 
-# OpenSSL configuration.
-#
-PKG_CHECK_MODULES(OPENSSL, [openssl],
-   [BALSA_CFLAGS="$OPENSSL_CFLAGS $BALSA_CFLAGS"
-    BALSA_LIBS="$OPENSSL_LIBS $BALSA_LIBS"],
-   [ AC_CHECK_HEADERS([openssl/ssl.h], [],
-                      [AC_MSG_ERROR([OpenSSL headers not found])], [])
-     AC_SEARCH_LIBS(SSL_library_init, ssl,
-                    [BALSA_LIBS="$BALSA_LIBS -lssl -lcrypto"],
-                    [AC_MSG_ERROR([libssl not found])], [-lcrypto]) ]
-)
-
 # KRB5/GSSAPI configuration.
 #
 if test "x$with_gss" != xno  ; then
@@ -626,7 +611,6 @@ AC_STDC_HEADERS
 
 AC_CHECK_DECLS([ctime_r], [], [], [[#include <time.h>]])
 AC_CHECK_FUNCS([ctime_r])
-AC_CHECK_HEADER([zlib.h],,AC_MSG_ERROR([zlib library required]))
 
 # more warnings.
 #
diff --git a/libbalsa/imap-server.c b/libbalsa/imap-server.c
index f6858ee9..86852ae9 100644
--- a/libbalsa/imap-server.c
+++ b/libbalsa/imap-server.c
@@ -42,8 +42,6 @@
 #include "imap-commands.h"
 #include <glib/gi18n.h>
 
-#define REQ_SSL(s) libbalsa_server_get_use_ssl(LIBBALSA_SERVER(s))
-
 /** wait 60 seconds for packets */
 #define IMAP_CMD_TIMEOUT (60*1000)
 
@@ -119,10 +117,12 @@ static void libbalsa_imap_server_set_username(LibBalsaServer * server,
         set_username(server, name);
 }
 static void
-libbalsa_imap_server_set_host(LibBalsaServer * server,
-                              const gchar * host, gboolean use_ssl)
+libbalsa_imap_server_set_host(LibBalsaServer     *server,
+                              const gchar        *host,
+                              NetClientCryptMode  security)
 {
-    if(libbalsa_server_get_username(server) && host) { /* we have been initialized... */
+    if (libbalsa_server_get_username(server) != NULL && host != NULL) {
+        /* we have been initialized... */
         LibBalsaImapServer *imap_server = LIBBALSA_IMAP_SERVER(server);
         g_mutex_lock(&imap_servers_lock);
         g_hash_table_steal(imap_servers, imap_server->key);
@@ -132,9 +132,11 @@ libbalsa_imap_server_set_host(LibBalsaServer * server,
         g_hash_table_insert(imap_servers, imap_server->key, imap_server);
         g_mutex_unlock(&imap_servers_lock);
     }
+
     LIBBALSA_SERVER_CLASS(libbalsa_imap_server_parent_class)->
-        set_host(server, host, use_ssl);
+        set_host(server, host, security);
 }
+
 static void
 libbalsa_imap_server_class_init(LibBalsaImapServerClass * klass)
 {
@@ -192,55 +194,6 @@ libbalsa_imap_server_finalize(GObject * object)
     G_OBJECT_CLASS(libbalsa_imap_server_parent_class)->finalize(object);
 }
 
-gint ImapDebug = 0;
-#define BALSA_TEST_IMAP 1
-
-static void
-monitor_cb(const char *buffer, int length, int direction, void *arg)
-{
-#if BALSA_TEST_IMAP
-  if (ImapDebug) {
-    const gchar *passwd = NULL;
-    int i;
-
-    if (direction) {
-      const gchar *login;
-      int login_length;
-
-      login = g_strstr_len(buffer, length, "LOGIN ");
-      if (login) {
-        login_length = 6;
-      } else {
-        login = g_strstr_len(buffer, length, "AUTHENTICATE PLAIN");
-        login_length = 18;
-      }
-
-      if (login) {
-        const gchar *user = login + login_length;
-        passwd = g_strstr_len(user, length - (user - buffer), " ");
-        if (passwd) {
-          int new_len = ++passwd - buffer;
-          if (new_len < length)
-            length = new_len;
-          else
-            passwd = NULL;
-        }
-      }
-    }
-
-    printf("IMAP %c: ", direction ? 'C' : 'S');
-    for (i = 0; i < length; i++)
-      putchar(buffer[i]);
-
-    if (passwd)
-      puts("(password hidden)");
-
-    fflush(NULL);
-  }
-#endif                          /* BALSA_TEST_IMAP */
-  if (direction)
-    ((struct handle_info *) arg)->last_used = time(NULL);
-}
 
 static void
 is_info_cb(ImapMboxHandle *h, ImapResponse rc, const gchar* str, void *arg)
@@ -275,7 +228,6 @@ lb_imap_server_info_new(LibBalsaServer *server)
 {
     ImapMboxHandle *handle;
     struct handle_info *info;
-    ImapTlsMode mode;
 
     /* We do not ask for password now since the authentication might
      * not require it. Instead, we handle authentication requiests in
@@ -285,16 +237,10 @@ lb_imap_server_info_new(LibBalsaServer *server)
     imap_handle_set_timeout(handle, IMAP_CMD_TIMEOUT);
     info = g_new0(struct handle_info, 1);
     info->handle = handle;
-    imap_handle_set_monitorcb(handle, monitor_cb, info);
     imap_handle_set_infocb(handle,    is_info_cb, server);
-    imap_handle_set_usercb(handle,    libbalsa_server_user_cb, server);
-    switch(libbalsa_server_get_tls_mode(server)) {
-    case LIBBALSA_TLS_DISABLED: mode = IMAP_TLS_DISABLED; break;
-    default:
-    case LIBBALSA_TLS_ENABLED : mode = IMAP_TLS_ENABLED;  break;
-    case LIBBALSA_TLS_REQUIRED: mode = IMAP_TLS_REQUIRED; break;
-    }
-    imap_handle_set_tls_mode(handle, mode);
+    imap_handle_set_authcb(handle, G_CALLBACK(libbalsa_server_get_auth), server);
+    imap_handle_set_certcb(handle, G_CALLBACK(libbalsa_server_check_cert));
+    imap_handle_set_tls_mode(handle, libbalsa_server_get_security(server));
     imap_handle_set_option(handle, IMAP_OPT_ANONYMOUS,
                            libbalsa_server_get_try_anonymous(server));
     imap_handle_set_option(handle, IMAP_OPT_CLIENT_SORT, TRUE);
@@ -318,7 +264,7 @@ lb_imap_server_info_free(struct handle_info *info)
 {
     g_assert(info != NULL);
 
-    imap_handle_force_disconnect(info->handle);
+    //imap_handle_force_disconnect(info->handle); -- FIXME unref'ing handle will disconnect?
     g_object_unref(info->handle);
     g_free(info);
 }
@@ -438,9 +384,10 @@ libbalsa_imap_server_new_from_config(void)
     LibBalsaImapServer *imap_server;
     LibBalsaServer *server;
     gboolean d, d1;
-    gint tls_mode, conn_limit;
+    gint conn_limit;
 
     host = libbalsa_conf_get_string("Server");
+g_print("%s host %s\n", G_STRFUNC, host);
     if(strrchr(host, ':') == NULL) {
         gint port;
         port = libbalsa_conf_get_int_with_default("Port", &d);
@@ -448,6 +395,7 @@ libbalsa_imap_server_new_from_config(void)
             gchar *newhost = g_strdup_printf("%s:%d", host, port);
             g_free(host);
             host = newhost;
+g_print("%s host from newhost %s\n", G_STRFUNC, host);
         }
     }
     user = libbalsa_conf_private_get_string("Username");
@@ -458,22 +406,15 @@ libbalsa_imap_server_new_from_config(void)
     server = LIBBALSA_SERVER(imap_server);
 
     if (libbalsa_server_get_username(server) == NULL) {
-        gboolean use_ssl;
-
         libbalsa_server_set_username(server, user);
-        use_ssl = libbalsa_conf_get_bool("SSL=false");
-        use_ssl = use_ssl || libbalsa_server_get_use_ssl(server);
-        libbalsa_server_set_host(server, host, use_ssl);
     }
     g_free(user);
     g_free(host);
 
     d1 = libbalsa_conf_get_bool_with_default("Anonymous", &d);
-    if(!d) libbalsa_server_set_try_anonymous(server, !!d1);
-
-    tls_mode = libbalsa_conf_get_int_with_default("TLSMode", &d);
-    if(!d) libbalsa_server_set_tls_mode(server, tls_mode);
-
+    if(!d)
+        libbalsa_server_set_try_anonymous(server, !!d1);
+    libbalsa_server_load_security_config(server);
     conn_limit = libbalsa_conf_get_int_with_default("ConnectionLimit", &d);
     if(!d) imap_server->max_connections = conn_limit;
     d1 = libbalsa_conf_get_bool_with_default("PersistentCache", &d);
@@ -648,8 +589,7 @@ libbalsa_imap_server_get_handle(LibBalsaImapServer *imap_server, GError **err)
         if(imap_mbox_is_disconnected(info->handle)) {
             ImapResult rc;
 
-            rc=imap_mbox_handle_connect(info->handle, libbalsa_server_get_host(server),
-                                        REQ_SSL(server));
+            rc=imap_mbox_handle_connect(info->handle, libbalsa_server_get_host(server));
             if(rc != IMAP_SUCCESS) {
                 handle_connection_error(rc, info, server, err);
                 g_mutex_unlock(&imap_server->lock);
@@ -746,8 +686,7 @@ libbalsa_imap_server_get_handle_with_user(LibBalsaImapServer *imap_server,
     if (imap_mbox_is_disconnected(info->handle)) {
         ImapResult rc;
 
-        rc=imap_mbox_handle_connect(info->handle, libbalsa_server_get_host(server),
-                                    REQ_SSL(server));
+        rc=imap_mbox_handle_connect(info->handle, libbalsa_server_get_host(server));
         if(rc != IMAP_SUCCESS) {
             handle_connection_error(rc, info, server, err);
             g_mutex_unlock(&imap_server->lock);
diff --git a/libbalsa/imap-server.h b/libbalsa/imap-server.h
index 9e4322e3..ef1d3f67 100644
--- a/libbalsa/imap-server.h
+++ b/libbalsa/imap-server.h
@@ -76,5 +76,4 @@ void     libbalsa_imap_server_set_use_idle(LibBalsaImapServer *server,
                                            gboolean            use_idle);
 gboolean libbalsa_imap_server_get_use_idle(LibBalsaImapServer *server);
 
-extern gint ImapDebug;
 #endif /* __IMAP_SERVER_H__ */
diff --git a/libbalsa/imap/Makefile.am b/libbalsa/imap/Makefile.am
index f379389c..7f3a7c79 100644
--- a/libbalsa/imap/Makefile.am
+++ b/libbalsa/imap/Makefile.am
@@ -33,8 +33,7 @@ libimap_a_SOURCES = \
        libimap-marshal.c       \
        libimap-marshal.h       \
        libimap.h       \
-       siobuf.c        \
-       siobuf.h        \
+       siobuf-nc.h     \
        util.c          \
        util.h
 
@@ -44,6 +43,7 @@ EXTRA_DIST = \
 AM_CPPFLAGS = -I${top_builddir} -I${top_srcdir} -I${top_srcdir}/libbalsa \
        -I${top_srcdir}/libnetclient \
        -I${top_srcdir}/libbalsa/imap \
+       -DG_LOG_DOMAIN=\"imap\" \
        $(BALSA_CFLAGS)
 
 AM_CFLAGS   = $(LIBIMAP_CFLAGS) -ansi
diff --git a/libbalsa/imap/auth-cram.c b/libbalsa/imap/auth-cram.c
index c56e11a6..980662a6 100644
--- a/libbalsa/imap/auth-cram.c
+++ b/libbalsa/imap/auth-cram.c
@@ -21,37 +21,30 @@
 
 /* IMAP login/authentication code */
 
-#include <stdio.h>
-#include <stdlib.h>
 #include <string.h>
-#include <glib.h>
 
 #include "imap-auth.h"
 #include "net-client-utils.h"
 
 #include "imap_private.h"
 
-#define LONG_STRING 1024
-
 /* imap_auth_cram_md5: AUTH=CRAM-MD5 support. */
 ImapResult
 imap_auth_cram(ImapMboxHandle* handle)
 {
-  char ibuf[LONG_STRING*2];
+  gchar *challenge;
   gchar *auth_buf;
   unsigned cmdno;
-  int rc, ok;
-  char *user = NULL, *pass = NULL;
+  int rc;
+  gchar **auth_data;
 
   if (!imap_mbox_handle_can_do(handle, IMCAP_ACRAM_MD5))
     return IMAP_AUTH_UNAVAIL;
 
-  ok = 0;
-  if(!ok && handle->user_cb)
-    handle->user_cb(IME_GET_USER_PASS, handle->user_arg, 
-                    "CRAM-MD5", &user, &pass, &ok);
-  if(!ok || user == NULL || pass == NULL) {
+  g_signal_emit_by_name(handle->sio, "auth", TRUE, &auth_data);
+  if((auth_data == NULL) || (auth_data[0] == NULL) || (auth_data[1] == NULL)) {
     imap_mbox_handle_set_msg(handle, "Authentication cancelled");
+       g_strfreev(auth_data);
     return IMAP_AUTH_CANCELLED;
   }
 
@@ -65,29 +58,29 @@ imap_auth_cram(ImapMboxHandle* handle)
    * primary host name of the server. The syntax of the unencoded form must
    * correspond to that of an RFC 822 'msg-id' [RFC822] as described in [POP3].
    */
-  imap_handle_flush(handle);
-  do
-    rc = imap_cmd_step(handle, cmdno);
-  while(rc == IMR_UNTAGGED);
+  rc = imap_cmd_process_untagged(handle, cmdno);
 
   if (rc != IMR_RESPOND) {
-    g_warning("cram-md5: unexpected response:\n");
+    g_warning("cram-md5: unexpected response: %d", rc);
     return IMAP_AUTH_FAILURE;
   }
-  imap_mbox_gets(handle, ibuf, sizeof(ibuf)); /* check error */
-  auth_buf = net_client_cram_calc(ibuf, G_CHECKSUM_MD5, user, pass);
-  g_free(user);
-  memset(pass, 0, strlen(pass));
-  g_free(pass);
+  challenge = net_client_siobuf_get_line(handle->sio, NULL);
+  if (challenge != NULL) {
+         auth_buf = net_client_cram_calc(challenge, G_CHECKSUM_MD5, auth_data[0], auth_data[1]);
+  } else {
+         auth_buf = NULL;
+  }
+  g_free(challenge);
+  net_client_free_authstr(auth_data[0]);
+  net_client_free_authstr(auth_data[1]);
+  g_free(auth_data);
+  if (auth_buf == NULL) {
+         return IMAP_AUTH_FAILURE;
+  }
 
-  imap_handle_write(handle, auth_buf, strlen(auth_buf));
-  imap_handle_write(handle, "\r\n", 2U);
-  imap_handle_flush(handle);
-  memset(auth_buf, 0, strlen(auth_buf));
-  g_free(auth_buf);
-  do
-    rc = imap_cmd_step (handle, cmdno);
-  while (rc == IMR_UNTAGGED);
+  net_client_write_line(NET_CLIENT(handle->sio), "%s", NULL, auth_buf);
+  net_client_free_authstr(auth_buf);
+  rc = imap_cmd_process_untagged(handle, cmdno);
 
   return rc == IMR_OK ? IMAP_SUCCESS : IMAP_AUTH_FAILURE;
 }
diff --git a/libbalsa/imap/auth-gssapi.c b/libbalsa/imap/auth-gssapi.c
index 480223cf..1c382d50 100644
--- a/libbalsa/imap/auth-gssapi.c
+++ b/libbalsa/imap/auth-gssapi.c
@@ -19,11 +19,6 @@
 /* IMAP login/authentication code, GSSAPI method, see RFC2222 and RFC2078 */
 
 #include "config.h"
-
-#define _XOPEN_SOURCE 500
-#include <stdio.h>
-#include <string.h>
-
 #include "imap-auth.h"
 
 #if defined(HAVE_GSSAPI)
@@ -34,304 +29,136 @@
 #endif
 
 #include "imap_private.h"
-#include "siobuf.h"
-#include "util.h"
-
-#define LONG_STRING 2048
+#include "siobuf-nc.h"
+#include "net-client-utils.h"
 
-enum {
-    GSSAPI_P_NONE      = 1 << 0,
-    GSSAPI_P_INTEGRITY = 1 << 1,
-    GSSAPI_P_PRIVACY   = 1 << 2
-};
 
-#define WAIT_FOR_PROMPT(rc,handle,cmdno, buf, len) \
-    do (rc) = imap_cmd_step((handle), (cmdno)); while((rc) == IMR_UNTAGGED);
-
-static gboolean ag_get_target(const char *host, gss_name_t *target_name);
-static OM_uint32 ag_get_token(gss_ctx_id_t *context, gss_name_t target,
-                              gss_buffer_t sec_token,
-                              char *client_token, ssize_t token_sz);
-static void ag_parse_request(ImapMboxHandle *handle, char *buf, ssize_t buf_sz,
-                             gss_buffer_desc *request);
-static gboolean ag_negotiate_parameters(ImapMboxHandle *handle,
-                                        const char *user, unsigned cmdno,
-                                        gss_ctx_id_t context, int *rc);
-
-/* imap_auth_gssapi: gssapi support. */
-ImapResult
-imap_auth_gssapi(ImapMboxHandle* handle)
+static gboolean
+imap_gss_auth_init(ImapMboxHandle* handle, NetClientGssCtx *gss_ctx, unsigned *cmdno, GError **error)
 {
-    static const char Gssapi_cmd[] = "AUTHENTICATE GSSAPI";
-    unsigned cmdno;
-    int rc, ok;
-    char *user = NULL;
-    OM_uint32 state, min_stat;
-    gss_ctx_id_t context;
-    gss_name_t target_name;
-    gss_buffer_t sec_token;
-    char client_token[LONG_STRING];
-    char request_buf[LONG_STRING];
-    gss_buffer_desc request;
-    int c;
-    gboolean sasl_ir;
-
-    if (!imap_mbox_handle_can_do(handle, IMCAP_AGSSAPI))
-        return IMAP_AUTH_UNAVAIL;
-    sasl_ir = imap_mbox_handle_can_do(handle, IMCAP_SASLIR);
+       gint state;
+       gchar *output_token;
+       ImapResponse rc;
+       gboolean result;
 
-    /* Acquire initial credentials. */
-    sec_token = GSS_C_NO_BUFFER;
-    context   = GSS_C_NO_CONTEXT;
-    
-    if( !ag_get_target(handle->host, &target_name)) {
-        imap_mbox_handle_set_msg(handle, "Could not get service name");
-        return IMAP_AUTH_UNAVAIL;
-    }
-
-    state = ag_get_token(&context, target_name, sec_token,
-                         client_token, sizeof(client_token));
-    if (state != GSS_S_COMPLETE && state != GSS_S_CONTINUE_NEEDED) {
-        imap_mbox_handle_set_msg(handle, "GSS ignored - no ticket.");
-        printf("GSSAPI: ignored - no ticket (%d).\n", state);
-        gss_release_name (&min_stat, &target_name);
-        return IMAP_AUTH_UNAVAIL;
-    }
-
-    /* get user name */
-    ok = 0;
-    if(!ok && handle->user_cb)
-        handle->user_cb(IME_GET_USER, handle->user_arg, 
-                        "GASSAPI", &user, &ok);
-    if(!ok || user == NULL) {
-        imap_mbox_handle_set_msg(handle, "Authentication cancelled");
-        return IMAP_AUTH_CANCELLED;
-    }
-    
-    /* start the negotiation */
-    if(sasl_ir) { /* save one RTT */
+       state = net_client_gss_auth_step(gss_ctx, NULL, &output_token, error);
+       if (state >= 0) {
         ImapCmdTag tag;
-        if(IMAP_MBOX_IS_DISCONNECTED(handle))
-            return IMAP_AUTH_UNAVAIL;
-        cmdno = imap_make_tag(tag);
-        sio_write(handle->sio, tag, strlen(tag));
-        sio_write(handle->sio, " ", 1);
-        sio_write(handle->sio, Gssapi_cmd, strlen(Gssapi_cmd));
-        sio_write(handle->sio, " ", 1);
-        sio_write(handle->sio, client_token, strlen(client_token));
-        sio_write(handle->sio, "\r\n", 2);
-    } else {
-        if(imap_cmd_start(handle, Gssapi_cmd, &cmdno) <0)
-            return IMAP_AUTH_FAILURE;
-        imap_handle_flush(handle);
-        
-        WAIT_FOR_PROMPT(rc,handle,cmdno, client_token,sizeof(client_token));
-        
-        if (rc != IMR_RESPOND) {
-            g_warning("gssapi: unexpected response.\n");
-            gss_release_name (&min_stat, &target_name);
-            return IMAP_AUTH_FAILURE;
-        }
-        while( (c=sio_getc((handle)->sio)) != EOF && c != '\n');
-        
-        /* now start the security context initialisation loop... */
-        sio_printf(handle->sio, "%s\r\n", client_token);
-    }
-    imap_handle_flush(handle);
-    
-    /* The negotiation loop as in  RFC2222 */
-    while(state == GSS_S_CONTINUE_NEEDED) {
-        WAIT_FOR_PROMPT(rc,handle,cmdno,client_token,sizeof(client_token));
-        if (rc != IMR_RESPOND) {
-            g_warning("gssapi: unexpected response in the loop.\n");
-            gss_release_name (&min_stat, &target_name);
-            return IMAP_AUTH_UNAVAIL;      
-        }
-
-        ag_parse_request(handle, request_buf, sizeof(request_buf), &request);
-        sec_token = &request;
-        
-        /* Respond to the challenge. */
-        state = ag_get_token(&context, target_name, sec_token,
-                             client_token, sizeof(client_token));
-        if (state != GSS_S_COMPLETE && state != GSS_S_CONTINUE_NEEDED) {
-            imap_mbox_handle_set_msg(handle,
-                                     "Error exchanging GSS credentials");
-            gss_release_name (&min_stat, &target_name);
-            goto negotiation_aborted;
-        }
-        sio_printf(handle->sio, "%s\r\n", client_token);
-        imap_handle_flush(handle);
-    }
-    
-    gss_release_name (&min_stat, &target_name);
-    
-    /* get security flags and buffer size */
-    WAIT_FOR_PROMPT(rc,handle,cmdno,client_token,sizeof(client_token));
-    if (rc != IMR_RESPOND) return IMAP_AUTH_UNAVAIL;
 
-    if(!ag_negotiate_parameters(handle, user, cmdno, context, &rc))
-        goto negotiation_aborted;
-
-    /* clean up. */
-    state = gss_delete_sec_context(&min_stat, &context, &request);
-    if (state != GSS_S_COMPLETE)
-        g_warning("gss_delete_sec_context() failed");
-    gss_release_buffer (&min_stat, &request);
-    return rc == IMR_OK ? IMAP_SUCCESS : IMAP_AUTH_UNAVAIL;
- negotiation_aborted:
-    sio_write(handle->sio, "*\r\n", 3); imap_handle_flush(handle);
-    WAIT_FOR_PROMPT(rc,handle,cmdno,client_token, sizeof(client_token));
-    return IMAP_AUTH_FAILURE;
+        *cmdno = imap_make_tag(tag);
+               if (imap_mbox_handle_can_do(handle, IMCAP_SASLIR)) {
+                       result = net_client_write_line(NET_CLIENT(handle->sio), "%s AUTHENTICATE GSSAPI %s", 
error, tag, output_token);
+               } else {
+                       result = net_client_write_line(NET_CLIENT(handle->sio), "%s AUTHENTICATE GSSAPI", 
error, tag);
+                       if (result) {
+                               rc = imap_cmd_process_untagged(handle, *cmdno);
+
+                               if (rc == IMR_RESPOND) {
+                                       net_client_siobuf_discard_line(handle->sio, NULL);
+                                       result = net_client_write_line(NET_CLIENT(handle->sio), "%s", error, 
output_token);
+                               } else {
+                                       result = FALSE;
+                               }
+                       }
+               }
+               g_free(output_token);
+       } else {
+               result = FALSE;
+       }
+
+       return result;
 }
 
-/* ag_get_target: get an IMAP service ticket name for the server */
 static gboolean
-ag_get_target(const char *host, gss_name_t *target_name)
+imap_gss_auth_loop(ImapMboxHandle* handle, NetClientGssCtx *gss_ctx, unsigned cmdno, GError **error)
 {
-    OM_uint32 maj_stat, min_stat;
-    gss_buffer_desc request;
-    char buf[LONG_STRING];
-    gss_OID mech_name;
-
-    snprintf (buf, sizeof (buf), "imap@%s", host);
-    request.value = buf;
-    request.length = strlen(buf) + 1;
-    maj_stat = gss_import_name(&min_stat, &request, GSS_C_NT_HOSTBASED_SERVICE,
-                               target_name);
-    if(maj_stat != GSS_S_COMPLETE)
-        return FALSE;
-    maj_stat = gss_display_name(&min_stat, *target_name, &request,
-                                &mech_name);
-    printf("GSSAPI: Using service name [%s]\n",(char*) request.value);
-    maj_stat = gss_release_buffer (&min_stat, &request);
-
-    return maj_stat == GSS_S_COMPLETE;
+    int rc;
+       gchar *input_token;
+       gint state = 0;
+       gboolean result;
+
+       do {
+               rc = imap_cmd_process_untagged(handle, cmdno);
+               result = FALSE;
+               if (rc == IMR_RESPOND) {
+                       input_token = net_client_siobuf_get_line(handle->sio, error);
+                       if (input_token != NULL) {
+                               result = TRUE;
+                       }
+               }
+
+               if (result) {
+                       gchar *output_token = NULL;
+
+                       if (state == 0) {
+                               state = net_client_gss_auth_step(gss_ctx, input_token, &output_token, error);
+                       } else {
+                               output_token = net_client_gss_auth_finish(gss_ctx, input_token, error);
+                               if (output_token == NULL) {
+                                       state = -1;
+                               } else {
+                                       state = 2;
+                               }
+                       }
+                       g_free(input_token);
+                       if (state >= 0) {
+                               result = net_client_write_line(NET_CLIENT(handle->sio), "%s", NULL, 
output_token);
+                       }
+                       g_free(output_token);
+               }
+       } while (result && (state != 2));
+
+       return result && (state == 2);
 }
 
-/* ag_get_token obtains next CLIENT_TOKEN as a response to SEC_TOKEN.
- */
-static OM_uint32
-ag_get_token(gss_ctx_id_t *context, gss_name_t target, gss_buffer_t sec_token,
-             char *client_token, ssize_t token_sz)
+/* imap_auth_gssapi: gssapi support. */
+ImapResult
+imap_auth_gssapi(ImapMboxHandle* handle)
 {
-    OM_uint32 state, min_stat;
-    gss_buffer_desc send_token;
-    unsigned cflags;
-    gint outlen;
-    gint b64state = 0;
-    gint b64save = 0;
+    NetClientGssCtx *gss_ctx;
+    GError *error = NULL;
+    ImapResult retval;
 
-    *client_token = '\0';
-    state = gss_init_sec_context
-        (&min_stat, GSS_C_NO_CREDENTIAL, context,
-         target, GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, 0, 
-         GSS_C_NO_CHANNEL_BINDINGS, sec_token, NULL, &send_token,
-         &cflags, NULL);
-
-    if (state != GSS_S_COMPLETE && state != GSS_S_CONTINUE_NEEDED)
-        return state;
-
-    outlen = g_base64_encode_step(send_token.value, send_token.length, FALSE,
-                                  client_token, &b64state, &b64save);
-    outlen += g_base64_encode_close(FALSE, client_token + outlen, &b64state, &b64save);
-    gss_release_buffer(&min_stat, &send_token);
-    return state;
-}
-
-static void
-ag_parse_request(ImapMboxHandle *handle, char *buf, ssize_t buf_sz,
-                 gss_buffer_desc *request)
-{
-    char line[LONG_STRING];
-    gint b64state = 0;
-    guint b64save = 0;
+    if (!imap_mbox_handle_can_do(handle, IMCAP_AGSSAPI)) {
+        return IMAP_AUTH_UNAVAIL;
+    }
 
-    sio_gets(handle->sio, line, LONG_STRING); /* FIXME: error checking */
-    request->length =
-        g_base64_decode_step(line, strlen(line), (guchar *) buf, &b64state, &b64save);
-    request->value = buf;
-}
+    /* try to create the context */
+    gss_ctx = net_client_gss_ctx_new("imap", handle->host, "test", &error);
+    if (gss_ctx == NULL) {
+       retval = IMAP_AUTH_UNAVAIL;
+    } else {
+       gboolean result;
+        unsigned cmdno;
+        int rc;
+
+       result = imap_gss_auth_init(handle, gss_ctx, &cmdno, &error);
+       if (result) {
+               result = imap_gss_auth_loop(handle, gss_ctx, cmdno, &error);
+               if (!result) {
+                       /* cancel the auth process */
+                       (void) net_client_write_line(NET_CLIENT(handle->sio), "*", NULL);
+               }
+               rc = imap_cmd_process_untagged(handle, cmdno);
+       }
+
+               net_client_gss_ctx_free(gss_ctx);
+               retval = (result && (rc == IMR_OK)) ? IMAP_SUCCESS : IMAP_AUTH_UNAVAIL;
+    }
 
-/* ag_negotiate_parameters() implements the final phase, establishes
-   the security levels and attempts to set the user whose mailboxes
-   are to be accessed.
-*/
-static gboolean
-ag_negotiate_parameters(ImapMboxHandle *handle, const char * user,
-                        unsigned cmdno, gss_ctx_id_t context, int *rc)
-{
-    OM_uint32 state, min_stat;
-    gss_buffer_desc request_buf, send_token;
-    char buf[LONG_STRING];
-    gss_qop_t quality;
-    int cflags;
-    char server_conf_flags;
-    unsigned char *t;
-    unsigned long buf_size;
-    gint outlen;
-    gint b64state = 0;
-    gint b64save = 0;
+    if (error != NULL) {
+        gchar *err_msg;
 
-    ag_parse_request(handle, buf, sizeof(buf), &request_buf);
-    state = gss_unwrap(&min_stat, context, &request_buf, &send_token,
-                       &cflags, &quality);
-    if (state != GSS_S_COMPLETE) {
-        imap_mbox_handle_set_msg(handle,
-                                 "Could not unwrap security level data");
-        gss_release_buffer (&min_stat, &send_token);
-        return FALSE;
-    }
-    
-    /* first octet is security levels supported. We want NONE */
-    server_conf_flags = *((char*) send_token.value);
-    if ( !(server_conf_flags & GSSAPI_P_NONE) ) {
-        imap_mbox_handle_set_msg(handle,
-                                 "Server requires integrity or privacy");
-        gss_release_buffer (&min_stat, &send_token);
-        return FALSE;
+       g_message("%s: %s", __func__, error->message);
+       err_msg = g_strdup_printf("GSSAPI auth failed: %s", error->message);
+       imap_mbox_handle_set_msg(handle, err_msg);
+       g_free(err_msg);
+       g_error_free(error);
     }
-    
-    /* we don't care about buffer size if we don't wrap content. But
-     * here it is */
-    t = send_token.value;
-    buf_size = (t[1] << 16) | (t[2]<<8) | t[3];
-    gss_release_buffer (&min_stat, &send_token);
-    printf("GSSAPI: Security level flags: %c%c%c\n",
-           server_conf_flags & GSSAPI_P_NONE      ? 'N' : '-',
-           server_conf_flags & GSSAPI_P_INTEGRITY ? 'I' : '-',
-           server_conf_flags & GSSAPI_P_PRIVACY   ? 'P' : '-');
-    printf("GSSAPI: Maximum GSS token size is %lu\n", buf_size);
-    
-    /* Set P_NONE and accept the buf_size. */
-    buf[0] = GSSAPI_P_NONE;
-    buf[1] = (buf_size >> 16) & 0xff;
-    buf[2] = (buf_size >> 8)  & 0xff;
-    buf[3] = (buf_size)       & 0xff;
-    strncpy (buf + 4, user, sizeof(buf)-4);
-    request_buf.value = buf;
-    request_buf.length = 4 + strlen(user) + 1;
-    state = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT,
-                     &request_buf, &cflags, &send_token);
-    if (state != GSS_S_COMPLETE) {
-        imap_mbox_handle_set_msg(handle, "Error creating login request");
-        return FALSE;
-    }
-    
-    outlen = g_base64_encode_step(send_token.value,
-                                  MIN(send_token.length, ((sizeof buf - 1) / 4 - 1) * 3),
-                                  FALSE, buf, &b64state, &b64save);
-    outlen += g_base64_encode_close(FALSE, buf + outlen, &b64state, &b64save);
-    buf[outlen] = '\0';
-    sio_printf(handle->sio, "%s\r\n", buf); imap_handle_flush(handle);
-    WAIT_FOR_PROMPT(*rc,handle,cmdno,buf,sizeof(buf));
-    if (*rc == IMR_RESPOND)
-        return FALSE;
 
-    return TRUE; /* the negotiation was successful but if we got rc ==
-                    IMR_NO, the user was not allowed to access the
-                    mailbox. */
+    return retval;
 }
+
 #else /* defined(HAVE_GSSAPI) */
 
 ImapResult
diff --git a/libbalsa/imap/imap-auth.c b/libbalsa/imap/imap-auth.c
index adaa7d47..febc0859 100644
--- a/libbalsa/imap/imap-auth.c
+++ b/libbalsa/imap/imap-auth.c
@@ -27,10 +27,14 @@
 #include "imap-auth.h"
 #include "util.h"
 #include "imap_private.h"
-#include "siobuf.h"
+#include "siobuf-nc.h"
+#include "net-client-utils.h"
 
 static ImapResult imap_auth_anonymous(ImapMboxHandle* handle);
 static ImapResult imap_auth_plain(ImapMboxHandle* handle);
+static ImapResult imap_auth_login(ImapMboxHandle* handle);
+
+typedef ImapResult (*ImapAuthenticator)(ImapMboxHandle* handle);
 
 /* ordered from strongest to weakest. Auth anonymous does not really
  * belong here, does it? */
@@ -70,49 +74,59 @@ imap_authenticate(ImapMboxHandle* handle)
 /* =================================================================== */
 /*                           AUTHENTICATORS                            */
 /* =================================================================== */
-#define SHORT_STRING 64
 /* imap_auth_login: Plain LOGIN support */
-ImapResult
+static ImapResult
 imap_auth_login(ImapMboxHandle* handle)
 {
-  char q_user[SHORT_STRING], q_pass[SHORT_STRING];
-  char buf[2*SHORT_STRING+7];
-  char *user = NULL, *pass = NULL;
-  ImapResponse rc;
-  int ok;
+  gchar **auth_data;
+  ImapResult result;
   
   if (imap_mbox_handle_can_do(handle, IMCAP_LOGINDISABLED))
     return IMAP_AUTH_UNAVAIL;
   
-  ok = 0;
-  if(!ok && handle->user_cb)
-    handle->user_cb(IME_GET_USER_PASS, handle->user_arg,
-                    "LOGIN", &user, &pass, &ok);
-  if(!ok || user == NULL || pass == NULL) {
+  g_signal_emit_by_name(handle->sio, "auth", TRUE, &auth_data);
+  if((auth_data == NULL) || (auth_data[0] == NULL) || (auth_data[1] == NULL)) {
     imap_mbox_handle_set_msg(handle, "Authentication cancelled");
+       g_strfreev(auth_data);
     return IMAP_AUTH_CANCELLED;
   }
 
-  imap_quote_string(q_user, sizeof (q_user), user);
-  imap_quote_string(q_pass, sizeof (q_pass), pass);
-  g_free(user); g_free(pass); /* FIXME: clean passwd first */
-  g_snprintf (buf, sizeof (buf), "LOGIN %s %s", q_user, q_pass);
-  rc = imap_cmd_exec(handle, buf);
-  return  (rc== IMR_OK) ?  IMAP_SUCCESS : IMAP_AUTH_FAILURE;
+  /* RFC 6855, Sect. 5, explicitly forbids UTF-8 usernames or passwords */
+  if (!g_str_is_ascii(auth_data[0]) || !g_str_is_ascii(auth_data[1])) {
+         imap_mbox_handle_set_msg(handle, "Cannot LOGIN with UTF-8 username or password");
+         result = IMAP_AUTH_CANCELLED;
+  } else {
+         gchar *q_user;
+         gchar *q_pass;
+         gchar *buf;
+         ImapResponse rc;
+
+         q_user = imap_quote_string(auth_data[0]);
+         q_pass = imap_quote_string(auth_data[1]);
+         buf = g_strjoin(" ", "LOGIN", q_user, q_pass, NULL);
+         net_client_free_authstr(q_user);
+         net_client_free_authstr(q_pass);
+         rc = imap_cmd_exec(handle, buf);
+         net_client_free_authstr(buf);
+
+         result = (rc == IMR_OK) ? IMAP_SUCCESS : IMAP_AUTH_FAILURE;
+  }
+
+  net_client_free_authstr(auth_data[0]);
+  net_client_free_authstr(auth_data[1]);
+  g_free(auth_data);
+  return result;
 }
 
 /* =================================================================== */
 /* SASL PLAIN RFC-2595                                                 */
 /* =================================================================== */
-#define WAIT_FOR_PROMPT(rc,handle,cmdno) \
-    do (rc) = imap_cmd_step((handle), (cmdno)); while((rc) == IMR_UNTAGGED);
-
 static ImapResult
 imap_auth_sasl(ImapMboxHandle* handle, ImapCapability cap,
               const char *sasl_cmd,
               gboolean (*getmsg)(ImapMboxHandle *h, char **msg, int *msglen))
 {
-  char *msg = NULL, *msg64;
+  char *msg64;
   ImapResponse rc;
   int msglen;
   unsigned cmdno;
@@ -122,77 +136,56 @@ imap_auth_sasl(ImapMboxHandle* handle, ImapCapability cap,
     return IMAP_AUTH_UNAVAIL;
   sasl_ir = imap_mbox_handle_can_do(handle, IMCAP_SASLIR);
   
-  if(!getmsg(handle, &msg, &msglen)) {
+  if(!getmsg(handle, &msg64, &msglen)) {
     imap_mbox_handle_set_msg(handle, "Authentication cancelled");
     return IMAP_AUTH_CANCELLED;
   }
   
-  msg64 = g_base64_encode((const guchar *) msg, msglen);
-  g_free(msg);
-
   if(sasl_ir) { /* save one RTT */
     ImapCmdTag tag;
     if(IMAP_MBOX_IS_DISCONNECTED(handle))
       return IMAP_AUTH_UNAVAIL;
     cmdno = imap_make_tag(tag);
-    sio_write(handle->sio, tag, strlen(tag));
-    sio_write(handle->sio, " ", 1);
-    sio_write(handle->sio, sasl_cmd, strlen(sasl_cmd));
-    sio_write(handle->sio, " ", 1);
+    net_client_write_line(NET_CLIENT(handle->sio), "%s %s %s",
+       NULL, tag, sasl_cmd, msg64);
   } else {
-    int c;
     if(imap_cmd_start(handle, sasl_cmd, &cmdno) <0) {
-      g_free(msg64);
+      net_client_free_authstr(msg64);
       return IMAP_AUTH_FAILURE;
     }
-    imap_handle_flush(handle);
-    WAIT_FOR_PROMPT(rc,handle,cmdno);
+    rc = imap_cmd_process_untagged(handle, cmdno);
     
     if (rc != IMR_RESPOND) {
-      g_warning("imap %s: unexpected response.\n", sasl_cmd);
-      g_free(msg64);
-      return IMAP_AUTH_FAILURE;
-    }
-    while( (c=sio_getc((handle)->sio)) != EOF && c != '\n');
-    if(c == EOF) {
-      imap_handle_disconnect(handle);
-      g_free(msg64);
+      g_warning("imap %s: unexpected response.", sasl_cmd);
+      net_client_free_authstr(msg64);
       return IMAP_AUTH_FAILURE;
     }
+    net_client_siobuf_discard_line(handle->sio, NULL);
+    net_client_write_line(NET_CLIENT(handle->sio), "%s", NULL, msg64);
   }
-  sio_write(handle->sio, msg64, strlen(msg64));
-  sio_write(handle->sio, "\r\n", 2);
-  g_free(msg64);
-  imap_handle_flush(handle);
-  do
-    rc = imap_cmd_step (handle, cmdno);
-  while (rc == IMR_UNTAGGED);
+  net_client_free_authstr(msg64);
+  rc = imap_cmd_process_untagged(handle, cmdno);
   return  (rc== IMR_OK) ?  IMAP_SUCCESS : IMAP_AUTH_FAILURE;
 }
 
 static gboolean
 getmsg_plain(ImapMboxHandle *h, char **retmsg, int *retmsglen)
 {
-  char *user = NULL, *pass = NULL, *msg;
-  int ok, userlen, passlen, msglen;
-  ok = 0;
-  if(!ok && h->user_cb)
-    h->user_cb(IME_GET_USER_PASS, h->user_arg,
-                    "LOGIN", &user, &pass, &ok);
-  if(!ok || user == NULL || pass == NULL)
-    return 0;
-
-  userlen = strlen(user);
-  passlen = strlen(pass);
-  msglen  = 2*userlen + passlen + 2;
-  msg     = g_malloc(msglen+1);
-  strcpy(msg, user); 
-  strcpy(msg+userlen+1, user);
-  strcpy(msg+userlen*2+2, pass); 
-  g_free(user); g_free(pass);
-  *retmsg = msg;
-  *retmsglen = msglen;
-  return 1;
+       gchar **auth_data;
+       gboolean result;
+
+       g_signal_emit_by_name(h->sio, "auth", TRUE, &auth_data);
+       if ((auth_data == NULL) || (auth_data[0] == NULL) || (auth_data[1] == NULL)) {
+               result = FALSE;
+       } else {
+               *retmsg = net_client_auth_plain_calc(auth_data[0], auth_data[1]);
+               *retmsglen = strlen(*retmsg);
+               result = TRUE;
+       }
+       net_client_free_authstr(auth_data[0]);
+       net_client_free_authstr(auth_data[1]);
+       g_free(auth_data);
+       return result;
 }
 
 static ImapResult
@@ -209,14 +202,19 @@ imap_auth_plain(ImapMboxHandle* handle)
 static gboolean
 getmsg_anonymous(ImapMboxHandle *h, char **retmsg, int *retmsglen)
 {
-  int ok = 0;
-  if(!ok && h->user_cb)
-    h->user_cb(IME_GET_USER, h->user_arg,
-              "ANONYMOUS", retmsg, &ok);
-  if(!ok || *retmsg == NULL)
-    return 0;
-  *retmsglen = strlen(*retmsg);
-  return 1;
+       gchar **auth_data;
+       gboolean result;
+
+       g_signal_emit_by_name(h->sio, "auth", FALSE, &auth_data);
+       if((auth_data == NULL) || (auth_data[0] == NULL)) {
+               result = FALSE;
+       } else {
+               *retmsg = g_base64_encode((const guchar *) auth_data[0], strlen(auth_data[0]));
+               *retmsglen = strlen(*retmsg);
+               result = TRUE;
+       }
+       g_strfreev(auth_data);
+       return result;
 }
 
 static ImapResult
diff --git a/libbalsa/imap/imap-auth.h b/libbalsa/imap/imap-auth.h
index f8923a49..19bf2de4 100644
--- a/libbalsa/imap/imap-auth.h
+++ b/libbalsa/imap/imap-auth.h
@@ -20,10 +20,8 @@
 #include "libimap.h"
 #include "imap-handle.h"
 
-typedef ImapResult (*ImapAuthenticator)(ImapMboxHandle* handle);
 ImapResult imap_authenticate(ImapMboxHandle* handle);
 ImapResult imap_auth_cram(ImapMboxHandle* handle);
-ImapResult imap_auth_login(ImapMboxHandle* handle);
 ImapResult imap_auth_gssapi(ImapMboxHandle* handle);
 
 #endif
diff --git a/libbalsa/imap/imap-commands.c b/libbalsa/imap/imap-commands.c
index b5efb468..5a73defe 100644
--- a/libbalsa/imap/imap-commands.c
+++ b/libbalsa/imap/imap-commands.c
@@ -23,7 +23,7 @@
 #include "imap-handle.h"
 #include "imap-commands.h"
 #include "imap_private.h"
-#include "siobuf.h"
+#include "siobuf-nc.h"
 #include "util.h"
 
 #define ELEMENTS(x) (sizeof (x) / sizeof(x[0]))
@@ -122,7 +122,7 @@ imap_check_capability(ImapMboxHandle* handle)
 
   if (!(imap_mbox_handle_can_do(handle, IMCAP_IMAP4) ||
         imap_mbox_handle_can_do(handle, IMCAP_IMAP4REV1))) {
-    g_warning("IMAP4rev1 required but not provided.\n");
+    g_warning("IMAP4rev1 required but not provided.");
     return FALSE;
   }  
   return TRUE;
@@ -495,11 +495,8 @@ append_commit(ImapMboxHandle *handle, unsigned cmdno, ImapSequence *uid_seq)
     handle->uidplus.dst = uid_seq->ranges;
     handle->uidplus.store_response = 1;
   }
-  sio_write(handle->sio, "\r\n", 2);
-  sio_flush(handle->sio);
-  do {
-    rc = imap_cmd_step (handle, cmdno);
-  } while (rc == IMR_UNTAGGED);
+  net_client_siobuf_flush(handle->sio, NULL);
+  rc = imap_cmd_process_untagged(handle, cmdno);
 
   if(uid_seq) {
     if(uid_seq->uid_validity == 0) {
@@ -579,27 +576,21 @@ imap_mbox_append_multi_real(ImapMboxHandle *handle,
       /* MULTIAPPEND continuation */
       if(flags) {
        gchar *str = enum_flag_to_str(flags);
-       sio_printf(handle->sio, " (%s) {%lu%s}\r\n", str,
+       sio_printf(handle->sio, " (%s) {%lu%s}", str,
                   (unsigned long)msg_size, litstr);
        g_free(str);
       } else 
-       sio_printf(handle->sio, " {%lu%s}\r\n",
+       sio_printf(handle->sio, " {%lu%s}",
                   (unsigned long)msg_size, litstr);
     }
 
     if(use_literal)
       rc = IMR_RESPOND; /* we do it without flushing */
     else {
-      sio_flush(handle->sio);
-      do {
-       rc = imap_cmd_step (handle, cmdno);
-      } while (rc == IMR_UNTAGGED);
+       net_client_siobuf_flush(handle->sio, NULL);
+       rc = imap_cmd_process_untagged(handle, cmdno);
       if(rc != IMR_RESPOND) return rc;
-      EAT_LINE(handle, c);
-      if(c == -1) {
-       imap_handle_disconnect(handle);
-       return IMR_SEVERED;
-      }
+      net_client_siobuf_discard_line(handle->sio, NULL);
     }
 
     for(s=0; s<msg_size; s+= delta) {
@@ -940,12 +931,9 @@ imap_assure_needed_flags(ImapMboxHandle *h, ImapMsgFlag needed_flags)
     }
   }
   if(cmd) { /* was ever altered */
-    sio_flush(h->sio);
     for(i=0; i<issued_cmd; i++) {
       h->search_arg = &flag[i];
-      do {
-        rc = imap_cmd_step(h, cmdno[i]);
-      } while (rc == IMR_UNTAGGED);
+      rc = imap_cmd_process_untagged(h, cmdno[i]);
     }
     imap_handle_idle_enable(h, 30);
   }
@@ -1040,7 +1028,7 @@ set_avail_headers(ImapMboxHandle *h, const char *seq, ImapFetchType ift)
         }
       
       break;
-    default: g_warning("unexpected sequence %s\n", seq);
+    default: g_warning("unexpected sequence %s", seq);
     }
     if(*tmp==',') tmp++;
     s = tmp;
@@ -1681,11 +1669,8 @@ imap_mbox_thread(ImapMboxHandle *h, const char *how, ImapSearchKey *filter)
         return rc;
     }
 
-    sio_write(h->sio, "\r\n", 2);
-    imap_handle_flush(h);
-    do
-      rc = imap_cmd_step(h, cmdno);
-    while(rc == IMR_UNTAGGED);
+    net_client_siobuf_flush(h->sio, NULL);
+    rc = imap_cmd_process_untagged(h, cmdno);
     imap_handle_idle_enable(h, 30);
   }
  exit_cleanup:
@@ -1998,12 +1983,9 @@ imap_mbox_sort_filter(ImapMboxHandle *handle, ImapSortKey key, int ascending,
             != IMR_OK)
           return rc;
       }
-      sio_write(handle->sio, "\r\n", 2);
       imap_handle_idle_enable(handle, 30);
-      imap_handle_flush(handle);
-      do
-        rc = imap_cmd_step(handle, cmdno);
-      while(rc == IMR_UNTAGGED);
+      net_client_siobuf_flush(handle->sio, NULL);
+      rc = imap_cmd_process_untagged(handle, cmdno);
     } else {                                           /* CASE 2b */
       /* try client-side sorting... */
       if(handle->enable_client_sort) {
diff --git a/libbalsa/imap/imap-handle.c b/libbalsa/imap/imap-handle.c
index bbf6d76f..b9f6cbc3 100644
--- a/libbalsa/imap/imap-handle.c
+++ b/libbalsa/imap/imap-handle.c
@@ -20,9 +20,6 @@
 #define _XOPEN_SOURCE 500
 #define _DEFAULT_SOURCE     1
 
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
 #include <glib.h>
 #include <glib-object.h>
 #include <ctype.h>
@@ -34,25 +31,14 @@
 #include <unistd.h>
 #include <gmime/gmime-utils.h>
 
-#if defined(HAVE_RES_INIT)
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#endif                          /* defined(HAVE_RES_INIT) */
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-
 #include "libimap-marshal.h"
 #include "imap-auth.h"
 #include "imap-handle.h"
 #include "imap-commands.h"
 #include "imap_private.h"
-#include "siobuf.h"
+#include "siobuf-nc.h"
 #include "util.h"
 
-#define ASYNC_DEBUG 0
-
 #define LONG_STRING 512
 #define ELEMENTS(x) (sizeof (x) / sizeof(x[0]))
 
@@ -107,6 +93,10 @@ static ImapResponse ir_handle_response(ImapMboxHandle *h);
 static ImapAddress* imap_address_from_string(const gchar *string, gchar **n);
 static gchar*       imap_address_to_string(const ImapAddress *addr);
 
+static gboolean async_process(GSocket      *source,
+                                                         GIOCondition  condition,
+                                                         gpointer      data);
+
 static GType
 imap_mbox_handle_get_type()
 {
@@ -145,8 +135,7 @@ imap_mbox_handle_init(ImapMboxHandle *handle)
   handle->msg_cache = NULL;
   handle->flag_cache=  g_array_new(FALSE, TRUE, sizeof(ImapFlagCache));
   handle->doing_logout = FALSE;
-  handle->using_tls = 0;
-  handle->tls_mode = IMAP_TLS_ENABLED;
+  handle->tls_mode = NET_CLIENT_CRYPT_STARTTLS;
   handle->idle_state = IDLE_INACTIVE;
   handle->cmd_info = NULL;
   handle->status_resps = g_hash_table_new_full(g_str_hash, g_str_equal,
@@ -154,6 +143,9 @@ imap_mbox_handle_init(ImapMboxHandle *handle)
 
   handle->info_cb  = NULL;
   handle->info_arg = NULL;
+  handle->auth_cb = NULL;
+  handle->auth_arg = NULL;
+  handle->cert_cb = NULL;
   handle->op_cancelled = 0;
   handle->enable_anonymous = 0;
   handle->enable_client_sort = 0;
@@ -234,7 +226,7 @@ imap_handle_set_option(ImapMboxHandle *h, ImapOption opt, gboolean state)
   case IMAP_OPT_CLIENT_SORT: h->enable_client_sort = !!state; break;
   case IMAP_OPT_COMPRESS:    h->enable_compress    = !!state; break;
   case IMAP_OPT_IDLE:        h->enable_idle        = !!state; break;
-  default: g_warning("imap_set_option: invalid option\n");
+  default: g_warning("imap_set_option: invalid option");
   }
 }
 
@@ -246,17 +238,16 @@ imap_handle_set_infocb(ImapMboxHandle* h, ImapInfoCb cb, void *arg)
 }
 
 void
-imap_handle_set_usercb(ImapMboxHandle* h, ImapUserCb cb, void *arg)
+imap_handle_set_authcb(ImapMboxHandle* h, GCallback cb, void *arg)
 {
-  h->user_cb  = cb;
-  h->user_arg = arg;
+       h->auth_cb  = cb;
+       h->auth_arg = arg;
 }
 
 void
-imap_handle_set_monitorcb(ImapMboxHandle* h, ImapMonitorCb cb, void*arg)
+imap_handle_set_certcb(ImapMboxHandle* h, GCallback cb)
 {
-  h->monitor_cb  = cb;
-  h->monitor_arg = arg;
+       h->cert_cb  = cb;
 }
 
 void
@@ -329,63 +320,83 @@ imap_handle_set_timeout(ImapMboxHandle *h, int milliseconds)
   int old_timeout = h->timeout;
   h->timeout = milliseconds;
   if(h->sio)
-    sio_set_timeout(h->sio, milliseconds);
+    net_client_set_timeout(NET_CLIENT(h->sio), (milliseconds + 500) / 1000);
   return old_timeout;
 }
 
+/* Called with a locked handle. */
+static void
+socket_source_add(ImapMboxHandle *h)
+{
+       if (h->sock_source == NULL) {
+           h->sock_source = g_socket_create_source(net_client_get_socket(NET_CLIENT(h->sio)), 
G_IO_IN|G_IO_HUP, NULL);
+           g_source_set_callback(h->sock_source, (GSourceFunc) async_process, h, NULL);
+           g_source_attach(h->sock_source, NULL);
+           g_debug("async_process() registered");
+       }
+}
+
+/* Called with a locked handle. */
+static void
+socket_source_remove(ImapMboxHandle *h)
+{
+       if (h->sock_source != NULL) {
+               g_source_destroy(h->sock_source);
+               g_source_unref(h->sock_source);
+               h->sock_source = NULL;
+           g_debug("async_process() removed");
+       }
+}
+
+
 /** Called with a locked handle. */
 static gboolean
 async_process_real(ImapMboxHandle *h)
 {
-  ImapResponse rc = IMR_UNTAGGED;
-  unsigned async_cmd;
-  int retval;
-
-  async_cmd = cmdi_get_pending(h->cmd_info);
-  if(ASYNC_DEBUG) printf("async_process() enter loop\n");
-  while( (retval = sio_poll(h->sio, TRUE, FALSE, TRUE)) != -1 &&
-         (retval & SIO_READ) != 0) {
-    rc=imap_cmd_step(h, async_cmd);
-    if(h->idle_state == IDLE_RESPONSE_PENDING) {
-      int c;
-      if(rc != IMR_RESPOND) {
-       g_message("async_process_real() expected IMR_RESPOND but got %d\n", rc);
-       imap_handle_disconnect(h);
-       return FALSE;
-      }
-      EAT_LINE(h, c);
-      if (c == '\n') {
-       h->idle_state = IDLE_ACTIVE;
-       if (ASYNC_DEBUG) printf("IDLE is now ACTIVE\n");
-      }
-    } else if (rc == IMR_UNKNOWN ||
-       rc == IMR_SEVERED || rc == IMR_BYE || rc == IMR_PROTOCOL ||
-       rc  == IMR_BAD) {
-      printf("async_process() got unexpected response %i!\n"
-             "Last message was: \"%s\" - shutting down connection.\n",
-             rc, h->last_msg);
-      imap_handle_disconnect(h);
-      return FALSE;
-    }
-    async_cmd = cmdi_get_pending(h->cmd_info);
-    if(ASYNC_DEBUG)
-      printf("async_process() loop iteration finished, next async_cmd=%x\n",
-           async_cmd);
-  }
-  if(ASYNC_DEBUG) printf("async_process() loop left\n");
-  if(h->idle_state == IDLE_INACTIVE && async_cmd == 0) {
-    if(ASYNC_DEBUG) printf("Last async command completed.\n");
-    if(h->async_watch_id) {
-      g_source_remove(h->async_watch_id);
-      h->async_watch_id = 0;
-    }
-    imap_handle_idle_enable(h, IDLE_TIMEOUT);
-  }
-  if(ASYNC_DEBUG)
-    printf("async_process() sio: %d rc: %d returns %d (%d cmds in queue)\n",
-           retval, rc, h->idle_state == IDLE_INACTIVE && async_cmd == 0,
-           g_list_length(h->cmd_info));
-  return h->idle_state != IDLE_INACTIVE || async_cmd != 0;
+       ImapResponse rc = IMR_UNTAGGED;
+       unsigned async_cmd;
+
+       g_debug("%s: ENTER", __func__);
+       async_cmd = cmdi_get_pending(h->cmd_info);
+       g_debug("%s: enter loop, cmnd %u", __func__, async_cmd);
+       while (net_client_can_read(NET_CLIENT(h->sio))) {
+               rc = imap_cmd_step(h, async_cmd);
+               if (h->idle_state == IDLE_RESPONSE_PENDING) {
+                       int c;
+                       if(rc != IMR_RESPOND) {
+                               g_message("%s: expected IMR_RESPOND but got %d", __func__, rc);
+                               imap_handle_disconnect(h);
+                               return G_SOURCE_REMOVE;
+                       }
+                       EAT_LINE(h, c);
+                       if (c == '\n') {
+                               h->idle_state = IDLE_ACTIVE;
+                               g_debug("%s: IDLE is now ACTIVE", __func__);
+                       }
+               } else if (rc == IMR_UNKNOWN ||
+                       rc == IMR_SEVERED || rc == IMR_BYE || rc == IMR_PROTOCOL ||
+                       rc  == IMR_BAD) {
+                       g_debug("%s: got unexpected response %i! "
+                               "Last message was: \"%s\" - shutting down connection.",
+                               __func__, rc, h->last_msg);
+                       imap_handle_disconnect(h);
+                       return G_SOURCE_REMOVE;
+               }
+               async_cmd = cmdi_get_pending(h->cmd_info);
+               g_debug("%s: loop iteration finished, next async_cmd=%x", __func__,
+                       async_cmd);
+       }
+       g_debug("%s: loop left", __func__);
+       if (h->idle_state == IDLE_INACTIVE && async_cmd == 0) {
+               g_debug("%s: Last async command completed.", __func__);
+               socket_source_remove(h);
+               imap_handle_idle_enable(h, IDLE_TIMEOUT);
+       }
+       g_debug("%s: rc: %d returns %d (%d cmds in queue)", __func__,
+               rc, h->idle_state == IDLE_INACTIVE && async_cmd == 0,
+               g_list_length(h->cmd_info));
+       g_debug("%s: DONE", __func__);
+       return h->idle_state != IDLE_INACTIVE || async_cmd != 0;
 }
 
 /* imap_handle_idle_enable: enables calling IDLE command after seconds
@@ -402,31 +413,35 @@ async_process_real(ImapMboxHandle *h)
    by IDLE and STORE commands, for example. */
 
 static gboolean
-async_process(GIOChannel *source, GIOCondition condition, gpointer data)
-{
-  ImapMboxHandle *h = (ImapMboxHandle*)data;
-  gboolean retval_async;
-
-  g_return_val_if_fail(h, FALSE);
-
-  if(ASYNC_DEBUG) printf("async_process() ENTER\n");
-  if(!g_mutex_trylock(&h->mutex))
-    return FALSE;/* async data on already locked handle? Don't try again. */
-  if(ASYNC_DEBUG) printf("async_process() LOCKED\n");
-  if(h->state == IMHS_DISCONNECTED) {
-    if(ASYNC_DEBUG) printf("async_process() on disconnected\n");
-    g_mutex_unlock(&h->mutex);
-    return FALSE;
-  }
-  if( (condition & G_IO_HUP) == G_IO_HUP) {
-      imap_handle_disconnect(h);
-      g_mutex_unlock(&h->mutex);
-      return FALSE;
-  }
-  retval_async = async_process_real(h);
+async_process(GSocket      *source,
+                         GIOCondition  condition,
+                         gpointer      data)
+{
+       ImapMboxHandle *h = (ImapMboxHandle *) data;
+       gboolean retval_async;
+
+       g_return_val_if_fail(h, FALSE);
+
+       g_debug("%s: ENTER", __func__);
+       if (g_mutex_trylock(&h->mutex)) {
+               g_debug("%s: LOCKED", __func__);
+               if (h->state == IMHS_DISCONNECTED) {
+                       g_debug("%s: on disconnected", __func__);
+                       retval_async = G_SOURCE_REMOVE;
+               } else if ((condition & G_IO_HUP) == G_IO_HUP) {
+                       g_debug("%s: hangup", __func__);
+                       imap_handle_disconnect(h);
+                       retval_async = G_SOURCE_REMOVE;
+               } else {
+                       retval_async = async_process_real(h);
+               }
+               g_mutex_unlock(&h->mutex);
+       } else {
+               retval_async = G_SOURCE_REMOVE;         /* async data on already locked handle? Don't try 
again. */
+       }
 
-  g_mutex_unlock(&h->mutex);
-  return retval_async;
+       g_debug("%s: DONE (keep: %d)", __func__, retval_async);
+       return retval_async;
 }
 
 static gboolean
@@ -450,16 +465,10 @@ idle_start(gpointer data)
   IMAP_REQUIRED_STATE3(h, IMHS_CONNECTED, IMHS_AUTHENTICATED,
                        IMHS_SELECTED, FALSE);
 
-  asyncno = imap_make_tag(tag); sio_write(h->sio, tag, strlen(tag));
-  sio_write(h->sio, " IDLE\r\n", 7); sio_flush(h->sio);
+  asyncno = imap_make_tag(tag);
+  net_client_write_line(NET_CLIENT(h->sio), "%s IDLE", NULL, tag);
   cmdi_add_handler(&h->cmd_info, asyncno, cmdi_empty, NULL);
-  if(!h->iochannel) {
-    h->iochannel = g_io_channel_unix_new(h->sd);
-    g_io_channel_set_encoding(h->iochannel, NULL, NULL);
-  }
-  if(ASYNC_DEBUG) printf("async_process() registered\n");
-  h->async_watch_id = g_io_add_watch(h->iochannel, G_IO_IN|G_IO_HUP,
-                                    async_process, h);
+  socket_source_add(h);
   h->idle_state = IDLE_RESPONSE_PENDING;
 
   g_mutex_unlock(&h->mutex);
@@ -480,15 +489,10 @@ imap_cmd_issue(ImapMboxHandle* h, const char* cmd)
   if (imap_cmd_start(h, cmd, &async_cmd)<0)
     return IMR_SEVERED;  /* irrecoverable connection error. */
 
-  sio_flush(h->sio);
-  if(ASYNC_DEBUG) printf("command '%s' issued.\n", cmd);
+  g_debug("command '%s' issued.", cmd);
   cmdi_add_handler(&h->cmd_info, async_cmd, cmdi_empty, NULL);
-  if(!h->iochannel) {
-    h->iochannel = g_io_channel_unix_new(h->sd);
-    g_io_channel_set_encoding(h->iochannel, NULL, NULL);
-  }
-  h->async_watch_id = g_io_add_watch(h->iochannel, G_IO_IN|G_IO_HUP,
-                                     async_process, h);
+  socket_source_add(h);
+
   return IMR_OK /* async_cmd */;
 }
 
@@ -498,7 +502,7 @@ imap_handle_idle_enable(ImapMboxHandle *h, int seconds)
   if( !h->enable_idle || !imap_mbox_handle_can_do(h, IMCAP_IDLE))
     return FALSE;
   if(h->idle_state != IDLE_INACTIVE) {
-    fprintf(stderr, "IDLE already enabled\n");
+    g_warning("IDLE already enabled");
     return FALSE;
   }
   if(!h->idle_enable_id)
@@ -513,17 +517,14 @@ imap_handle_idle_disable(ImapMboxHandle *h)
     g_source_remove(h->idle_enable_id);
     h->idle_enable_id = 0;
   }
-  if(h->async_watch_id) {
-    g_source_remove(h->async_watch_id);
-    h->async_watch_id = 0;
+  if(h->sock_source != NULL) {
+       socket_source_remove(h);
     if(h->sio && h->idle_state == IDLE_RESPONSE_PENDING) {
       int c;
       ImapResponse rc;
       unsigned async_cmd = cmdi_get_pending(h->cmd_info);
 
-      do {
-       rc = imap_cmd_step(h, async_cmd);
-      } while (rc == IMR_UNTAGGED);
+      rc = imap_cmd_process_untagged(h, async_cmd);
       if(rc != IMR_RESPOND) {
        imap_handle_disconnect(h);
        return FALSE;
@@ -537,7 +538,7 @@ imap_handle_idle_disable(ImapMboxHandle *h)
     }
     if (h->sio &&  h->idle_state == IDLE_ACTIVE) {
       /* we might have been disconnected before */
-      sio_write(h->sio,"DONE\r\n",6); sio_flush(h->sio);
+      net_client_write_line(NET_CLIENT(h->sio), "DONE", NULL);
       h->idle_state = IDLE_INACTIVE;
     }
   }
@@ -554,22 +555,12 @@ imap_handle_op_cancelled(ImapMboxHandle *h)
 void
 imap_handle_disconnect(ImapMboxHandle *h)
 {
-  /* cppcheck-suppress unreadVariable */
-  gboolean still_connected __attribute__ ((__unused__));
-
-  still_connected = imap_handle_idle_disable(h);
+  gboolean G_GNUC_UNUSED dummy;
+  dummy = imap_handle_idle_disable(h);
   if(h->sio) {
-    sio_detach(h->sio); h->sio = NULL;
-    imap_compress_release(&h->compress);
-  }
-  if(h->iochannel) {
-    g_io_channel_unref(h->iochannel); h->iochannel = NULL;
+    g_object_unref(h->sio); h->sio = NULL;
   }
-  if(h->async_watch_id) {
-    g_source_remove(h->async_watch_id);
-    h->async_watch_id = 0;
-  }
-  close(h->sd);
+  socket_source_remove(h);
   h->state = IMHS_DISCONNECTED;
 }
 
@@ -583,14 +574,13 @@ int imap_mbox_is_selected     (ImapMboxHandle *h)
 { return IMAP_MBOX_IS_SELECTED(h); }
 
 ImapResult
-imap_mbox_handle_connect(ImapMboxHandle* ret, const char *host, int over_ssl)
+imap_mbox_handle_connect(ImapMboxHandle* ret, const char *host)
 {
   ImapResult rc;
 
   g_return_val_if_fail(imap_mbox_is_disconnected(ret), IMAP_CONNECT_FAILED);
 
   g_mutex_lock(&ret->mutex);
-  ret->over_ssl = over_ssl;
 
   g_free(ret->host);   ret->host   = g_strdup(host);
 
@@ -670,10 +660,10 @@ imap_handle_force_disconnect(ImapMboxHandle *h)
   g_mutex_unlock(&h->mutex);
 }
 
-ImapTlsMode
-imap_handle_set_tls_mode(ImapMboxHandle* r, ImapTlsMode state)
+NetClientCryptMode
+imap_handle_set_tls_mode(ImapMboxHandle* r, NetClientCryptMode state)
 {
-  ImapTlsMode res;
+  NetClientCryptMode res;
   g_return_val_if_fail(r,0);
   res = r->tls_mode;
   r->tls_mode = state;
@@ -689,60 +679,7 @@ struct ListData {
   void * cb_data;
 };
 
-int
-imap_socket_open(const char* host, const char *def_port)
-{
-  static const int USEIPV6 = 1;
-  int rc, fd = -1;
-  
-  /* --- IPv4/6 --- */
-  /* "65536\0" */
-  const char *port;
-  char *hostname;
-  struct addrinfo hints;
-  struct addrinfo* res;
-  struct addrinfo* cur;
-  
-  /* we accept v4 or v6 STREAM sockets */
-  memset (&hints, 0, sizeof (hints));
-
-  hints.ai_family = USEIPV6 ? AF_UNSPEC : AF_INET;
-  hints.ai_socktype = SOCK_STREAM;
-
-  port = strrchr(host, ':');
-  if (port) {
-    hostname = g_strndup(host, port-host);
-    port ++;
-  } else {
-    port = def_port;
-    hostname = g_strdup(host);
-  }
-  rc = getaddrinfo(hostname, port, &hints, &res);
-#if defined(HAVE_RES_INIT)
-  if (rc == EAI_AGAIN) {
-    res_init();
-    rc = getaddrinfo(hostname, port, &hints, &res);
-  }
-#endif                          /* defined(HAVE_RES_INIT) */
-  g_free(hostname);
-  if(rc)
-    return -1;
-  
-  for (cur = res; cur != NULL; cur = cur->ai_next) {
-    fd = socket (cur->ai_family, cur->ai_socktype, cur->ai_protocol);
-    if (fd >= 0) {
-      if ((rc=connect(fd, cur->ai_addr, cur->ai_addrlen)) == 0) {
-       break;
-      } else {
-       close (fd);
-        fd = -1;
-      }
-    }
-  }
-  freeaddrinfo (res);
-  return fd; /* FIXME: provide more info why the connection failed. */
-}
-
+#if 0
 static int
 imap_timeout_cb(void *arg)
 {
@@ -762,13 +699,13 @@ imap_timeout_cb(void *arg)
 
   return ok;
 }
+#endif
 
 static ImapResult
 imap_mbox_connect(ImapMboxHandle* handle)
 {
-  static const int SIO_BUFSZ=8192;
   ImapResponse resp;
-  const char *service = "imap";
+  GError *error = NULL;
 
   /* reset some handle status */
   handle->op_cancelled = FALSE;
@@ -776,72 +713,58 @@ imap_mbox_connect(ImapMboxHandle* handle)
   handle->can_fetch_body = TRUE;
   handle->idle_state = IDLE_INACTIVE;
   if(handle->sio) {
-    sio_detach(handle->sio); handle->sio = NULL;
-    imap_compress_release(&handle->compress);
+    g_object_unref(handle->sio); handle->sio = NULL;
   }
 
-  handle->using_tls = 0;
-  if(handle->over_ssl) service = "imaps";
-
-  handle->sd = imap_socket_open(handle->host, service);
-  if(handle->sd<0)
-    return IMAP_CONNECT_FAILED;
-  
-  /* Add buffering to the socket */
-  handle->sio = sio_attach(handle->sd, handle->sd, SIO_BUFSZ);
-  if (handle->sio == NULL) {
-    close(handle->sd);
-    return IMAP_NOMEM;
+  handle->sio = net_client_siobuf_new(handle->host,
+         handle->tls_mode == NET_CLIENT_CRYPT_ENCRYPTED ? 993 : 143);
+  g_signal_connect(G_OBJECT(handle->sio), "auth", handle->auth_cb, handle->auth_arg);
+  g_signal_connect(G_OBJECT(handle->sio), "cert-check", handle->cert_cb, handle->sio);
+  if (!net_client_connect(NET_CLIENT(handle->sio), &error)) {
+       imap_mbox_handle_set_msg(handle, error->message);
+       g_clear_error(&error);
+       return IMAP_CONNECT_FAILED;
   }
-  imap_compress_init(&handle->compress);
+  
+#if 0
   if(handle->timeout>0) {
     sio_set_timeout(handle->sio, handle->timeout);
     sio_set_timeoutcb(handle->sio, imap_timeout_cb, handle);
   }
-  if(handle->over_ssl) {
-    SSL *ssl = imap_create_ssl();
-    if(!ssl) {
-      imap_mbox_handle_set_msg(handle,"SSL context could not be created");
-      return IMAP_UNSECURE;
-    }
-    if(imap_setup_ssl(handle->sio, handle->host, ssl,
-                      handle->user_cb, handle->user_arg)) 
-      handle->using_tls = 1;
-    else {
-      imap_mbox_handle_set_msg(handle,"SSL negotiation failed");
-      imap_handle_disconnect(handle);
+#endif
+  if (handle->tls_mode == NET_CLIENT_CRYPT_ENCRYPTED) {
+    if (!net_client_start_tls(NET_CLIENT(handle->sio), &error)) {
+      imap_mbox_handle_set_msg(handle, error->message);
+         g_clear_error(&error);
       return IMAP_UNSECURE;
     }
   }
-  if(handle->monitor_cb) 
-    sio_set_monitorcb(handle->sio, handle->monitor_cb, handle->monitor_arg);
 
   handle->state = IMHS_CONNECTED;
   if ( (resp=imap_cmd_step(handle, 0)) != IMR_UNTAGGED) {
-    g_message("imap_mbox_connect:unexpected initial response(%d):\n%s\n",
+    g_message("imap_mbox_connect:unexpected initial response(%d): %s",
              resp, handle->last_msg);
     imap_handle_disconnect(handle);
     return IMAP_PROTOCOL_ERROR;
   }
   handle->can_fetch_body = 
     (strncmp(handle->last_msg, "Microsoft Exchange", 18) != 0);
-  if(handle->over_ssl)
-    resp = IMR_OK; /* secured already with SSL */
-  else if(handle->tls_mode != IMAP_TLS_DISABLED &&
-          imap_mbox_handle_can_do(handle, IMCAP_STARTTLS)) {
+  if((handle->tls_mode == NET_CLIENT_CRYPT_ENCRYPTED) ||
+        (handle->tls_mode == NET_CLIENT_CRYPT_NONE)) {
+    resp = IMAP_SUCCESS; /* secured already with SSL, or no encryption requested */
+  } else if(imap_mbox_handle_can_do(handle, IMCAP_STARTTLS)) {
     if( imap_handle_starttls(handle) != IMR_OK) {
       imap_mbox_handle_set_msg(handle,"TLS negotiation failed");
-      return IMAP_UNSECURE; /* TLS negotiation error */
+      resp = IMAP_UNSECURE; /* TLS negotiation error */
+    } else {
+      resp = IMAP_SUCCESS; /* secured with TLS */
     }
-    resp = IMR_OK; /* secured with TLS */
-  } else
-    resp = IMR_NO; /* not over SSL and TLS unavailable */
-  if(handle->tls_mode == IMAP_TLS_REQUIRED && resp != IMR_OK) {
-    imap_mbox_handle_set_msg(handle,"TLS required but not available");
-    return IMAP_UNSECURE;
+  } else {
+       imap_mbox_handle_set_msg(handle,"TLS required but not available");
+    resp = IMR_NO; /* TLS unavailable */
   }
 
-  return IMAP_SUCCESS;
+  return resp;
 }
 
 unsigned
@@ -853,7 +776,7 @@ imap_make_tag(ImapCmdTag tag)
 }
 
 static int
-imap_get_atom(struct siobuf *sio, char* atom, size_t len)
+imap_get_atom(NetClientSioBuf *sio, char* atom, size_t len)
 {
   unsigned i;
   int c = 0;
@@ -866,7 +789,7 @@ imap_get_atom(struct siobuf *sio, char* atom, size_t len)
 
 #define IS_FLAG_CHAR(c) (strchr("(){ %*\"]",(c))==NULL&&(c)>0x1f&&(c)!=0x7f)
 static int
-imap_get_flag(struct siobuf *sio, char* flag, size_t len)
+imap_get_flag(NetClientSioBuf *sio, char* flag, size_t len)
 {
   unsigned i;
   int c = 0;
@@ -886,7 +809,7 @@ imap_get_flag(struct siobuf *sio, char* flag, size_t len)
 */
 #define IS_TAG_CHAR(c) (strchr("(){ %\"\\]",(c))==NULL&&(c)>0x1f&&(c)!=0x7f)
 static int
-imap_cmd_get_tag(struct siobuf *sio, char* tag, size_t len)
+imap_cmd_get_tag(NetClientSioBuf *sio, char* tag, size_t len)
 {
   unsigned i;
   int c = 0;
@@ -1092,80 +1015,6 @@ imap_mbox_handle_get_msg(ImapMboxHandle* h, unsigned seqno)
   return h->msg_cache[seqno-1];
 }
 
-ImapMessage*
-imap_mbox_handle_get_msg_v(ImapMboxHandle* h, unsigned no)
-{
-  g_return_val_if_fail(h, 0);
-  g_return_val_if_fail(no-1<h->exists, NULL);
-  if(mbox_view_is_active(&h->mbox_view))
-    no = mbox_view_get_msg_no(&h->mbox_view, no);
-  return h->msg_cache[no-1];
-}
-unsigned
-imap_mbox_get_msg_no(ImapMboxHandle* h, unsigned no)
-{
-  g_return_val_if_fail(h, 0);
-  if(!mbox_view_is_active(&h->mbox_view))
-    return no;
-  else
-    return mbox_view_get_msg_no(&h->mbox_view, no);
-}
-
-unsigned
-imap_mbox_get_rev_no(ImapMboxHandle* h, unsigned seqno)
-{
-  if(!mbox_view_is_active(&h->mbox_view))
-    return seqno;
-  else
-    return mbox_view_get_rev_no(&h->mbox_view, seqno);
-}
-
-
-static void
-set_view_cb(ImapMboxHandle* handle, unsigned seqno, void*arg)
-{
-  mbox_view_append_no(&handle->mbox_view, seqno);
-}
-
-unsigned
-imap_mbox_set_view(ImapMboxHandle *h, ImapMsgFlag fl, gboolean state)
-{
-  char *flag;
-  gchar * cmd;
-  const gchar *cmd_prefix;
-  void *arg;
-  ImapSearchCb cb;
-  ImapResponse rc;
-
-  mbox_view_dispose(&h->mbox_view);
-  if(fl==0)
-    return 1;
-
-  if(imap_mbox_handle_can_do(h, IMCAP_ESEARCH))
-    cmd_prefix = "SEARCH RETURN (ALL) ";
-  else
-    cmd_prefix = "SEARCH ALL ";
-
-  switch(fl) {
-  case IMSGF_SEEN:     flag = "SEEN"; break;
-  case IMSGF_ANSWERED: flag = "ANSWERED"; break;
-  case IMSGF_FLAGGED:  flag = "FLAGGED"; break;
-  case IMSGF_DELETED:  flag = "DELETED"; break;
-  case IMSGF_DRAFT:    flag = "DRAFT"; break;
-  case IMSGF_RECENT:   flag = "RECENT"; break;
-  default: return 1;
-  }
-  cb  = h->search_cb;  h->search_cb  = (ImapSearchCb)set_view_cb;
-  arg = h->search_arg; h->search_arg = NULL;
-  g_free(h->mbox_view.filter_str);
-  h->mbox_view.filter_str = g_strconcat(state ? "" : "UN", flag, NULL);
-  cmd = g_strconcat(cmd_prefix, h->mbox_view.filter_str, NULL);
-  rc = imap_cmd_exec(h, cmd);
-  g_free(cmd);
-  h->search_cb = cb; h->search_arg = arg;
-  return rc == IMR_OK;
-}
-
 const char*
 imap_mbox_get_filter(ImapMboxHandle *h)
 {
@@ -1549,7 +1398,7 @@ imap_sequence_nth(ImapSequence *i_seq, unsigned nth)
       return r->lo + nth;
     nth -= range_length;
   }
-  g_warning("imap_sequence_nth: too large parameter; returning bogus data\n");
+  g_warning("imap_sequence_nth: too large parameter; returning bogus data");
   return 0;
 }
 
@@ -1966,10 +1815,7 @@ imap_cmd_start(ImapMboxHandle* handle, const char* cmd, unsigned *cmdno)
     return -1;
 
   *cmdno = imap_make_tag(tag);
-  sio_write(handle->sio, tag, strlen(tag));
-  sio_write(handle->sio, " ", 1);
-  sio_write(handle->sio, cmd, strlen(cmd));
-  sio_write(handle->sio, "\r\n", 2);
+  net_client_write_line(NET_CLIENT(handle->sio), "%s %s", NULL, tag, cmd);
   return 1;
 }
 
@@ -1990,18 +1836,11 @@ imap_cmd_step(ImapMboxHandle* handle, unsigned lastcmd)
   g_return_val_if_fail(handle, IMR_BAD);
   g_return_val_if_fail(handle->state != IMHS_DISCONNECTED, IMR_BAD);
 
-  if(ERR_peek_error()) {
-    fprintf(stderr, "OpenSSL error in %s():\n", __FUNCTION__);
-    ERR_print_errors_fp(stderr);
-    fprintf(stderr, "\nEnd of print_errors - severing the connection...\n");
-    imap_handle_disconnect(handle);
-    return IMR_SEVERED;
-  }
   ci = cmdi_find_by_no(handle->cmd_info, lastcmd);
   if(ci && ci->completed) {
     /* The response to this command has been encountered earlier,
        send it. */
-    printf("Sending stored response to %x and removing info.\n",  lastcmd);
+    g_debug("Sending stored response to %x and removing info.",  lastcmd);
     rc = ci->rc;
     handle->cmd_info = g_list_remove(handle->cmd_info, ci);
     g_free(ci);
@@ -2009,7 +1848,7 @@ imap_cmd_step(ImapMboxHandle* handle, unsigned lastcmd)
   }
 
   if( imap_cmd_get_tag(handle->sio, tag, sizeof(tag))<0) {
-    printf("IMAP connection to %s severed.\n", handle->host);
+    g_debug("IMAP connection to %s severed.", handle->host);
     imap_handle_disconnect(handle);
     return IMR_SEVERED;
   }
@@ -2029,7 +1868,7 @@ imap_cmd_step(ImapMboxHandle* handle, unsigned lastcmd)
   /* tagged completion code is the only alternative. */
   /* our command tags are hexadecimal numbers, at most 7 chars */
   if(sscanf(tag, "%7x", &cmdno) != 1) {
-    printf("scanning '%s' for tag number failed. Cannot recover.\n", tag);
+    g_warning("scanning '%s' for tag number failed. Cannot recover.", tag);
     imap_handle_disconnect(handle);
     return IMR_BAD;
   }
@@ -2042,17 +1881,17 @@ imap_cmd_step(ImapMboxHandle* handle, unsigned lastcmd)
   ci = cmdi_find_by_no(handle->cmd_info, cmdno);
 #ifdef DEBUG
   if(lastcmd != cmdno)
-    printf("Looking for %x and encountered response to %x (%p)\n",
+    g_debug("Looking for %x and encountered response to %x (%p)",
            lastcmd, cmdno, ci);
 #endif
   if(ci) {
     if(ci->complete_cb && !ci->complete_cb(handle, ci->cb_data)) {
       ci->rc = rc;
       ci->completed = 1;
-      printf("Cmd %x marked as completed with rc=%d\n", cmdno, rc);
+      g_debug("Cmd %x marked as completed with rc=%d", cmdno, rc);
     } else {
 #ifdef DEBUG
-      printf("CmdInfo for cmd %x removed\n", cmdno);
+      g_debug("CmdInfo for cmd %x removed", cmdno);
 #endif
       handle->cmd_info = g_list_remove(handle->cmd_info, ci);
       g_free(ci);
@@ -2064,6 +1903,17 @@ imap_cmd_step(ImapMboxHandle* handle, unsigned lastcmd)
     return lastcmd == cmdno ? rc : IMR_UNTAGGED;
 }
 
+ImapResponse
+imap_cmd_process_untagged(ImapMboxHandle* handle, unsigned cmdno)
+{
+       ImapResponse rc;
+
+       do {
+               rc = imap_cmd_step(handle, cmdno);
+       } while (rc == IMR_UNTAGGED);
+       return rc;
+}
+
 /**executes a command, and wait for the response from the server.
  * Also, handle untagged responses.
  * Returns ImapResponse.
@@ -2088,13 +1938,10 @@ imap_cmd_exec_cmdno(ImapMboxHandle* handle, const char* cmd,
 
   if(ret_cmdno) *ret_cmdno = cmdno;
   g_return_val_if_fail(handle->state != IMHS_DISCONNECTED && 1, IMR_BAD);
-  sio_flush(handle->sio);
   if(handle->state == IMHS_DISCONNECTED)
     return IMR_SEVERED;
 
-  do {
-    rc = imap_cmd_step (handle, cmdno);
-  } while (rc == IMR_UNTAGGED);
+  rc = imap_cmd_process_untagged(handle, cmdno);
 
   imap_handle_idle_enable(handle, IDLE_TIMEOUT);
 
@@ -2135,14 +1982,11 @@ imap_cmd_exec_cmds(ImapMboxHandle* handle, const char** cmds,
   }
   if (rc == IMR_OK) {
     g_return_val_if_fail(handle->state != IMHS_DISCONNECTED && 1, IMR_BAD);
-    sio_flush(handle->sio);
     if(handle->state == IMHS_DISCONNECTED)
       rc = IMR_SEVERED;
     else {
       for (cmd_count=0; cmds[cmd_count]; ++cmd_count) {
-       do {
-         rc = imap_cmd_step (handle, cmdnos[cmd_count]);
-       } while (rc == IMR_UNTAGGED);
+         rc = imap_cmd_process_untagged(handle, cmdnos[cmd_count]);
 
        if ( !(rc == IMR_OK || rc == IMR_NO || rc == IMR_BAD) ) {
          ret_rc = rc;
@@ -2162,57 +2006,8 @@ imap_cmd_exec_cmds(ImapMboxHandle* handle, const char** cmds,
   return ret_rc;
 }
 
-int
-imap_handle_write(ImapMboxHandle *conn, const char *buf, size_t len)
-{
-  g_return_val_if_fail(conn, -1);
-  g_return_val_if_fail(conn->sio, -1);
-
-  sio_write(conn->sio, buf, len); /* why it is void? */
-  return 0;
-}
-
-void
-imap_handle_flush(ImapMboxHandle *handle)
-{
-  g_return_if_fail(handle);
-  g_return_if_fail(handle->sio);
-  sio_flush(handle->sio);
-}
-
-char*
-imap_mbox_gets(ImapMboxHandle *h, char* buf, size_t sz)
-{
-  char* rc;
-  g_return_val_if_fail(h, NULL);
-  g_return_val_if_fail(h->sio, NULL);
-
-  rc = sio_gets(h->sio, buf, sz);
-  if(rc == NULL)
-      imap_handle_disconnect(h);
-  return rc;
-}
-
-const char*
-lbi_strerror(ImapResult rc)
-{
-  switch(rc) {
-   
-  case IMAP_SUCCESS:        return "action succeeded";
-  case IMAP_NOMEM:          return "not enough memory";
-  case IMAP_CONNECT_FAILED: return "transport level connect failed";
-  case IMAP_PROTOCOL_ERROR: return "unexpected server response";
-  case IMAP_AUTH_FAILURE:   return "authentication failure";
-  case IMAP_AUTH_UNAVAIL:   return "no supported authentication method available ";
-  case IMAP_UNSECURE:       return "secure connection requested but "
-                              "could not be established.";
-  case IMAP_SELECT_FAILED: return "SELECT command failed";
-  default: return "Unknown error";
-  }
-}
-
 static GString*
-imap_get_string_with_lookahead(struct siobuf* sio, int c)
+imap_get_string_with_lookahead(NetClientSioBuf *sio, int c)
 { /* string */  
   GString *res = NULL;
   if(c=='"') { /* quoted */
@@ -2236,8 +2031,8 @@ imap_get_string_with_lookahead(struct siobuf* sio, int c)
     if(len==0 || buf[len-1] != '}') return NULL;
     buf[len-1] = '\0';
     len = strtol(buf, NULL, 10);
-    if( c != 0x0d) { printf("lit1:%d\n",c); return NULL;}
-    if( (c=sio_getc(sio)) != 0x0a) { printf("lit1:%d\n",c); return NULL;}
+    if( c != 0x0d) { g_debug("lit1:%d",c); return NULL;}
+    if( (c=sio_getc(sio)) != 0x0a) { g_debug("lit1:%d",c); return NULL;}
     res = g_string_sized_new(len+1);
     if(len>0) sio_read(sio, res->str, len);
     res->len = len;
@@ -2248,14 +2043,14 @@ imap_get_string_with_lookahead(struct siobuf* sio, int c)
 
 /* see the spec for the definition of string */
 static char*
-imap_get_string(struct siobuf* sio)
+imap_get_string(NetClientSioBuf *sio)
 {
   GString * s = imap_get_string_with_lookahead(sio, sio_getc(sio));
   return s ? g_string_free(s, FALSE) : NULL;
 }
 
 static gboolean
-imap_is_nil (struct siobuf *sio, int c)
+imap_is_nil (NetClientSioBuf *sio, int c)
 {
   return g_ascii_toupper (c) == 'N' && g_ascii_toupper (sio_getc (sio)) == 'I'
     && g_ascii_toupper (sio_getc (sio)) == 'L';
@@ -2263,7 +2058,7 @@ imap_is_nil (struct siobuf *sio, int c)
 
 /* see the spec for the definition of nstring */
 static char*
-imap_get_nstring(struct siobuf* sio)
+imap_get_nstring(NetClientSioBuf *sio)
 {
   int c = sio_getc(sio);
   if(toupper(c)=='N') { /* nil */
@@ -2278,7 +2073,7 @@ imap_get_nstring(struct siobuf* sio)
 /* see the spec for the definition of astring */
 #define IS_ASTRING_CHAR(c) (strchr("(){ %*\"\\", (c))==0&&(c)>0x1F&&(c)!=0x7F)
 static char*
-imap_get_astring(struct siobuf *sio, int* lookahead)
+imap_get_astring(NetClientSioBuf *sio, int* lookahead)
 {
   char* res;
   int c = sio_getc(sio);
@@ -2300,7 +2095,7 @@ imap_get_astring(struct siobuf *sio, int* lookahead)
 
 /* nstring / literal8 as in the BINARY extension */
 static GString*
-imap_get_binary_string(struct siobuf *sio)
+imap_get_binary_string(NetClientSioBuf *sio)
 {
   int c = sio_getc(sio);
   if(toupper(c)=='N') { /* nil */
@@ -2322,14 +2117,14 @@ imap_get_binary_string(struct siobuf *sio)
 #include "imap-handle.h"
 
 static int
-ignore_bad_charset(struct siobuf *sio, int c)
+ignore_bad_charset(NetClientSioBuf *sio, int c)
 {
   while(c==' ') {
     gchar * astring = imap_get_astring(sio, &c); 
     g_free(astring);
   }
   if(c != ')')
-    fprintf(stderr,"ignore_bad_charset: expected ')' got '%c'\n", c);
+    g_warning("ignore_bad_charset: expected ')' got '%c'", c);
   else c = sio_getc(sio);
   return c;
 }
@@ -2459,7 +2254,7 @@ ir_get_append_copy_uids(ImapMboxHandle *h, gboolean append_only)
     if( (rc = imap_get_sequence(h, NULL, NULL)) != IMR_OK)
       return rc;
     if( (c=sio_getc(h->sio)) != ' ') {
-      printf("Expected ' ' found '%c'\n", c);
+      g_debug("Expected ' ' found '%c'", c);
       return IMR_PROTOCOL;
     }
   }
@@ -2519,7 +2314,7 @@ ir_resp_text_code(ImapMboxHandle *h)
   default: while( c != ']' && (c=sio_getc(h->sio)) != EOF) ; break;
   }
   if(c != ']')
-    printf("ir_resp_text_code, on exit c=%c\n", c);
+    g_debug("ir_resp_text_code, on exit c=%c", c);
   return c == ']' ? rc : IMR_PROTOCOL;
 }
 
@@ -2551,7 +2346,7 @@ ir_ok(ImapMboxHandle *h)
     if(h->info_cb)
       h->info_cb(h, rc, line, h->info_arg);
     else
-      printf("INFO : '%s'\n", line);
+      g_debug("INFO : '%s'", line);
     rc = IMR_OK; /* in case it was IMR_ALERT */
   }
   return rc;
@@ -2569,7 +2364,7 @@ ir_no(ImapMboxHandle *h)
     if(h->info_cb)
       h->info_cb(h, IMR_NO, line, h->info_arg);
     else
-      printf("WARN : '%s'\n", line);
+      g_debug("WARN : '%s'", line);
   }
   return IMR_NO;
 }
@@ -2585,7 +2380,7 @@ ir_bad(ImapMboxHandle *h)
     if(h->info_cb)
       h->info_cb(h, IMR_BAD, line, h->info_arg);
     else
-      printf("ERROR: %s\n", line);
+      g_debug("ERROR: %s", line);
   }
   return IMR_BAD;
 }
@@ -2612,10 +2407,8 @@ ir_bye(ImapMboxHandle *h)
     imap_mbox_handle_set_state(h, IMHS_DISCONNECTED);
     /* we close the connection here unless we are doing logout. */
     if(h->sio) {
-      sio_detach(h->sio); h->sio = NULL; 
-      imap_compress_release(&h->compress);
+      g_object_unref(h->sio); h->sio = NULL;
     }
-    close(h->sd);
   }
   return IMR_BYE;
 }
@@ -2624,11 +2417,11 @@ static ImapResponse
 ir_check_crlf(ImapMboxHandle *h, int c)
 {
   if( c != 0x0d) {
-    printf("CR:%d\n",c);
+    g_debug("CR:%d",c);
     return IMR_PROTOCOL;
   }
   if( (c=sio_getc(h->sio)) != 0x0a) {
-    printf("LF:%d\n",c);
+    g_debug("LF:%d",c);
     return IMR_PROTOCOL;
   }
   return IMR_OK;
@@ -2766,7 +2559,7 @@ ir_esearch(ImapMboxHandle *h)
     c = imap_get_atom(h->sio, atom, sizeof(atom));
     if(c == EOF) return IMR_SEVERED;
     if(g_ascii_strcasecmp(atom, "TAG")) { /* TAG is the only acceptable response here! */
-      printf("ESearch expected TAG encountered %s\n", atom);
+      g_debug("ESearch expected TAG encountered %s", atom);
       return IMR_PROTOCOL; 
     }
     if(c != ' ')
@@ -2843,7 +2636,7 @@ static ImapResponse
 ir_flags(ImapMboxHandle *h)
 {
   /* FIXME: implement! */
-  int c; EAT_LINE(h, c);
+  net_client_siobuf_discard_line(h->sio, NULL);
   return IMR_OK;
 }
 
@@ -2946,7 +2739,7 @@ ir_quotaroot(ImapMboxHandle *h)
   mbox = imap_get_astring(h->sio, &eol);
   if (mbox) {
     if (strcmp(mbox, mbx7))
-      fprintf(stderr, "expected QUOTAROOT for %s, not for %s\n", mbx7, mbox);
+      g_debug("expected QUOTAROOT for %s, not for %s", mbx7, mbox);
     else {
       if (eol == ' ')
         h->quota_root = imap_get_astring(h->sio, &eol);
@@ -2973,7 +2766,7 @@ ir_quota(ImapMboxHandle *h)
   h->quota_max_k = h->quota_used_k = 0;
   if (root) {
     if (strcmp(root, h->quota_root))
-      fprintf(stderr, "expected QUOTA for %s, not for %s\n", h->quota_root,
+      g_debug("expected QUOTA for %s, not for %s", h->quota_root,
               root);
     else {
       while ((c = sio_getc(h->sio)) != -1 && c == ' ');
@@ -2997,7 +2790,7 @@ ir_quota(ImapMboxHandle *h)
               h->quota_used_k = strtoul(usage, &endptr1, 10);
               h->quota_max_k = strtoul(limit, &endptr2, 10);
               if (*endptr1 != '\0' || *endptr2 != '\0') {
-                fprintf(stderr, "bad QUOTA '%s %s %s'\n", resource, usage,
+                g_debug("bad QUOTA '%s %s %s'", resource, usage,
                         limit);
                 h->quota_max_k = h->quota_used_k = 0;
                 c = ')';
@@ -3071,7 +2864,7 @@ ir_myrights(ImapMboxHandle *h)
   mbox = imap_get_astring(h->sio, &eol);
   if (mbox && eol == ' ') {
     if (strcmp(mbox, mbx7))
-      fprintf(stderr, "expected MYRIGHTS for %s, not for %s\n", mbx7, mbox);
+      g_debug("expected MYRIGHTS for %s, not for %s", mbx7, mbox);
     else {
       retval = extract_acl(h, "\n", &h->rights, NULL);
       h->has_rights = 1;
@@ -3110,7 +2903,7 @@ ir_getacl(ImapMboxHandle *h)
 
   mbx7 = imap_utf8_to_mailbox(h->mbox);
   if (strcmp(mbox, mbx7)) {
-    fprintf(stderr, "expected ACL for %s, not for %s\n", mbx7, mbox);
+    g_debug("expected ACL for %s, not for %s", mbx7, mbox);
     retval = IMR_NO;
   } else if (eol == '\n') {
     retval = IMR_OK;
@@ -3215,7 +3008,7 @@ imap_address_to_string(const ImapAddress *addr)
    (eg., when end of list is found instead).
 */
 static ImapAddress*
-imap_get_address(struct siobuf* sio)
+imap_get_address(NetClientSioBuf *sio)
 {
   char *addr[4], *p;
   ImapAddress *res = NULL;
@@ -3275,7 +3068,7 @@ imap_get_address(struct siobuf* sio)
 }
 
 static ImapResponse
-imap_get_addr_list (struct siobuf *sio, ImapAddress ** list)
+imap_get_addr_list (NetClientSioBuf *sio, ImapAddress ** list)
 {
   int c;
   ImapAddress *res;
@@ -3304,7 +3097,7 @@ imap_get_addr_list (struct siobuf *sio, ImapAddress ** list)
 }
 
 static ImapResponse
-ir_envelope(struct siobuf *sio, ImapEnvelope *env)
+ir_envelope(NetClientSioBuf *sio, ImapEnvelope *env)
 {
   int c;
   char *date, *str;
@@ -3315,14 +3108,14 @@ ir_envelope(struct siobuf *sio, ImapEnvelope *env)
 #if GMAIL_BUG_20100725 == 1
   /* GMAIL returns sometimes NIL instead of the envelope. */
   if (c == 'N') {
-      printf("GMail message/rfc822 bug detected.\n");      
+      g_debug("GMail message/rfc822 bug detected.");
       env = NULL;
       if (sio_getc(sio) == 'I' &&
           sio_getc(sio) == 'L') return IMR_PARSE;
   }
 #endif /* GMAIL_BUG_20100725 */
   if( c != '(') {
-      printf("envelope's ( expected but got '%c'\n", c);
+      g_debug("envelope's ( expected but got '%c'", c);
       return IMR_PROTOCOL;
   }
 
@@ -3355,10 +3148,10 @@ ir_envelope(struct siobuf *sio, ImapEnvelope *env)
   if( (c=sio_getc(sio)) != ' ') return IMR_PROTOCOL;
   str = imap_get_nstring(sio);
   if(env) env->in_reply_to = str; else g_free(str);
-  if( (c=sio_getc(sio)) != ' ') { printf("c=%c\n",c); return IMR_PROTOCOL;}
+  if( (c=sio_getc(sio)) != ' ') { g_debug("c=%c",c); return IMR_PROTOCOL;}
   str = imap_get_nstring(sio);
   if(env) env->message_id = str; else g_free(str);
-  if( (c=sio_getc(sio)) != ')') { printf("c=%d\n",c);return IMR_PROTOCOL;}
+  if( (c=sio_getc(sio)) != ')') { g_debug("c=%d",c);return IMR_PROTOCOL;}
   return IMR_OK;
 }
 
@@ -3420,7 +3213,7 @@ ir_msg_att_rfc822_size(ImapMboxHandle *h, int c, unsigned seqno)
 }
 
 static ImapResponse
-ir_media(struct siobuf* sio, ImapMediaBasic *imb, ImapBody *body)
+ir_media(NetClientSioBuf *sio, ImapMediaBasic *imb, ImapBody *body)
 {
   gchar *type, *subtype;
 
@@ -3455,7 +3248,7 @@ ir_media(struct siobuf* sio, ImapMediaBasic *imb, ImapBody *body)
 }
 
 static ImapResponse
-ir_body_fld_param_hash(struct siobuf* sio, GHashTable * params)
+ir_body_fld_param_hash(NetClientSioBuf *sio, GHashTable * params)
 {
   int c;
   gchar *key, *val;
@@ -3478,13 +3271,13 @@ ir_body_fld_param_hash(struct siobuf* sio, GHashTable * params)
 }
 
 static ImapResponse
-ir_body_fld_param(struct siobuf* sio, ImapBody *body)
+ir_body_fld_param(NetClientSioBuf *sio, ImapBody *body)
 {
   return ir_body_fld_param_hash(sio, body ? body->params : NULL);
 }
 
 static ImapResponse
-ir_body_fld_id(struct siobuf* sio, ImapBody *body)
+ir_body_fld_id(NetClientSioBuf *sio, ImapBody *body)
 {
   gchar* id = imap_get_nstring(sio);
 
@@ -3496,7 +3289,7 @@ ir_body_fld_id(struct siobuf* sio, ImapBody *body)
 }
 
 static ImapResponse
-ir_body_fld_desc(struct siobuf* sio, ImapBody *body)
+ir_body_fld_desc(NetClientSioBuf *sio, ImapBody *body)
 {
   gchar* desc = imap_get_nstring(sio);
   if(body)
@@ -3507,7 +3300,7 @@ ir_body_fld_desc(struct siobuf* sio, ImapBody *body)
 }
 
 static ImapResponse
-ir_body_fld_enc(struct siobuf* sio, ImapBody *body)
+ir_body_fld_enc(NetClientSioBuf *sio, ImapBody *body)
 {
   gchar* str = imap_get_string(sio);
   ImapBodyEncoding enc;
@@ -3527,7 +3320,7 @@ ir_body_fld_enc(struct siobuf* sio, ImapBody *body)
 }
 
 static ImapResponse
-ir_body_fld_octets(struct siobuf* sio, ImapBody *body)
+ir_body_fld_octets(NetClientSioBuf *sio, ImapBody *body)
 {
   char buf[12];
   int c = imap_get_atom(sio, buf, sizeof(buf));
@@ -3539,7 +3332,7 @@ ir_body_fld_octets(struct siobuf* sio, ImapBody *body)
 }
 
 static ImapResponse
-ir_body_fields(struct siobuf* sio, ImapBody *body)
+ir_body_fields(NetClientSioBuf *sio, ImapBody *body)
 {
   ImapResponse rc;
   int c;
@@ -3547,7 +3340,7 @@ ir_body_fields(struct siobuf* sio, ImapBody *body)
   if( (rc=ir_body_fld_param (sio, body))!=IMR_OK) return rc;
   if(sio_getc(sio) != ' ') return IMR_PROTOCOL;
   if( (rc=ir_body_fld_id    (sio, body))!=IMR_OK) return rc;
-  if((c=sio_getc(sio)) != ' ') { printf("err=%c\n", c); return IMR_PROTOCOL; }
+  if((c=sio_getc(sio)) != ' ') { g_debug("err=%c", c); return IMR_PROTOCOL; }
   if( (rc=ir_body_fld_desc  (sio, body))!=IMR_OK) return rc;
   if(sio_getc(sio) != ' ') return IMR_PROTOCOL;
   if( (rc=ir_body_fld_enc   (sio, body))!=IMR_OK) return rc;
@@ -3558,7 +3351,7 @@ ir_body_fields(struct siobuf* sio, ImapBody *body)
 }
 
 static ImapResponse
-ir_body_fld_lines(struct siobuf* sio, ImapBody* body)
+ir_body_fld_lines(NetClientSioBuf *sio, ImapBody* body)
 {
   char buf[12];
   int c = imap_get_atom(sio, buf, sizeof(buf));
@@ -3571,7 +3364,7 @@ ir_body_fld_lines(struct siobuf* sio, ImapBody* body)
 
 /* body_fld_dsp = "(" string SP body_fld_param ")" / nil */
 static ImapResponse
-ir_body_fld_dsp (struct siobuf *sio, ImapBody * body)
+ir_body_fld_dsp (NetClientSioBuf *sio, ImapBody * body)
 {
   ImapResponse rc;
   int c;
@@ -3625,7 +3418,7 @@ ir_body_fld_dsp (struct siobuf *sio, ImapBody * body)
 
 /* body-fld-lang = nstring / "(" string *(SP string) ")" */
 static ImapResponse
-ir_body_fld_lang (struct siobuf *sio, ImapBody * body)
+ir_body_fld_lang (NetClientSioBuf *sio, ImapBody * body)
 {
   int c;
 
@@ -3667,7 +3460,7 @@ ir_body_fld_lang (struct siobuf *sio, ImapBody * body)
  *                  "(" body-extension *(SP body-extension) ")"
  */
 static ImapResponse
-ir_body_extension (struct siobuf *sio, ImapBody * body)
+ir_body_extension (NetClientSioBuf *sio, ImapBody * body)
 {
   int c;
 
@@ -3716,7 +3509,7 @@ typedef enum _ImapBodyExtensibility ImapBodyExtensibility;
  */
 
 static ImapResponse
-ir_body_ext_mpart (struct siobuf *sio, ImapBody * body,
+ir_body_ext_mpart (NetClientSioBuf *sio, ImapBody * body,
                   ImapBodyExtensibility type)
 {
   ImapResponse rc;
@@ -3795,7 +3588,7 @@ ir_body_ext_mpart (struct siobuf *sio, ImapBody * body,
  *                   ; "BODY" fetch
  */
 static ImapResponse
-ir_body_ext_1part (struct siobuf *sio, ImapBody * body,
+ir_body_ext_1part (NetClientSioBuf *sio, ImapBody * body,
                   ImapBodyExtensibility type)
 {
   ImapResponse rc;
@@ -3812,8 +3605,8 @@ ir_body_ext_1part (struct siobuf *sio, ImapBody * body,
     sio_ungetc(sio);
     if(isdigit(c)) { 
       char buf[20];
-      printf("Incorrect GMail number-of-lines entry detected. "
-            "Working around.\n");
+      g_debug("Incorrect GMail number-of-lines entry detected. "
+            "Working around.");
       c = imap_get_atom(sio, buf, sizeof(buf));
       if(c != ' ')
        return IMR_PROTOCOL;
@@ -3883,10 +3676,10 @@ ir_body_ext_1part (struct siobuf *sio, ImapBody * body,
 /* body-type-mpart = 1*body SP media-subtype
  *                   [SP body-ext-mpart]
  */
-static ImapResponse ir_body (struct siobuf *sio, int c, ImapBody * body,
+static ImapResponse ir_body (NetClientSioBuf *sio, int c, ImapBody * body,
                             ImapBodyExtensibility type);
 static ImapResponse
-ir_body_type_mpart (struct siobuf *sio, ImapBody * body,
+ir_body_type_mpart (NetClientSioBuf *sio, ImapBody * body,
                    ImapBodyExtensibility type)
 {
   ImapResponse rc;
@@ -3942,7 +3735,7 @@ ir_body_type_mpart (struct siobuf *sio, ImapBody * body,
  *                   [SP body-ext-1part]
  */
 static ImapResponse
-ir_body_type_1part (struct siobuf *sio, ImapBody * body,
+ir_body_type_1part (NetClientSioBuf *sio, ImapBody * body,
                    ImapBodyExtensibility type)
 {
   ImapResponse rc;
@@ -4045,7 +3838,7 @@ ir_body_type_1part (struct siobuf *sio, ImapBody * body,
 
 /* body = "(" (body-type-1part / body-type-mpart) ")" */
 static ImapResponse
-ir_body (struct siobuf *sio, int c, ImapBody * body,
+ir_body (NetClientSioBuf *sio, int c, ImapBody * body,
         ImapBodyExtensibility type)
 {
   ImapResponse rc;
@@ -4070,7 +3863,7 @@ ir_body (struct siobuf *sio, int c, ImapBody * body,
 
 /* read [section] and following string. FIXME: other kinds of body. */ 
 static ImapResponse
-ir_body_section(struct siobuf *sio, unsigned seqno,
+ir_body_section(NetClientSioBuf *sio, unsigned seqno,
                ImapFetchBodyType body_type,
                ImapFetchBodyInternalCb body_cb, void *arg)
 {
diff --git a/libbalsa/imap/imap-handle.h b/libbalsa/imap/imap-handle.h
index 875cdb22..55373baa 100644
--- a/libbalsa/imap/imap-handle.h
+++ b/libbalsa/imap/imap-handle.h
@@ -19,6 +19,7 @@
 
 #include <glib.h>
 
+#include "net-client.h"
 #include "libimap.h"
 
 typedef enum {
@@ -120,22 +121,21 @@ typedef void(*ImapListCb)(ImapMboxHandle*handle, int delim,
 
 ImapMboxHandle *imap_mbox_handle_new(void);
 void imap_handle_set_option(ImapMboxHandle *h, ImapOption opt, gboolean state);
-void imap_handle_set_monitorcb(ImapMboxHandle* h, ImapMonitorCb cb, void*);
 void imap_handle_set_infocb(ImapMboxHandle* h, ImapInfoCb cb, void*);
-void imap_handle_set_usercb(ImapMboxHandle* h, ImapUserCb cb, void*);
 void imap_handle_set_flagscb(ImapMboxHandle* h, ImapFlagsCb cb, void*);
+void imap_handle_set_authcb(ImapMboxHandle* h, GCallback cb, void *arg);
+void imap_handle_set_certcb(ImapMboxHandle* h, GCallback cb);
 int imap_handle_set_timeout(ImapMboxHandle *, int milliseconds);
 gboolean imap_handle_idle_enable(ImapMboxHandle *, int seconds);
 gboolean imap_handle_idle_disable(ImapMboxHandle *)
     __attribute__ ((warn_unused_result));
 gboolean imap_handle_op_cancelled(ImapMboxHandle *h);
-ImapResult imap_mbox_handle_connect(ImapMboxHandle* r, const char *hst, 
-                                    int over_ssl);
+ImapResult imap_mbox_handle_connect(ImapMboxHandle* r, const char *hst);
 ImapResult imap_mbox_handle_reconnect(ImapMboxHandle* r,
                                       gboolean *readonly);
 void imap_handle_force_disconnect(ImapMboxHandle *h);
 
-ImapTlsMode imap_handle_set_tls_mode(ImapMboxHandle *h, ImapTlsMode option);
+NetClientCryptMode imap_handle_set_tls_mode(ImapMboxHandle *h, NetClientCryptMode option);
 
 /* int below is a boolean */
 int      imap_mbox_handle_can_do(ImapMboxHandle* handle, ImapCapability cap);
@@ -159,17 +159,11 @@ ImapResponse imap_mbox_handle_fetch_env(ImapMboxHandle* handle,
                                         const gchar *seq);
 
 ImapMessage* imap_mbox_handle_get_msg(ImapMboxHandle* handle, unsigned seqno);
-ImapMessage* imap_mbox_handle_get_msg_v(ImapMboxHandle* handle, unsigned no);
-unsigned imap_mbox_get_msg_no(ImapMboxHandle* h, unsigned no);
-unsigned imap_mbox_get_rev_no(ImapMboxHandle* h, unsigned seqno);
 
 unsigned imap_mbox_handle_first_unseen(ImapMboxHandle* handle);
-unsigned imap_mbox_find_next(ImapMboxHandle* handle, unsigned start, 
-                             const char *search_str);
 ImapResponse imap_mbox_find_all(ImapMboxHandle *h, const char *search_str,
                                 unsigned *msgcnt, unsigned**msgs);
 
-unsigned imap_mbox_set_view(ImapMboxHandle *h, ImapMsgFlag f, gboolean state);
 unsigned imap_mbox_set_sort(ImapMboxHandle *h, ImapSortKey isr, 
                             int ascending);
 const char *imap_mbox_get_filter(ImapMboxHandle *h);
diff --git a/libbalsa/imap/imap-tls.c b/libbalsa/imap/imap-tls.c
index 4376080c..d07275b7 100644
--- a/libbalsa/imap/imap-tls.c
+++ b/libbalsa/imap/imap-tls.c
@@ -41,347 +41,28 @@
  */
 
 #include "config.h"
-
-#include <string.h>
-#include <openssl/ssl.h>
-#include <openssl/x509v3.h>
-#include <openssl/err.h>
-
-/* Support for SSLv3 should *not* be enabled as it is unsafe (see
- * <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566> and
- * <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730>.
- *
- * Uncomment the following line if you *really* want to enable SSLv3 support.
- * Otherwise, only the "safe" protocols TLS 1.0, TLS 1.1 and TLS 1.2 are used
- * (note that TLS 1.1 and TLS 1.2 support depends upon the OpenSSL version) */
-/* #define ENABLE_SSL3 1 */
-
-#include "siobuf.h"
+#include "siobuf-nc.h"
 #include "imap_private.h"
 
-static SSL_CTX *global_ssl_context = NULL;
-static GMutex global_tls_lock;
-
-  /* Setting callbacks is not required any more with 1.1.0-pre4 and newer */
-#if OPENSSL_VERSION_NUMBER < 0x010100004L
-/* OpenSSL static locks */
-static GMutex *mutexes = NULL;
-
-static void
-locking_function(int mode, int n, const char *file, int line)
-{
-  if(mode & CRYPTO_LOCK)
-         g_mutex_lock(&mutexes[n]);
-  else
-         g_mutex_unlock(&mutexes[n]);
-}
-
-static unsigned long
-id_function(void)
-{
-  return (unsigned long) g_thread_self();
-}
-
-/* OpenSSL dynamic locks */
-struct CRYPTO_dynlock_value {
-  GMutex mutex;
-};
-
-static struct CRYPTO_dynlock_value*
-dyn_create_function(const char *file, int line)
-{
-  struct CRYPTO_dynlock_value *value =
-    (struct CRYPTO_dynlock_value*)malloc(sizeof(struct CRYPTO_dynlock_value));
-
-  if(!value)
-    return NULL;
-  g_mutex_init(&value->mutex);
-  return value;
-}
-
-static void
-dyn_lock_function(int mode, struct CRYPTO_dynlock_value *l,
-                  const char *file, int line)
-{
-  if(mode & CRYPTO_LOCK)
-         g_mutex_lock(&l->mutex);
-  else
-         g_mutex_unlock(&l->mutex);
-}
-
-static void
-dyn_destroy_function(struct CRYPTO_dynlock_value *l,
-                     const char *file, int line)
-{
-       g_mutex_clear(&l->mutex);
-  free(l);
-}
-
-static int
-imaptls_thread_setup(void)
-{
-  int i, mutex_cnt = CRYPTO_num_locks();
-
-  mutexes = (GMutex*)malloc(mutex_cnt*sizeof(GMutex));
-  if(!mutexes)
-    return 0;
-  for(i=0; i<mutex_cnt; i++)
-         g_mutex_init(&mutexes[i]);
-  CRYPTO_set_id_callback(id_function);
-  CRYPTO_set_locking_callback(locking_function);
-  
-  /* dynamic locking for future releases of OpenSSL */
-  CRYPTO_set_dynlock_create_callback (dyn_create_function);
-  CRYPTO_set_dynlock_lock_callback   (dyn_lock_function);
-  CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
-  return 1;
-}
-
-#if defined(DO_PROPER_OPENSSL_CLEANUP)
-static int
-imaptls_thread_cleanup(void)
-{
-  int i, mutex_cnt = CRYPTO_num_locks();
-  if(!mutexes)
-    return 0;
-  CRYPTO_set_id_callback(NULL);
-  CRYPTO_set_locking_callback(NULL);
-  CRYPTO_set_dynlock_create_callback(NULL);
-  CRYPTO_set_dynlock_lock_callback(NULL);
-  CRYPTO_set_dynlock_destroy_callback(NULL);
-  for(i=0; i<mutex_cnt; i++)
-         g_mutex_clear(&mutexes[i]);
-  free(mutexes); mutexes = NULL;
-  return 1;
-}
-#endif /* DO_PROPER_OPENSSL_CLEANUP */
-#else
-static int imaptls_thread_setup() { return 0; }
-#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VER(1,1,0,0,4) */
-
-SSL*
-imap_create_ssl(void)
-{
-  SSL *ssl;
-
-  g_mutex_lock(&global_tls_lock);
-  if(!global_ssl_context) {
-    /* Initialize OpenSSL library, follow "Network Security with
-       OpenSSL", ISBN 0-596-00270-X, guidelines. Example 4-2. */
-    imaptls_thread_setup();
-    SSL_library_init();
-    SSL_load_error_strings();
-#if 0
-    global_ssl_context = SSL_CTX_new (TLSv1_client_method ());
-#else
-    /* Note: SSLv23_client_method() actually enables *all* protocols, including
-     * SSLv(2|3) and TLSv1.(0|1|2), so we must switch all unsafe ones off */
-    global_ssl_context = SSL_CTX_new (SSLv23_client_method ());
-    if(!global_ssl_context) {
-        fprintf(stderr, "Could not initialize SSL Context.\n");
-        ERR_print_errors_fp(stderr);
-        fprintf(stderr, "\nEnd of print_errors\n");
-        g_mutex_unlock(&global_tls_lock);
-        return NULL;
-    }
-
-#ifdef ENABLE_SSL3
-    SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2);
-#else
-    SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
-#endif
-#endif
-    /* no client certificate password support yet
-     * SSL_CTX_set_default_passwd_cb (ctx, ctx_password_cb);
-     * SSL_CTX_set_default_passwd_cb_userdata (ctx, ctx_password_cb_arg); 
-     */
-
-    /* Load the trusted CAs here. We just trust the system CA for the
-       moment but we could try to be compatible with libESMTP in this
-       respect.
-    */
-   SSL_CTX_set_default_verify_paths (global_ssl_context);
-  }
-  g_mutex_unlock(&global_tls_lock);
-
-  ssl = SSL_new(global_ssl_context);
-
-  /* setup client certificates here */
-  return ssl;
-}
-
-/* check_server_identity() follows example 5-8 in the OpenSSL book. */
-static int
-host_matches_domain(const char* host, const char*domain, int host_len)
-{ 
-  if(!domain || !host)
-    return 0;
-  if(domain[0] == '*') { /* RFC2595, section 2.4 */
-    int domain_len = strlen(domain);
-    if(domain_len<2 || domain[1] != '.') /* wrong wildcard format! */
-      return 0;
-    if(host_len - domain_len + 2<= 0) /* host much shorter than wildcard */
-      return 0;
-    return g_ascii_strcasecmp(host + host_len - domain_len+2, 
-                              domain+2) == 0;
-  } else 
-    return g_ascii_strncasecmp(host, domain, host_len) == 0;
-}
-
-static int
-imap_check_server_identity(SSL *ssl, const char *host,
-                           ImapUserCb user_cb, void *user_arg)
-{
-  long vfy_result;
-  X509 *cert;
-  X509_NAME *subj;
-  int ok, host_len;
-  gchar *colon;
-  int has_extension_with_dns_name = 0;
-  STACK_OF(GENERAL_NAME) *altnames;
-
-  if(!host)
-    return 0;
-  /* Check whether the certificate matches the server. */
-  cert = SSL_get_peer_certificate(ssl);
-  if(!cert)
-    return 0;
-
-  colon = strchr(host, ':');
-  host_len = colon ? colon - host : (int)strlen(host);
-  ok = 0;
-
-  altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
-
-  if (altnames) {
-    int i;
-
-    for (i=0; i< sk_GENERAL_NAME_num(altnames); i++) {
-      const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(altnames, i);
-
-      /* We handle only GEN_DNS. GEN_IP (certificates for IP numbers)
-         are too weird to be real in IMAP case. */
-      if (current_name->type == GEN_DNS) {
-        const ASN1_IA5STRING *ia5 = current_name->d.ia5;
-        const char *name = (const char*)ia5->data;
-        has_extension_with_dns_name = 1;
-
-        if (strlen(name) == (size_t)ia5->length &&
-            host_matches_domain(host, name, host_len)) {
-          /* printf("verified name using extension\n"); */
-          ok = 1;
-          break;
-        }
-      }
-    }
-    sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free);
-  }
-
-  if (!has_extension_with_dns_name) {
-    char data[256];
-    size_t name_len;
-    if( (subj = X509_get_subject_name(cert)) &&
-        (name_len = 
-         X509_NAME_get_text_by_NID(subj, NID_commonName,
-                                   data, sizeof(data)))){
-      data[sizeof(data)-1] = 0;
-
-      /* Remember to check whether there was no truncation or NUL
-         characters embedded in the text. */
-      if(name_len == strlen(data) &&
-         host_matches_domain(host, data, host_len)) {
-        ok =1;
-        /* printf("verified name using common name\n"); */
-      }
-    }
-  }
-
-  X509_free(cert);
-  if(ok)
-    vfy_result = SSL_get_verify_result(ssl);
-  else
-    vfy_result = X509_V_ERR_APPLICATION_VERIFICATION;
-
-  if(vfy_result == X509_V_OK)
-    return 1;
-  /* There was a problem with the verification, one has to leave it up
-   * to the application what to do with this.
-   */
-  ok = 0;
-  if(user_cb)
-    user_cb(IME_TLS_VERIFY_ERROR, user_arg, &ok, 
-            vfy_result, ssl);
-  return ok;
-}
-
-static int
-check_cipher_strength(SSL *ssl, ImapUserCb user_cb, void *user_arg)
-{
-  int ok, bits = SSL_get_cipher_bits(ssl, NULL);
-
-  if (bits > 40) 
-    return 1;
-  ok = 0;
-  if (user_cb != NULL)
-    user_cb(IME_TLS_WEAK_CIPHER, user_arg,
-                    bits, &ok);
-  return ok;
-}
-
-int
-imap_setup_ssl(struct siobuf *sio, const char* host, SSL *ssl,
-               ImapUserCb user_cb, void *user_arg)
-{
-  if(ERR_peek_error()) {
-    fprintf(stderr, "OpenSSL error in %s():\n", __FUNCTION__);
-    ERR_print_errors_fp(stderr);
-    fprintf(stderr, "\nEnd of print_errors\n");
-  }
-  if(sio_set_tlsclient_ssl (sio, ssl)) {
-    if(!imap_check_server_identity(ssl, host, user_cb, user_arg)) {
-      printf("Server identity not confirmed\n");
-      return 0;
-    }
-    if(!check_cipher_strength(ssl, user_cb, user_arg)) {
-      printf("Cipher too weak\n");
-      return 0;
-    }
-    return 1;
-  } else {
-    printf("set_tlsclient failed for %s\n", host);
-    return 0;
-  }
-}
-
 ImapResponse
 imap_handle_starttls(ImapMboxHandle *handle)
 {
-  ImapResponse rc;
-  SSL *ssl;
-
-  IMAP_REQUIRED_STATE1(handle, IMHS_CONNECTED, IMR_BAD);
-  if(!imap_mbox_handle_can_do(handle, IMCAP_STARTTLS)) 
-    return IMR_NO;
-
-
-  ssl = imap_create_ssl();
-  if(!ssl) { 
-    printf("ssl=%p ctx=%p\n", ssl, global_ssl_context);
-    return IMR_NO;
-  }
-
-  if( (rc=imap_cmd_exec(handle, "StartTLS")) != IMR_OK) {
-    SSL_free(ssl);
-    return rc;
-  }
-  if(imap_setup_ssl(handle->sio, handle->host, ssl,
-                    handle->user_cb, handle->user_arg)) {
-    handle->using_tls = 1;
-    handle->has_capabilities = 0;
-    return IMR_OK;
-  } else {
-    /* ssl is owned now by sio, no need to free it SSL_free(ssl); */
-    imap_handle_disconnect(handle);
-    return IMR_NO;
-  }
+       ImapResponse rc;
+
+       IMAP_REQUIRED_STATE1(handle, IMHS_CONNECTED, IMR_BAD);
+       if (!imap_mbox_handle_can_do(handle, IMCAP_STARTTLS))
+               return IMR_NO;
+
+       rc = imap_cmd_exec(handle, "StartTLS");
+       if (rc != IMR_OK) {
+               return rc;
+       }
+       if (net_client_start_tls(NET_CLIENT(handle->sio), NULL)) {
+               handle->has_capabilities = 0;
+               return IMR_OK;
+       } else {
+               /* ssl is owned now by sio, no need to free it SSL_free(ssl); */
+               imap_handle_disconnect(handle);
+               return IMR_NO;
+       }
 }
diff --git a/libbalsa/imap/imap_compress.c b/libbalsa/imap/imap_compress.c
index a974b6d2..0010ab97 100644
--- a/libbalsa/imap/imap_compress.c
+++ b/libbalsa/imap/imap_compress.c
@@ -15,169 +15,26 @@
  * along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <zlib.h>
-#include "siobuf.h"
+#include "siobuf-nc.h"
 #include "imap-handle.h"
 #include "imap_private.h"
 
-/** Arbitrary. Current choice is as good as any other. */
-static const unsigned IMAP_COMPRESS_BUFFER_SIZE = 8192;
-
-static int
-imap_compress_cb(char **dstbuf, int *dstlen,
-                 const char *srcbuf, int srclen, void *arg)
-{
-  struct ImapCompressContext *icb = &((ImapMboxHandle*)arg)->compress;
-  int err;
-
-  *dstbuf = icb->out_buffer;
-
-  if (*dstlen == 0) { /* first call */
-    icb->out_stream.next_in  = (Bytef*)srcbuf;
-    icb->out_stream.avail_in = srclen;
-    icb->out_uncompressed += srclen;
-  }
-
-  icb->out_stream.next_out = (Byte*)*dstbuf;
-  icb->out_stream.avail_out = IMAP_COMPRESS_BUFFER_SIZE;
-
-  err = deflate(&icb->out_stream, srclen ? Z_NO_FLUSH : Z_SYNC_FLUSH);
-  if ( !(err == Z_OK || err == Z_STREAM_END || err == Z_BUF_ERROR) ) {
-    fprintf(stderr, "deflate error1 %d\n", err);
-    *dstlen = -1;
-  } else {
-    *dstlen = IMAP_COMPRESS_BUFFER_SIZE - icb->out_stream.avail_out;
-    /* printf("imap_compress_cb %d bytes to %d\n", srclen, *dstlen); */
-    icb->out_compressed += *dstlen;
-  }
-
-  return *dstlen;
-}
-
-static int
-imap_decompress_cb(char **dstbuf, int *dstlen,
-                   const char *srcbuf, int srclen, void *arg)
-{
-  struct ImapCompressContext *icb = &((ImapMboxHandle*)arg)->compress;
-  int err;
-
-  *dstbuf = icb->in_buffer;
-
-  if (srclen) {
-    icb->in_stream.next_in  = (Bytef*)srcbuf;
-    icb->in_stream.avail_in = srclen;
-    icb->in_compressed += srclen;
-  }
-
-  icb->in_stream.next_out = (Byte*)*dstbuf;
-  icb->in_stream.avail_out =  IMAP_COMPRESS_BUFFER_SIZE;
-  err = inflate(&icb->in_stream, Z_SYNC_FLUSH);
-  
-  if (!(err == Z_OK || err == Z_BUF_ERROR || err == Z_STREAM_END)) {
-    fprintf(stderr, "inflate error %d\n", err);
-    *dstlen = -1;
-  } else {
-    *dstlen = IMAP_COMPRESS_BUFFER_SIZE - icb->in_stream.avail_out;
-    /* printf("imap_decompress_cb %d bytes to %d\n", srclen, *dstlen); */
-    icb->in_uncompressed += *dstlen;
-  }
-  return *dstlen;
-}
-
 /** Enables COMPRESS extension if available. Assumes that the handle
     is already locked. */
 ImapResponse
 imap_compress(ImapMboxHandle *handle)
 {
-  struct ImapCompressContext *icb;
-  int err;
-
-  if (!handle->enable_compress ||
-      !imap_mbox_handle_can_do(handle, IMCAP_COMPRESS_DEFLATE))
-    return IMR_NO;
-
-  if (imap_cmd_exec(handle, "COMPRESS DEFLATE") != IMR_OK)
-    return IMR_NO;
-
-  icb = &handle->compress;
-  icb->in_buffer = malloc(IMAP_COMPRESS_BUFFER_SIZE);
-  icb->out_buffer = malloc(IMAP_COMPRESS_BUFFER_SIZE);
-
-  if (!icb->in_buffer || !icb->out_buffer)
-    return IMR_NO;
-
-  /* Compression enabled. Everything that we send and receive now must
-     go through compression/decompression routines enabled in sio. */
-
-  icb->out_stream.zalloc = Z_NULL;
-  icb->out_stream.zfree = Z_NULL;
-  icb->out_stream.opaque = (voidpf)0;
-
-  /* amazingly enough, deflateInit() won't do */
-  err = deflateInit2(&icb->out_stream, Z_DEFAULT_COMPRESSION, Z_DEFLATED,
-                     -15, 8, Z_DEFAULT_STRATEGY);
-  if (err != Z_OK) {
-    fprintf(stderr, "deflateInit error: %d\n", err);
-    return IMR_NO;
-  }
-
-  icb->in_stream.next_in = Z_NULL;
-  icb->in_stream.avail_in = 0;
-  icb->in_stream.zalloc = Z_NULL;
-  icb->in_stream.zfree = Z_NULL;
-  icb->in_stream.opaque = (voidpf)0;
-
-  /* amazingly enough, inflateInit() won't do */
-  err = inflateInit2(&icb->in_stream, -15);
-  if (err != Z_OK) {
-    fprintf(stderr, "inflateInit error: %d\n", err);
-    return IMR_NO;
-  }
-
-  if (handle->sio) {
-    sio_set_securitycb(handle->sio, imap_compress_cb, imap_decompress_cb,
-                       handle);
-    return IMR_OK;
-  } else {
-    fprintf(stderr, "SIO not set!\n");
-    return IMR_NO;
-  }
-}
-
-void
-imap_compress_init(struct ImapCompressContext *buf)
-{
-  memset(buf, 0, sizeof(struct ImapCompressContext));
+       if (!handle->enable_compress ||
+               !imap_mbox_handle_can_do(handle, IMCAP_COMPRESS_DEFLATE))
+               return IMR_NO;
+
+       if (imap_cmd_exec(handle, "COMPRESS DEFLATE") != IMR_OK)
+               return IMR_NO;
+
+       if (net_client_start_compression(NET_CLIENT(handle->sio), NULL)) {
+               return IMR_OK;
+       } else {
+               g_warning("%s: SIO not set!", __func__);
+               return IMR_NO;
+       }
 }
-
-/** releases any data that might have been allocated by compression routines. */
-
-void
-imap_compress_release(struct ImapCompressContext *buf)
-{
-
-  if (buf->in_buffer) {
-    inflateEnd(&buf->in_stream);
-    free(buf->in_buffer);
-  }
-
-  if (buf->out_buffer) {
-    deflateEnd(&buf->out_stream);
-    free(buf->out_buffer);
-  }
-  if (buf->in_uncompressed) {
-    printf("IMAP server compression %lu -> %lu sent %5.1f %% over wire\n",
-           buf->in_compressed, buf->in_uncompressed,  
-           100.0*(buf->in_compressed/(float)buf->in_uncompressed));
-  }
-  if (buf->in_uncompressed) {
-    printf("IMAP client compression %lu -> %lu sent %5.1f %% over wire\n",
-           buf->out_uncompressed, buf->out_compressed,  
-           100.0*(buf->out_compressed/(float)buf->out_uncompressed));
-  }
-}
-
-
diff --git a/libbalsa/imap/imap_compress.h b/libbalsa/imap/imap_compress.h
index 85f5c720..ac5e5977 100644
--- a/libbalsa/imap/imap_compress.h
+++ b/libbalsa/imap/imap_compress.h
@@ -17,22 +17,8 @@
  * along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
-#include <zlib.h>
-
 #include "imap-handle.h"
 
-struct ImapCompressContext {
-  z_stream out_stream;
-  z_stream in_stream;
-  char *in_buffer;
-  char *out_buffer;
-  unsigned long in_uncompressed, in_compressed;
-  unsigned long out_uncompressed, out_compressed;
-};
-
 ImapResponse imap_compress(ImapMboxHandle* h);
 
-void imap_compress_init(struct ImapCompressContext *buf);
-void imap_compress_release(struct ImapCompressContext *buf);
-
 #endif /* __IMAP_COMPRESS_H__ */
diff --git a/libbalsa/imap/imap_private.h b/libbalsa/imap/imap_private.h
index 7f7dcc86..e9821ead 100644
--- a/libbalsa/imap/imap_private.h
+++ b/libbalsa/imap/imap_private.h
@@ -19,10 +19,11 @@
 
 #include <glib.h>
 #include <glib-object.h>
-#include <openssl/ssl.h>
 
 #include "config.h"
 
+#include "net-client-siobuf.h"
+
 #include "imap-commands.h"
 #include "imap_compress.h"
 
@@ -54,8 +55,8 @@ typedef struct {
 struct _ImapMboxHandle {
   GObject object;
 
-  int sd; /* socket descriptor */
-  struct siobuf * sio;
+  NetClientSioBuf *sio;
+
   char *host;
   char* mbox; /* currently selected mailbox, if any */
   int timeout; /* timeout in milliseconds */
@@ -82,9 +83,6 @@ struct _ImapMboxHandle {
                           * processing of current line is finished. */
   GNode *thread_root; /* deprecated! */
 
-  /** Compression data */
-  struct ImapCompressContext compress;
-
   struct {
     GList* src; /**< returned by COPY */
     GList* dst; /**< returned by APPEND and COPY */
@@ -96,28 +94,27 @@ struct _ImapMboxHandle {
   gboolean doing_logout;
   ImapInfoCb info_cb;
   void *info_arg;
-  ImapUserCb user_cb; /* for user interaction, if really necessary */
-  void *user_arg;
+
+  GCallback auth_cb;   /* authentication callback ("auth" signal) */
+  void *auth_arg;
+
+  GCallback cert_cb;   /* untrusted certificate callback ("cert-check" signal) */
 
   ImapFlagsCb flags_cb;
   void *flags_arg;
   ImapFetchBodyInternalCb body_cb;
   void *body_arg;
 
-  ImapMonitorCb monitor_cb;
-  void *monitor_arg;
-
   ImapSearchCb search_cb;
   void *search_arg;
 
   GHashTable *status_resps; /* A hash of STATUS responses that we wait for */
 
-  GIOChannel *iochannel; /* IO channel used for monitoring the connection */
+  GSource *sock_source;
   GMutex mutex;
   guint idle_enable_id; /* callback to issue IDLE after a period of
                            inactivity */
-  guint async_watch_id;  /* callback to process incoming data */
-  ImapTlsMode tls_mode; /* disabled, enabled, required */
+  NetClientCryptMode tls_mode; /* disabled, enabled, required */
   enum { IDLE_INACTIVE, IDLE_RESPONSE_PENDING, IDLE_ACTIVE }
     idle_state; /*  IDLE State? */
   unsigned op_cancelled:1; /* last op timed out and was cancelled by user */
@@ -138,10 +135,6 @@ struct _ImapMboxHandle {
   gulong quota_max_k;         /**< max. available quota in kByte */
   gulong quota_used_k;        /**< used quota in kByte */
   gchar *quota_root;
-
-  unsigned over_ssl:1; /* transmission is to be made over SSL-protected
-                        * connection, usually to imaps port. */
-  unsigned using_tls:1;
 };
 
 #define IMAP_MBOX_IS_DISCONNECTED(h)  ((h)->state == IMHS_DISCONNECTED)
@@ -170,7 +163,7 @@ struct _ImapMboxHandle {
 
 #define IS_ATOM_CHAR(c) (strchr("(){ %*\"\\]",(c))==NULL&&(c)>0x1f&&(c)!=0x7f)
 
-#define EAT_LINE(h, c) while( (c=sio_getc(h->sio)) != -1 && c != '\n')
+#define EAT_LINE(h, c) c = net_client_siobuf_discard_line(h->sio, NULL)
 
 extern const char* imap_msg_flags[6];
 
@@ -189,7 +182,6 @@ ImapResponse imap_cmd_exec_cmds(ImapMboxHandle* handle, const char** cmds,
                                unsigned rc_to_return);
 
 ImapResponse imap_cmd_issue(ImapMboxHandle* handle, const char* cmd);
-char* imap_mbox_gets(ImapMboxHandle *h, char* buf, size_t sz);
 
 ImapResponse imap_write_key(ImapMboxHandle *handle, ImapSearchKey *s,
                             unsigned cmdno, int use_literal);
@@ -199,10 +191,6 @@ ImapResponse imap_search_exec_unlocked(ImapMboxHandle *h, gboolean uid,
 ImapResponse imap_assure_needed_flags(ImapMboxHandle *h,
                                       ImapMsgFlag needed_flags);
 
-SSL* imap_create_ssl(void);
-int imap_setup_ssl(struct siobuf *sio, const char* host, SSL *ssl,
-                   ImapUserCb user_cb, void *user_arg);
-
 void imap_handle_disconnect(ImapMboxHandle *h);
 ImapConnectionState imap_mbox_handle_get_state(ImapMboxHandle *h);
 void imap_mbox_handle_set_state(ImapMboxHandle *h,
@@ -219,12 +207,9 @@ gchar *imap_coalesce_set(int cnt, unsigned *seqnos);
 /* even more private functions */
 int imap_cmd_start(ImapMboxHandle* handle, const char* cmd, unsigned* cmdno);
 ImapResponse imap_cmd_step(ImapMboxHandle* handle, unsigned cmdno);
-int      imap_handle_write(ImapMboxHandle *conn, const char *buf, size_t len);
-void     imap_handle_flush(ImapMboxHandle *handle);
+ImapResponse imap_cmd_process_untagged(ImapMboxHandle* handle, unsigned cmdno);
 unsigned imap_make_tag(ImapCmdTag tag);
 void mbox_view_append_no(MboxView *mv, unsigned seqno);
 
-int imap_socket_open(const char* host, const char *def_port);
-
 extern const char* imap_status_item_names[5];
 #endif /* __IMAP_PRIVATE_H__ */
diff --git a/libbalsa/imap/imap_search.c b/libbalsa/imap/imap_search.c
index 354e7433..025c1822 100644
--- a/libbalsa/imap/imap_search.c
+++ b/libbalsa/imap/imap_search.c
@@ -22,7 +22,7 @@
 #include <glib.h>
 #include <time.h>
 
-#include "siobuf.h"
+#include "siobuf-nc.h"
 #include "imap_search.h"
 #include "imap_private.h"
 
@@ -258,7 +258,7 @@ imap_search_checks(const ImapSearchKey *s, ImapSearchKeyType s_type)
 void
 imap_search_key_set_next(ImapSearchKey *list, ImapSearchKey *next)
 {
-  if(list->next) g_warning("I may be loosing my tail now!\n");
+  if(list->next) g_warning("I may be loosing my tail now!");
   list->next = next;
 }
 static void
@@ -319,13 +319,11 @@ imap_write_key_string(ImapMboxHandle *handle, ImapSearchKey *k,
       int c;
       ImapResponse rc;
       unsigned len = strlen(k->d.string.s);
-      sio_printf(handle->sio, "{%u}\r\n", len);
-      imap_handle_flush(handle);
-      do
-        rc = imap_cmd_step(handle, cmdno);
-      while(rc == IMR_UNTAGGED);
+      sio_printf(handle->sio, "{%u}", len);
+      net_client_siobuf_flush(handle->sio, NULL);
+      rc = imap_cmd_process_untagged(handle, cmdno);
       if (rc != IMR_RESPOND) {
-        fprintf(stderr, "%s(): unexpected response:\n", __FUNCTION__);
+        g_debug("%s(): unexpected response", __FUNCTION__);
         return rc;
       }
       /* consume to the end of line */
@@ -518,22 +516,16 @@ imap_search_exec_unlocked(ImapMboxHandle *h, gboolean uid,
       sio_printf(h->sio, "%s%s %s %u:%u ", tag, uid ? " UID" : "", cmd_string,
                lo, hi);
       if( (ir=imap_write_key(h, s, cmdno, can_do_literals)) == IMR_OK) {
-       sio_write(h->sio, "\r\n", 2);
-       imap_handle_flush(h);
-       do {
-         ir = imap_cmd_step(h, cmdno);
-       } while(ir == IMR_UNTAGGED);
+       net_client_siobuf_flush(h->sio, NULL);
+       ir = imap_cmd_process_untagged(h, cmdno);
       } else break;
     }
   } else { /* no split */
     cmdno = imap_make_tag(tag);
     sio_printf(h->sio, "%s%s %s ", tag, uid ? " UID" : "", cmd_string);
     if( (ir=imap_write_key(h, s, cmdno, can_do_literals)) == IMR_OK) {
-      sio_write(h->sio, "\r\n", 2);
-      imap_handle_flush(h);
-      do {
-         ir = imap_cmd_step(h, cmdno);
-      } while(ir == IMR_UNTAGGED);
+      net_client_siobuf_flush(h->sio, NULL);
+      ir = imap_cmd_process_untagged(h, cmdno);
     }
   }
   h->search_cb  = ocb;
diff --git a/libbalsa/imap/imap_tst.c b/libbalsa/imap/imap_tst.c
index f51e9622..7b14c8f9 100644
--- a/libbalsa/imap/imap_tst.c
+++ b/libbalsa/imap/imap_tst.c
@@ -38,36 +38,23 @@
 struct {
   char *user;
   char *password;
-  ImapTlsMode tls_mode;
-  gboolean over_ssl;
-  gboolean monitor;
+  NetClientCryptMode tls_mode;
   gboolean anonymous;
   gboolean compress;
-} TestContext = { NULL, NULL, IMAP_TLS_ENABLED, FALSE, FALSE, FALSE, FALSE };
-
-static void
-monitor_cb(const char *buffer, int length, int direction, void *arg)
-{
-  int i;
-  printf("IMAP %c: ", direction ? 'C' : 'S');
-  for (i = 0; i < length; i++)
-    putchar(buffer[i]);
-
-  fflush(NULL);
-}
+} TestContext = { NULL, NULL, NET_CLIENT_CRYPT_STARTTLS_OPT, FALSE, FALSE };
 
 
 static gchar*
-get_user(const char* method) {
+get_user() {
 
   if(TestContext.user) {
-    printf("Login with method %s as user: %s\n", method, TestContext.user);
+    printf("Login as user: %s\n", TestContext.user);
     return g_strdup(TestContext.user);
   } else {
     char buf[256];
     size_t len;
 
-    fprintf(stderr, "Login with method %s as user: ", method);
+    fprintf(stderr, "Login as user: ");
     fflush(stderr);
     if(!fgets(buf, sizeof(buf), stdin))
       return NULL;
@@ -110,54 +97,24 @@ get_password()
   }
 }
 
-static void
-user_cb(ImapUserEventType ue, void *arg, ...)
+static gchar **
+auth_cb(NetClient *client, gboolean need_passwd, gpointer user_data)
 {
-    va_list alist;
-    va_start(alist, arg);
-    switch(ue) {
-        int *ok;
-    case IME_GET_USER_PASS: {
-        gchar *method = va_arg(alist, gchar*);
-        gchar **user = va_arg(alist, gchar**);
-        gchar **pass = va_arg(alist, gchar**);
-        ok = va_arg(alist, int*);
-       g_free(*user); *user = get_user(method);
-       g_free(*pass); *pass = get_password();
-        *ok = 1; printf("Logging in with %s\n", method);
-        break;
-    }
-    case IME_GET_USER:  { /* for eg kerberos */
-        gchar **user;
-        gchar *method;
-        method = va_arg(alist, gchar*);
-        user = va_arg(alist, gchar**);
-        ok = va_arg(alist, int*);
-        *ok = 1; /* consider popping up a dialog window here */
-        g_free(*user); *user = get_user(method);
-        break;
-    }
-    case IME_TLS_VERIFY_ERROR:
-        ok = va_arg(alist, int*);
-       *ok = 1;
-        break;
-    case IME_TLS_NO_PEER_CERT: {
-        ok = va_arg(alist, int*); *ok = 0;
-        printf("IMAP:TLS: Server presented no cert!\n");
-        break;
-    }
-    case IME_TLS_WEAK_CIPHER: {
-        ok = va_arg(alist, int*); *ok = 1;
-        printf("IMAP:TLS: Weak cipher accepted.\n");
-        break;
-    }
-    case IME_TIMEOUT: {
-        ok = va_arg(alist, int*); *ok = 1;
-        break;
-    }
-    default: g_warning("unhandled imap event type! Fix the code."); break;
+    gchar **result = NULL;
+
+    result = g_new0(gchar *, 3U);
+    result[0] = get_user();
+    if (need_passwd) {
+       result[1] = get_password();
     }
-    va_end(alist);
+    return result;
+}
+
+static gboolean
+cert_cb(NetClient *client, GTlsCertificate *peer_cert, GTlsCertificateFlags errors, gpointer user_data)
+{
+       printf("cert error 0x%x, accepted...\n", errors);
+       return TRUE;
 }
 
 static ImapMboxHandle*
@@ -171,11 +128,11 @@ get_handle(const char *host)
 
   if(TestContext.compress)
     imap_handle_set_option(h, IMAP_OPT_COMPRESS, TRUE);
-  if(TestContext.monitor)
-    imap_handle_set_monitorcb(h, monitor_cb, NULL);
 
-  imap_handle_set_usercb(h, user_cb, NULL);
-  if(imap_mbox_handle_connect(h, host, TestContext.over_ssl) != IMAP_SUCCESS) {
+  imap_handle_set_authcb(h, G_CALLBACK(auth_cb), NULL);
+  imap_handle_set_certcb(h, G_CALLBACK(cert_cb));
+
+  if(imap_mbox_handle_connect(h, host) != IMAP_SUCCESS) {
     g_object_unref(h);
     return NULL;
   }
@@ -629,14 +586,10 @@ process_options(int argc, char *argv[])
       TestContext.anonymous = TRUE;
     } else if( strcmp(argv[first_arg], "-c") == 0) {
       TestContext.compress = TRUE;
-    } else if( strcmp(argv[first_arg], "-m") == 0) {
-      TestContext.monitor = TRUE;
-    } else if( strcmp(argv[first_arg], "-s") == 0) {
-      TestContext.over_ssl = TRUE;
     } else if( strcmp(argv[first_arg], "-T") == 0) {
-      TestContext.tls_mode = IMAP_TLS_REQUIRED;
+      TestContext.tls_mode = NET_CLIENT_CRYPT_STARTTLS;
     } else if( strcmp(argv[first_arg], "-t") == 0) {
-      TestContext.tls_mode = IMAP_TLS_DISABLED;
+      TestContext.tls_mode = NET_CLIENT_CRYPT_NONE;
     } else {
       break; /* break the loop - non-option encountered. */
     }
diff --git a/libbalsa/imap/libimap.h b/libbalsa/imap/libimap.h
index e44938f6..616989a5 100644
--- a/libbalsa/imap/libimap.h
+++ b/libbalsa/imap/libimap.h
@@ -42,12 +42,6 @@ typedef enum {
   IMAP_SELECT_FAILED /* SELECT command failed */
 } ImapResult;
 
-typedef enum {
-  IMAP_TLS_DISABLED,
-  IMAP_TLS_ENABLED,
-  IMAP_TLS_REQUIRED
-} ImapTlsMode;
-
 typedef enum { 
   IMLIST_MARKED = 0,
   IMLIST_UNMARKED,
@@ -273,8 +267,6 @@ void*        imap_message_serialize(ImapMessage *);
 ImapMessage* imap_message_deserialize(void *data);
 size_t imap_serialized_message_size(void *data);
 
-const char *lbi_strerror(ImapResult rc);
-
 /* RFC 4314: IMAP ACL's */
 typedef enum {
   IMAP_ACL_NONE = 0,
diff --git a/libbalsa/imap/util.c b/libbalsa/imap/util.c
index c9bd0893..6860ab3d 100644
--- a/libbalsa/imap/util.c
+++ b/libbalsa/imap/util.c
@@ -27,71 +27,28 @@
 
 #define SKIPWS(c) while (*(c) && isspace ((unsigned char) *(c))) c++;
 
-void
-imap_quote_string(char *dest, size_t dlen, const char *src)
+gchar *
+imap_quote_string(const gchar *src)
 {
-  char quote[] = "\"\\", *pt;
-  const char *s;
+       g_return_val_if_fail(src != NULL, NULL);
 
-  pt = dest;
-  s  = src;
+       if ((strchr(src, '"') == NULL) && (strchr(src, '\\') == NULL)) {
+               /* no need to quote... */
+               return g_strdup(src);
+       } else {
+               GString *buf;
 
-  *pt++ = '"';
-  /* save room for trailing quote-char */
-  dlen -= 2;
-  
-  for (; *s && dlen; s++)
-  {
-    if (strchr (quote, *s))
-    {
-      dlen -= 2;
-      if (!dlen)
-       break;
-      *pt++ = '\\';
-      *pt++ = *s;
-    }
-    else
-    {
-      *pt++ = *s;
-      dlen--;
-    }
-  }
-  *pt++ = '"';
-  *pt = 0;
-}
-
-/* imap_unquote_string: 
- *  modify the argument removing quote characters 
- */
-void
-imap_unquote_string (char *s)
-{
-  char *d = s;
-
-  if (*s == '\"')
-    s++;
-  else
-    return;
-
-  while (*s)
-  {
-    if (*s == '\"')
-    {
-      *d = '\0';
-      return;
-    }
-    if (*s == '\\')
-    {
-      s++;
-    }
-    if (*s)
-    {
-      *d = *s;
-      d++;
-      s++;
-    }
-  }
-  *d = '\0';
+               buf = g_string_sized_new(strlen(src + 3U));
+               g_string_append_c(buf, '"');
+               for (; *src != '\0'; src++) {
+                       if ((*src == '"') || (*src == '\\')) {
+                               g_string_append_c(buf, '\\');
+                       }
+                       g_string_append_c(buf, *src);
+               }
+               g_string_append_c(buf, '"');
+               return g_string_free(buf, FALSE);
+       }
 }
 
 /* imap_skip_atom: return index into string where next IMAP atom begins.
diff --git a/libbalsa/imap/util.h b/libbalsa/imap/util.h
index 583399d3..a01477f1 100644
--- a/libbalsa/imap/util.h
+++ b/libbalsa/imap/util.h
@@ -17,8 +17,10 @@
  * along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
-void imap_quote_string(char *dest, size_t dlen, const char *src);
-void imap_unquote_string(char *s);
+#include <glib.h>
+
+gchar *imap_quote_string(const gchar *src)
+       G_GNUC_WARN_UNUSED_RESULT;
 char* imap_next_word(char *s);
 char* imap_skip_atom(char *s);
 
diff --git a/libbalsa/libbalsa.c b/libbalsa/libbalsa.c
index f8ca04de..9c74e9b9 100644
--- a/libbalsa/libbalsa.c
+++ b/libbalsa/libbalsa.c
@@ -30,9 +30,6 @@
 #include <sys/stat.h>
 #include <stdarg.h>
 #include <unistd.h>
-#include <openssl/ssl.h>
-#include <openssl/x509.h>
-#include <openssl/err.h>
 
 #ifdef HAVE_NOTIFY
 #include <libnotify/notify.h>
@@ -53,6 +50,8 @@
 #if HAVE_GCR
 #define GCR_API_SUBJECT_TO_CHANGE
 #include <gcr/gcr.h>
+#else
+#include <gnutls/x509.h>
 #endif
 
 #include "misc.h"
@@ -347,70 +346,10 @@ libbalsa_ask(gboolean (*cb)(void *arg), void *arg)
 }
 
 
-static int libbalsa_ask_for_cert_acceptance(X509 *cert,
-                                           const char *explanation);
-
-#ifndef HAVE_GCR
-
-static char*
-asn1time_to_string(ASN1_UTCTIME *tm)
-{
-    char buf[64];
-    BIO *bio  = BIO_new(BIO_s_mem());
-    strncpy(buf, _("Invalid date"), sizeof(buf)); buf[sizeof(buf)-1]='\0';
-
-    if(ASN1_TIME_print(bio, tm)) {
-        int cnt;
-        cnt = BIO_read(bio, buf, sizeof(buf)-1);
-        buf[cnt] = '\0';
-    }
-    BIO_free(bio);
-    return g_strdup(buf);
-}
-
-static char*
-x509_get_part (char *line, const char *ndx)
-{
-    static char ret[256];
-    char *c;
-
-    strncpy (ret, _("Unknown"), sizeof (ret)); ret[sizeof(ret)-1]='\0';
-
-    c = strstr(line, ndx);
-    if (c) {
-        char *c2;
-
-        c += strlen (ndx);
-        c2 = strchr (c, '/');
-        if (c2)
-            *c2 = '\0';
-        strncpy (ret, c, sizeof (ret));
-        if (c2)
-            *c2 = '/';
-    }
+static int libbalsa_ask_for_cert_acceptance(GTlsCertificate      *cert,
+                                                                                       GTlsCertificateFlags  
errors);
 
-    return ret;
-}
-static void
-x509_fingerprint (char *s, unsigned len, X509 * cert)
-{
-    unsigned j, i, n, c;
-    unsigned char md[EVP_MAX_MD_SIZE];
-
-
-    X509_digest(cert, EVP_md5(), md, &n);
-    if(len<3*n) n = len/3;
-    for (j=i=0; j<n; j++) {
-        c = (md[j] >>4) & 0xF; s[i++] = c<10 ? c + '0' : c+'A'-10;
-        c = md[j] & 0xF;       s[i++] = c<10 ? c + '0' : c+'A'-10;
-        if(j<n-1) s[i++] = ':';
-    }
-    s[i] = '\0';
-}
-
-#endif  /* HAVE_GCR */
-
-static GList *accepted_certs = NULL; /* certs accepted for this session */
+static GList *accepted_certs = NULL; /* GTlsCertificate items accepted for this session */
 static GMutex certificate_lock;
 
 void
@@ -418,74 +357,77 @@ libbalsa_certs_destroy(void)
 {
     g_mutex_lock(&certificate_lock);
 
-    libbalsa_clear_list(&accepted_certs, (GDestroyNotify) X509_free);
+    libbalsa_clear_list(&accepted_certs, g_object_unref);
 
     g_mutex_unlock(&certificate_lock);
 }
 
-/* compare Example 10-7 in the OpenSSL book */
+
+#define CERT_ACCEPT_NO                 0
+#define CERT_ACCEPT_SESSION            1
+#define CERT_ACCEPT_PERMANENT  2
+
+
 gboolean
-libbalsa_is_cert_known(X509* cert, long vfy_result)
+libbalsa_is_cert_known(GTlsCertificate      *cert,
+                                          GTlsCertificateFlags  errors)
 {
-    X509 *tmpcert = NULL;
-    FILE *fp;
-    gchar *cert_name;
-    gboolean res = FALSE;
-    GList *lst;
+       gchar *cert_file;
+       GList *cert_db;
+       gboolean cert_ok;
+       GList *lst;
 
-    g_mutex_lock(&certificate_lock);
-    for(lst = accepted_certs; lst; lst = lst->next) {
-        int X509_res = X509_cmp(cert, lst->data);
-        if(X509_res == 0) {
-               g_mutex_unlock(&certificate_lock);
-            return TRUE;
-       }
-    }
-    
-    cert_name = g_strconcat(g_get_home_dir(), "/.balsa/certificates", NULL);
-
-    fp = fopen(cert_name, "rt");
-    g_free(cert_name);
-    if(fp) {
-        /* 
-        printf("Looking for cert: %s\n", 
-               X509_NAME_oneline(X509_get_subject_name (cert),
-                                 buf, sizeof (buf)));
-        */
-        res = FALSE;
-        while ((tmpcert = PEM_read_X509(fp, NULL, NULL, NULL)) != NULL) {
-            res = X509_cmp(cert, tmpcert)==0;
-            X509_free(tmpcert);
-            if(res) break;
-        }
-        ERR_clear_error();
-        fclose(fp);
-    }
-    g_mutex_unlock(&certificate_lock);
-    
-    if(!res) {
-       const char *reason = X509_verify_cert_error_string(vfy_result);
-       res = libbalsa_ask_for_cert_acceptance(cert, reason);
+       /* check the list of accepted certificates for this session */
        g_mutex_lock(&certificate_lock);
-       if(res == 2) {
-           cert_name = g_strconcat(g_get_home_dir(),
-                                   "/.balsa/certificates", NULL);
-            libbalsa_assure_balsa_dir();
-           fp = fopen(cert_name, "a");
-           if (fp) {
-               if(PEM_write_X509 (fp, cert))
-                   res = TRUE;
-               fclose(fp);
-           }
-           g_free(cert_name);
+       for (lst = accepted_certs; lst; lst = lst->next) {
+               if (g_tls_certificate_is_same(cert, G_TLS_CERTIFICATE(lst->data))) {
+                       g_mutex_unlock(&certificate_lock);
+                       return TRUE;
+               }
        }
-       if(res == 1)
-           accepted_certs = 
-               g_list_prepend(accepted_certs, X509_dup(cert));
+
+       /* check the database of accepted certificates */
+       cert_file = g_build_filename(g_get_home_dir(), ".balsa", "certificates", NULL);
+       cert_db = g_tls_certificate_list_new_from_file(cert_file, NULL);
        g_mutex_unlock(&certificate_lock);
-    }
 
-    return res;
+       cert_ok = FALSE;
+       for (lst = cert_db; !cert_ok && (lst != NULL); lst = g_list_next(lst)) {
+               if (g_tls_certificate_is_same(cert, G_TLS_CERTIFICATE(lst->data))) {
+                       cert_ok = TRUE;
+               }
+       }
+       g_list_free_full(cert_db, g_object_unref);
+
+       /* ask the user if the certificate is not in the data base */
+       if (!cert_ok) {
+               int accepted;
+
+               accepted = libbalsa_ask_for_cert_acceptance(cert, errors);
+               g_mutex_lock(&certificate_lock);
+               if (accepted == CERT_ACCEPT_SESSION) {
+                       accepted_certs = g_list_prepend(accepted_certs, g_object_ref(cert));
+                       cert_ok = TRUE;
+               } else if (accepted == CERT_ACCEPT_PERMANENT) {
+                       gchar *pem_data;
+                       FILE *fd;
+
+                       g_object_get(G_OBJECT(cert), "certificate-pem", &pem_data, NULL);
+                       fd = fopen(cert_file, "a");
+                       if (fd != NULL) {
+                               fputs(pem_data, fd);
+                               fclose(fd);
+                       }
+                       g_free(pem_data);
+                       cert_ok = TRUE;
+               } else {
+                       /* nothing to do */
+               }
+               g_mutex_unlock(&certificate_lock);
+       }
+       g_free(cert_file);
+
+       return cert_ok;
 }
 
 /* libbalsa_ask_for_cert_acceptance():
@@ -497,7 +439,7 @@ libbalsa_is_cert_known(X509* cert, long vfy_result)
 
 */
 struct AskCertData {
-    X509 *certificate;
+    GTlsCertificate *certificate;
     const char *explanation;
 };
 
@@ -511,8 +453,7 @@ ask_cert_real(void *data)
     GtkWidget *cert_widget;
     GString *str;
     unsigned i;
-    unsigned char *der_buf = NULL;
-    int der_len;
+    GByteArray *cert_der;
     GcrCertificate *gcr_cert;
     GtkWidget *label;
     GtkBox *vbox;
@@ -526,9 +467,9 @@ ask_cert_real(void *data)
                                          _("_Reject"), GTK_RESPONSE_CANCEL,
                                          NULL);
     gtk_window_set_role(GTK_WINDOW(dialog), "tls_cert_dialog");
-    der_len = i2d_X509(acd->certificate, &der_buf);
-    gcr_cert = gcr_simple_certificate_new(der_buf, der_len);
-    OPENSSL_free(der_buf);
+    g_object_get(G_OBJECT(acd->certificate), "certificate", &cert_der, NULL);
+    gcr_cert = gcr_simple_certificate_new(cert_der->data, cert_der->len);
+    g_byte_array_unref(cert_der);
     cert_widget = GTK_WIDGET(gcr_certificate_widget_new(gcr_cert));
     g_object_unref(G_OBJECT(gcr_cert));
 
@@ -549,14 +490,14 @@ ask_cert_real(void *data)
 
     switch(gtk_dialog_run(GTK_DIALOG(dialog))) {
     case 0:
-       i = 1;
+       i = CERT_ACCEPT_SESSION;
        break;
     case 1:
-       i = 2;
+       i = CERT_ACCEPT_PERMANENT;
        break;
     case GTK_RESPONSE_CANCEL:
     default:
-       i = 0;
+       i = CERT_ACCEPT_NO;
        break;
     }
     gtk_widget_destroy(dialog);
@@ -565,53 +506,116 @@ ask_cert_real(void *data)
 
 #else
 
+static gnutls_x509_crt_t G_GNUC_WARN_UNUSED_RESULT
+get_gnutls_cert(GTlsCertificate *cert)
+{
+       gnutls_x509_crt_t res_crt;
+    int gnutls_res;
+
+    gnutls_res = gnutls_x509_crt_init(&res_crt);
+    if (gnutls_res == GNUTLS_E_SUCCESS) {
+       GByteArray *cert_der;
+
+       g_object_get(G_OBJECT(cert), "certificate", &cert_der, NULL);
+       if (cert_der != NULL) {
+               gnutls_datum_t data;
+
+               data.data = cert_der->data;
+               data.size = cert_der->len;
+               gnutls_res = gnutls_x509_crt_import(res_crt, &data, GNUTLS_X509_FMT_DER);
+               if (gnutls_res != GNUTLS_E_SUCCESS) {
+                       gnutls_x509_crt_deinit(res_crt);
+                       res_crt = NULL;
+               }
+               g_byte_array_unref(cert_der);
+       }
+    } else {
+       res_crt = NULL;
+    }
+    return res_crt;
+}
+
+static gchar * G_GNUC_WARN_UNUSED_RESULT
+gnutls_get_dn(gnutls_x509_crt_t cert, int (*load_fn)(gnutls_x509_crt_t cert, char *buf, size_t *buf_size))
+{
+    size_t buf_size;
+    gchar *str_buf;
+
+    buf_size = 0U;
+    (void) load_fn(cert, NULL, &buf_size);
+    str_buf = g_malloc0(buf_size + 1U);
+    if (load_fn(cert, str_buf, &buf_size) != GNUTLS_E_SUCCESS) {
+       g_free(str_buf);
+       str_buf = NULL;
+    } else {
+       libbalsa_utf8_sanitize(&str_buf, TRUE, NULL);
+    }
+    return str_buf;
+}
+
+static gchar * G_GNUC_WARN_UNUSED_RESULT
+x509_fingerprint(gnutls_x509_crt_t cert)
+{
+    size_t buf_size;
+    guint8 sha1_buf[20];
+    gchar *str_buf;
+    gint n;
+
+    buf_size = 20U;
+    g_message("%d", gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, sha1_buf, &buf_size));
+    str_buf = g_malloc0(60U);
+    for (n = 0; n < 20; n++) {
+       sprintf(&str_buf[3 * n], "%02x:", sha1_buf[n]);
+    }
+    str_buf[59] = '\0';
+    return str_buf;
+}
+
 static int
 ask_cert_real(void *data)
 {
-    static const char *part[] =
-        {"/CN=", "/Email=", "/O=", "/OU=", "/L=", "/ST=", "/C="};
-
     struct AskCertData *acd = (struct AskCertData*)data;
-    X509 *cert = acd->certificate;
-    char buf[256]; /* fingerprint requires EVP_MAX_MD_SIZE*3 */
-    char *name = NULL, *c, *valid_from, *valid_until;
+    gnutls_x509_crt_t cert;
+    gchar *name, *c, *valid_from, *valid_until;
     GtkWidget* dialog, *label;
     unsigned i;
+    GString* str;
     GtkBox *vbox;
 
-    GString* str = g_string_new("");
+    cert = get_gnutls_cert(acd->certificate);
+    if (cert == NULL) {
+       g_warning("%s: unable to create gnutls cert", __func__);
+       return CERT_ACCEPT_NO;
+    }
 
+    str = g_string_new("");
     g_string_printf(str, _("Authenticity of this certificate "
                            "could not be verified.\n"
                            "<b>Reason:</b> %s\n"
                            "<b>This certificate belongs to:</b>\n"),
                     acd->explanation);
 
-    name = X509_NAME_oneline(X509_get_subject_name (cert), buf, sizeof (buf));
-    for (i = 0; i < G_N_ELEMENTS(part); i++) {
-        g_string_append(str, x509_get_part (name, part[i]));
-        g_string_append_c(str, '\n');
-    }
+    name = gnutls_get_dn(cert, gnutls_x509_crt_get_dn);
+    g_string_append(str, name);
+    g_free(name);
 
     g_string_append(str, _("\n<b>This certificate was issued by:</b>\n"));
-    name = X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof (buf));
-    for (i = 0; i < G_N_ELEMENTS(part); i++) {
-        g_string_append(str, x509_get_part (name, part[i]));
-        g_string_append_c(str, '\n');
-    }
-
-    buf[0] = '\0';
-    x509_fingerprint (buf, sizeof (buf), cert);
-    valid_from  = asn1time_to_string(X509_get_notBefore(cert));
-    valid_until = asn1time_to_string(X509_get_notAfter(cert)),
-    c = g_strdup_printf(_("<b>This certificate is valid</b>\n"
-                          "from %s\n"
-                          "to %s\n"
-                          "<b>Fingerprint:</b> %s"),
-                        valid_from, valid_until,
-                        buf);
-    g_string_append(str, c); g_free(c);
-    g_free(valid_from); g_free(valid_until);
+    name = gnutls_get_dn(cert, gnutls_x509_crt_get_issuer_dn);
+    g_string_append_printf(str, "%s\n", name);
+    g_free(name);
+
+    name = x509_fingerprint(cert);
+    valid_from  = libbalsa_date_to_utf8(gnutls_x509_crt_get_activation_time(cert), "%x %X");
+    valid_until = libbalsa_date_to_utf8(gnutls_x509_crt_get_expiration_time(cert), "%x %X");
+    g_string_append_printf(str, _("<b>This certificate is valid</b>\n"
+                                                         "from %s\n"
+                                                         "to %s\n"
+                                         "<b>Fingerprint:</b> %s"),
+                               valid_from, valid_until, name);
+    g_free(name);
+    g_free(valid_from);
+    g_free(valid_until);
+    gnutls_x509_crt_deinit(cert);
 
     /* This string uses markup, so we must replace "&" with "&amp;" */
     c = str->str;
@@ -643,10 +647,10 @@ ask_cert_real(void *data)
     gtk_box_pack_start(vbox, label);
 
     switch(gtk_dialog_run(GTK_DIALOG(dialog))) {
-    case 0: i = 1; break;
-    case 1: i = 2; break;
+    case 0: i = CERT_ACCEPT_SESSION; break;
+    case 1: i = CERT_ACCEPT_PERMANENT; break;
     case GTK_RESPONSE_CANCEL:
-    default: i=0; break;
+    default: i=CERT_ACCEPT_NO; break;
     }
     gtk_widget_destroy(dialog);
     /* Process some events to let the window disappear:
@@ -660,54 +664,27 @@ ask_cert_real(void *data)
 #endif /* HAVE_GCR */
 
 static int
-libbalsa_ask_for_cert_acceptance(X509 *cert, const char *explanation)
+libbalsa_ask_for_cert_acceptance(GTlsCertificate      *cert,
+                                                                GTlsCertificateFlags  errors)
 {
     struct AskCertData acd;
     acd.certificate = cert;
-    acd.explanation = explanation;
-    return libbalsa_ask(ask_cert_real, &acd);
-}
-
-
-static int
-ask_timeout_real(void *data)
-{
-    const char *host = (const char*)data;
-    GtkWidget* dialog;
-    int i;
-
-    dialog = gtk_message_dialog_new(NULL, /* FIXME: NULL parent */
-                                    GTK_DIALOG_MODAL,
-                                    GTK_MESSAGE_INFO,
-                                    GTK_BUTTONS_YES_NO,
-                                    _("Connection to %s timed out. Abort?"),
-                                    host);
-    gtk_window_set_role(GTK_WINDOW(dialog), "timeout_dialog");
-    switch(gtk_dialog_run(GTK_DIALOG(dialog))) {
-    case GTK_RESPONSE_YES: i = 1; break;
-    case GTK_RESPONSE_NO: i = 0; break;
-    default: printf("Unknown response. Defaulting to 'yes'.\n");
-        i = 1;
+    if ((errors & G_TLS_CERTIFICATE_UNKNOWN_CA) == G_TLS_CERTIFICATE_UNKNOWN_CA) {
+       acd.explanation = _("the signing certificate authority is not known");
+    } else if ((errors & G_TLS_CERTIFICATE_BAD_IDENTITY) == G_TLS_CERTIFICATE_BAD_IDENTITY) {
+       acd.explanation = _("the certificate does not match the expected identity of the site that it was 
retrieved from");
+    } else if ((errors & G_TLS_CERTIFICATE_NOT_ACTIVATED) == G_TLS_CERTIFICATE_NOT_ACTIVATED) {
+       acd.explanation = _("the certificate's activation time is still in the future");
+    } else if ((errors & G_TLS_CERTIFICATE_EXPIRED) == G_TLS_CERTIFICATE_EXPIRED) {
+       acd.explanation = _("the certificate has expired");
+    } else if ((errors & G_TLS_CERTIFICATE_REVOKED) == G_TLS_CERTIFICATE_REVOKED) {
+       acd.explanation = _("the certificate has been revoked ");
+    } else if ((errors & G_TLS_CERTIFICATE_INSECURE) == G_TLS_CERTIFICATE_INSECURE) {
+       acd.explanation = _("the certificate's algorithm is considered insecure");
+    } else {
+       acd.explanation = _("an error occurred validating the certificate");
     }
-    gtk_widget_destroy(dialog);
-    /* Process some events to let the window disappear:
-     * not really necessary but helps with debugging. */
-   while(gtk_events_pending()) 
-        gtk_main_iteration_do(FALSE);
-    printf("%s returns %d\n", __FUNCTION__, i);
-    return i;
-}
-
-gboolean
-libbalsa_abort_on_timeout(const char *host)
-{  /* It appears not to be entirely thread safe... Some locks do not
-      get released as they should be. */
-    char *hostname;
-
-    hostname = g_alloca (strlen (host) + 1);
-    strcpy (hostname, host);
-    
-    return libbalsa_ask(ask_timeout_real, hostname) != 0; 
+    return libbalsa_ask(ask_cert_real, &acd);
 }
 
 
diff --git a/libbalsa/libbalsa.h b/libbalsa/libbalsa.h
index ffaffb75..4e9a7821 100644
--- a/libbalsa/libbalsa.h
+++ b/libbalsa/libbalsa.h
@@ -38,7 +38,6 @@ typedef struct _LibBalsaSmtpServer LibBalsaSmtpServer;
 typedef struct _LibbalsaVfs LibbalsaVfs;
 
 
-#include <openssl/ssl.h>
 #include "message.h"
 #include "body.h"
 #include "files.h"
@@ -134,11 +133,10 @@ gchar *libbalsa_guess_imap_inbox(void);
 gchar* libbalsa_date_to_utf8(time_t date, const gchar *date_string);
 LibBalsaMessageStatus libbalsa_get_icon_from_flags(LibBalsaMessageFlag flags);
 
-gboolean libbalsa_is_cert_known(X509* cert, long vfy_result);
+gboolean libbalsa_is_cert_known(GTlsCertificate      *cert,
+                                                               GTlsCertificateFlags  errors);
 void libbalsa_certs_destroy(void);
 
-gboolean libbalsa_abort_on_timeout(const char *host);
-
 GThread *libbalsa_get_main_thread(void);
 gboolean libbalsa_am_i_subthread(void);
 void libbalsa_message(const char *fmt, ...)
diff --git a/libbalsa/misc.c b/libbalsa/misc.c
index 50be883b..2208635a 100644
--- a/libbalsa/misc.c
+++ b/libbalsa/misc.c
@@ -990,8 +990,8 @@ libbalsa_create_size_group(GtkWidget * chooser)
 void
 libbalsa_assure_balsa_dir(void)
 {
-    gchar* dir = g_strconcat(g_get_home_dir(), "/.balsa", NULL);
-    mkdir(dir, S_IRUSR|S_IWUSR|S_IXUSR);
+    gchar* dir = g_build_filename(g_get_home_dir(), ".balsa", NULL);
+    g_mkdir_with_parents(dir, S_IRUSR|S_IWUSR|S_IXUSR);
     g_free(dir);
 }
 
diff --git a/libbalsa/send.c b/libbalsa/send.c
index d972814b..b4fbbc70 100644
--- a/libbalsa/send.c
+++ b/libbalsa/send.c
@@ -27,7 +27,7 @@
 #include "send.h"
 
 #include <math.h>
-
+#include <stdlib.h>
 #include <string.h>
 
 #include "libbalsa.h"
diff --git a/libbalsa/server.c b/libbalsa/server.c
index 32a75ecf..3bc5a3a0 100644
--- a/libbalsa/server.c
+++ b/libbalsa/server.c
@@ -30,12 +30,11 @@
 #include <libsecret/secret.h>
 #endif                          /* defined(HAVE_LIBSECRET) */
 
-#include <openssl/err.h>
-
 #include "libbalsa.h"
 #include "libbalsa_private.h"
 #include "libbalsa-marshal.h"
 #include "libbalsa-conf.h"
+#include "net-client-utils.h"
 #include <glib/gi18n.h>
 
 #if defined(HAVE_LIBSECRET)
@@ -55,9 +54,9 @@ static void libbalsa_server_finalize(GObject * object);
 
 static void libbalsa_server_real_set_username(LibBalsaServer * server,
                                              const gchar * username);
-static void libbalsa_server_real_set_host(LibBalsaServer * server,
-                                         const gchar * host,
-                                          gboolean use_ssl);
+static void libbalsa_server_real_set_host(LibBalsaServer     *server,
+                                                                                 const gchar        *host,
+                                                                                 NetClientCryptMode  
security);
 /* static gchar* libbalsa_server_real_get_password(LibBalsaServer *server); */
 
 enum {
@@ -82,8 +81,8 @@ typedef struct {
     /* We include SSL support in UI unconditionally to preserve config
      * between SSL and non-SSL builds. We just fail if SSL is requested
      * in non-SSL build. */
-    LibBalsaTlsMode tls_mode;
-    unsigned use_ssl:1;
+    /* LibBalsaTlsMode tls_mode; */
+    /* unsigned use_ssl:1; */
     unsigned remember_passwd:1;
     unsigned try_anonymous:1; /* user wants anonymous access */
 } LibBalsaServerPrivate;
@@ -131,14 +130,12 @@ libbalsa_server_init(LibBalsaServer * server)
 {
     LibBalsaServerPrivate *priv = libbalsa_server_get_instance_private(server);
 
-    priv->protocol        = g_strdup("pop3"); /* Is this a sane default value? */
-    priv->host            = NULL;
-    priv->user            = NULL;
-    priv->passwd          = NULL;
+    priv->protocol = g_strdup("pop3"); /* Is this a sane default value? */
+    priv->host = NULL;
+    priv->user = NULL;
+    priv->passwd = NULL;
     priv->remember_passwd = TRUE;
-    priv->use_ssl         = FALSE;
-    priv->tls_mode        = LIBBALSA_TLS_ENABLED;
-    priv->security        = NET_CLIENT_CRYPT_STARTTLS;
+    priv->security = NET_CLIENT_CRYPT_STARTTLS;
 }
 
 static void
@@ -155,13 +152,11 @@ libbalsa_server_finalize(GObject * object)
 
     if (priv->passwd != NULL) {
        memset(priv->passwd, 0, strlen(priv->passwd));
+        libbalsa_free_password(priv->passwd);
     }
-    libbalsa_free_password(priv->passwd);
 
-    if (priv->cert_passphrase != NULL) {
-       memset(priv->cert_passphrase, 0, strlen(priv->cert_passphrase));
-    }
-    g_free(priv->cert_passphrase);
+    g_clear_pointer(&priv->cert_file, g_free);
+    g_clear_pointer(&priv->cert_passphrase, net_client_free_authstr);
 
     G_OBJECT_CLASS(libbalsa_server_parent_class)->finalize(object);
 }
@@ -200,12 +195,12 @@ libbalsa_server_set_password(LibBalsaServer * server,
 
 void
 libbalsa_server_set_host(LibBalsaServer * server, const gchar * host,
-                         gboolean use_ssl)
+                         NetClientCryptMode security)
 {
     g_return_if_fail(server != NULL);
     g_return_if_fail(LIBBALSA_IS_SERVER(server));
 
-    LIBBALSA_SERVER_GET_CLASS(server)->set_host(server, host, use_ssl);
+    LIBBALSA_SERVER_GET_CLASS(server)->set_host(server, host, security);
 }
 
 void
@@ -246,15 +241,17 @@ libbalsa_server_real_set_username(LibBalsaServer * server,
 
 static void
 libbalsa_server_real_set_host(LibBalsaServer * server, const gchar * host,
-                              gboolean use_ssl)
+       NetClientCryptMode  security)
 {
     LibBalsaServerPrivate *priv = libbalsa_server_get_instance_private(server);
 
     g_return_if_fail(LIBBALSA_IS_SERVER(server));
 
+g_print("%s host was %s\n", G_STRFUNC, priv->host);
     g_free(priv->host);
     priv->host = g_strdup(host);
-    priv->use_ssl = use_ssl;
+    priv->security = security;
+g_print("%s host now %s\n", G_STRFUNC, priv->host);
 }
 
 
@@ -270,10 +267,48 @@ libbalsa_server_real_get_password(LibBalsaServer * server)
 }
 #endif
 
+void
+libbalsa_server_load_security_config(LibBalsaServer *server)
+{
+    LibBalsaServerPrivate *priv = libbalsa_server_get_instance_private(server);
+    gboolean not_found;
+
+    g_return_if_fail(LIBBALSA_IS_SERVER(server));
+
+    priv->security = libbalsa_conf_get_int_with_default("Security", &not_found);
+    if (not_found) {
+       gboolean want_ssl;
+
+       g_debug("server %s@%s: no security config, try to read old settings",
+                priv->protocol, priv->host);
+       want_ssl = libbalsa_conf_get_bool_with_default("SSL", &not_found);
+       if (want_ssl && !not_found) {
+               priv->security = NET_CLIENT_CRYPT_ENCRYPTED;
+       } else {
+               int want_tls;
+
+               want_tls = libbalsa_conf_get_int_with_default("TLSMode", &not_found);
+               if (not_found) {
+                       priv->security = NET_CLIENT_CRYPT_STARTTLS;
+               } else {
+                       switch (want_tls) {
+                       case 0:
+                               priv->security = NET_CLIENT_CRYPT_NONE;
+                               break;
+                       case 1:
+                               priv->security = NET_CLIENT_CRYPT_STARTTLS_OPT;
+                               break;
+                       default:
+                               priv->security = NET_CLIENT_CRYPT_STARTTLS;
+                       }
+               }
+       }
+    }
+}
 
 /* libbalsa_server_load_config:
    load the server configuration using gnome-config.
-   Try to use sensible defaults. 
+   Try to use sensible defaults.
    FIXME: Port field is kept here only for compatibility, drop after 1.4.x
    release.
 */
@@ -284,6 +319,7 @@ libbalsa_server_load_config(LibBalsaServer * server)
     gboolean d;
 
     priv->host = libbalsa_conf_get_string("Server");
+g_print("%s host %s\n", G_STRFUNC, priv->host);
     if(priv->host != NULL && strrchr(priv->host, ':') == NULL) {
         gint port;
         port = libbalsa_conf_get_int_with_default("Port", &d);
@@ -291,21 +327,13 @@ libbalsa_server_load_config(LibBalsaServer * server)
             gchar *newhost = g_strdup_printf("%s:%d", priv->host, port);
             g_free(priv->host);
             priv->host = newhost;
+g_print("%s host from newhost %s\n", G_STRFUNC, priv->host);
         }
     }
-
-    priv->use_ssl = libbalsa_conf_get_bool("SSL=false");
-
-    d = FALSE;
-    priv->tls_mode = libbalsa_conf_get_int_with_default("TLSMode", &d);
-    if (d)
-        priv->tls_mode = LIBBALSA_TLS_ENABLED;
-
-    d = FALSE;
-    priv->security = libbalsa_conf_get_int_with_default("Security", &d);
-    if (d) {
-       priv->security = NET_CLIENT_CRYPT_STARTTLS;
-    }
+    libbalsa_server_load_security_config(server);
+    priv->user = libbalsa_conf_private_get_string("Username");
+    if (priv->user == NULL)
+       priv->user = g_strdup(getenv("USER"));
 
     priv->user = libbalsa_conf_private_get_string("Username");
     if (priv->user == NULL)
@@ -318,6 +346,7 @@ libbalsa_server_load_config(LibBalsaServer * server)
 #if defined(HAVE_LIBSECRET)
         GError *err = NULL;
 
+g_print("%s host for passwd %s\n", G_STRFUNC, priv->host);
         priv->passwd =
             secret_password_lookup_sync(LIBBALSA_SERVER_SECRET_SCHEMA,
                                         NULL, &err,
@@ -433,89 +462,9 @@ libbalsa_server_save_config(LibBalsaServer * server)
         g_free(tmp);
     }
 
-    libbalsa_conf_set_bool("SSL", priv->use_ssl);
-    libbalsa_conf_set_int("TLSMode", priv->tls_mode);
     libbalsa_conf_set_int("Security", priv->security);
 }
 
-void
-libbalsa_server_user_cb(ImapUserEventType ue, void *arg, ...)
-{
-    va_list alist;
-    int *ok;
-    LibBalsaServer *is = LIBBALSA_SERVER(arg);
-    LibBalsaServerPrivate *priv = libbalsa_server_get_instance_private(is);
-
-    va_start(alist, arg);
-    switch(ue) {
-    case IME_GET_USER_PASS: {
-        gchar *method = va_arg(alist, gchar*);
-        gchar **user = va_arg(alist, gchar**);
-        gchar **pass = va_arg(alist, gchar**);
-        ok = va_arg(alist, int*);
-        if(!priv->passwd) {
-            priv->passwd = libbalsa_server_ask_password(is, NULL);
-        }
-        *ok = priv->passwd != NULL;
-        if(*ok) {
-            g_free(*user); *user = g_strdup(priv->user);
-            g_free(*pass); *pass = g_strdup(priv->passwd);
-            libbalsa_information(LIBBALSA_INFORMATION_DEBUG,
-                                 /* host, authentication method */
-                                 _("Logging in to %s using %s"), 
-                                   priv->host, method);
-        }
-        break;
-    }
-    case IME_GET_USER:  { /* for eg kerberos */
-        gchar **user;
-        va_arg(alist, gchar*); /* Ignore the method */
-        user = va_arg(alist, gchar**);
-        ok = va_arg(alist, int*);
-        *ok = 1; /* consider popping up a dialog window here */
-        g_free(*user); *user = g_strdup(priv->user);
-        break;
-    }
-    case IME_TLS_VERIFY_ERROR:  {
-        long vfy_result;
-        SSL *ssl;
-        X509 *cert;
-        ok = va_arg(alist, int*);
-        vfy_result = va_arg(alist, long);
-        X509_verify_cert_error_string(vfy_result);
-#if 0
-        printf("IMAP:TLS: failed cert verification: %ld : %s.\n",
-               vfy_result, reason);
-#endif
-        ssl = va_arg(alist, SSL*);
-        cert = SSL_get_peer_certificate(ssl);
-       if(cert) {
-           *ok = libbalsa_is_cert_known(cert, vfy_result);
-           X509_free(cert);
-       }
-        break;
-    }
-    case IME_TLS_NO_PEER_CERT: {
-        ok = va_arg(alist, int*); *ok = 0;
-        printf("IMAP:TLS: Server presented no cert!\n");
-        break;
-    }
-    case IME_TLS_WEAK_CIPHER: {
-        ok = va_arg(alist, int*); *ok = 1;
-        printf("IMAP:TLS: Weak cipher accepted.\n");
-        break;
-    }
-    case IME_TIMEOUT: {
-        ok = va_arg(alist, int*); *ok = 1;
-        /* *ok = libbalsa_abort_on_timeout(priv->host); */
-        /* For now, always timeout. The UI needs some work. */
-        break;
-    }
-    default: g_warning("unhandled imap event type! Fix the code."); break;
-    }
-    va_end(alist);
-}
-
 /* Connect the server's "get-password" signal to the callback; if the
  * ask-password callback is connected more than once, the dialog is
  * popped up the corresponding number of times, so we'll ignore the
@@ -542,7 +491,7 @@ libbalsa_server_get_auth(NetClient *client,
 
     g_debug("%s: %p %p: encrypted = %d", __func__, client, user_data,
             net_client_is_encrypted(client));
-    if (priv->try_anonymous == 0U) {
+    if ((priv->try_anonymous == 0U) || (strcmp(priv->protocol, "imap") == 0)) {
         result = g_new0(gchar *, 3U);
         result[0] = g_strdup(priv->user);
         if (need_passwd) {
@@ -563,50 +512,7 @@ libbalsa_server_check_cert(NetClient           *client,
                                                   GTlsCertificateFlags errors,
                                                   gpointer             user_data)
 {
-    GByteArray *cert_der = NULL;
-    gboolean result = FALSE;
-
-    /* FIXME - this a hack, simulating the (OpenSSL based) input for libbalsa_is_cert_known().
-        If we switch completely to
-     * (GnuTLS based) GTlsCertificate/GTlsClientConnection, we can omit this... */
-    g_debug("%s: %p %p %u %p", __func__, client, peer_cert, errors, user_data);
-
-    /* create a OpenSSL X509 object from the certificate's DER data */
-    g_object_get(G_OBJECT(peer_cert), "certificate", &cert_der, NULL);
-    if (cert_der != NULL) {
-        X509 *ossl_cert;
-        const unsigned char *der_p;
-
-        der_p = (const unsigned char *) cert_der->data;
-        ossl_cert = d2i_X509(NULL, &der_p, cert_der->len);
-        g_byte_array_unref(cert_der);
-
-        if (ossl_cert != NULL) {
-            long vfy_result;
-
-            /* convert the GIO error flags into OpenSSL error flags */
-            if ((errors & G_TLS_CERTIFICATE_UNKNOWN_CA) == G_TLS_CERTIFICATE_UNKNOWN_CA) {
-                vfy_result = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
-            } else if ((errors & G_TLS_CERTIFICATE_BAD_IDENTITY) ==
-                       G_TLS_CERTIFICATE_BAD_IDENTITY) {
-                vfy_result = X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
-            } else if ((errors & G_TLS_CERTIFICATE_NOT_ACTIVATED) ==
-                       G_TLS_CERTIFICATE_NOT_ACTIVATED) {
-                vfy_result = X509_V_ERR_CERT_NOT_YET_VALID;
-            } else if ((errors & G_TLS_CERTIFICATE_EXPIRED) == G_TLS_CERTIFICATE_EXPIRED) {
-                vfy_result = X509_V_ERR_CERT_HAS_EXPIRED;
-            } else if ((errors & G_TLS_CERTIFICATE_REVOKED) == G_TLS_CERTIFICATE_REVOKED) {
-                vfy_result = X509_V_ERR_CERT_REVOKED;
-            } else {
-                vfy_result = X509_V_ERR_APPLICATION_VERIFICATION;
-            }
-
-            result = libbalsa_is_cert_known(ossl_cert, vfy_result);
-            X509_free(ossl_cert);
-        }
-    }
-
-    return result;
+       return libbalsa_is_cert_known(peer_cert, errors);
 }
 
 
@@ -689,16 +595,6 @@ libbalsa_server_test_can_reach(LibBalsaServer           * server,
  * Getters
  */
 
-LibBalsaTlsMode
-libbalsa_server_get_tls_mode(LibBalsaServer * server)
-{
-    LibBalsaServerPrivate *priv = libbalsa_server_get_instance_private(server);
-
-    g_return_val_if_fail(LIBBALSA_IS_SERVER(server), (LibBalsaTlsMode) 0);
-
-    return priv->tls_mode;
-}
-
 NetClientCryptMode
 libbalsa_server_get_security(LibBalsaServer * server)
 {
@@ -709,16 +605,6 @@ libbalsa_server_get_security(LibBalsaServer * server)
     return priv->security;
 }
 
-gboolean
-libbalsa_server_get_use_ssl(LibBalsaServer * server)
-{
-    LibBalsaServerPrivate *priv = libbalsa_server_get_instance_private(server);
-
-    g_return_val_if_fail(LIBBALSA_IS_SERVER(server), FALSE);
-
-    return priv->use_ssl;
-}
-
 gboolean
 libbalsa_server_get_client_cert(LibBalsaServer * server)
 {
@@ -813,16 +699,6 @@ libbalsa_server_get_password(LibBalsaServer * server)
  * Setters
  */
 
-void
-libbalsa_server_set_tls_mode(LibBalsaServer * server, LibBalsaTlsMode tls_mode)
-{
-    LibBalsaServerPrivate *priv = libbalsa_server_get_instance_private(server);
-
-    g_return_if_fail(LIBBALSA_IS_SERVER(server));
-
-    priv->tls_mode = tls_mode;
-}
-
 void
 libbalsa_server_set_security(LibBalsaServer * server, NetClientCryptMode security)
 {
diff --git a/libbalsa/server.h b/libbalsa/server.h
index c8ad7818..7c9bb579 100644
--- a/libbalsa/server.h
+++ b/libbalsa/server.h
@@ -45,42 +45,39 @@ G_DECLARE_DERIVABLE_TYPE(LibBalsaServer,
                          SERVER,
                          GObject);
 
+#if 0
 typedef enum {
     LIBBALSA_TLS_DISABLED,
     LIBBALSA_TLS_ENABLED,
     LIBBALSA_TLS_REQUIRED
 } LibBalsaTlsMode;
+#endif
 
 struct _LibBalsaServerClass {
     GObjectClass parent_class;
 
-    void (*set_username) (LibBalsaServer *server,
-                          const gchar    *name);
-    void (*set_host) (LibBalsaServer *server,
-                      const gchar    *host,
-                      gboolean        use_ssl);
-    void (*config_changed) (LibBalsaServer *server);
-    gchar *(*get_password) (LibBalsaServer *server);
+    void (*set_username) (LibBalsaServer * server, const gchar * name);
+    void (*set_host) (LibBalsaServer * server,
+                     const gchar * host, NetClientCryptMode  security);
+    void (*config_changed) (LibBalsaServer * server);
+    gchar *(*get_password) (LibBalsaServer * server);
 };
 
 LibBalsaServer *libbalsa_server_new(void);
 
-void            libbalsa_server_set_username(LibBalsaServer *server,
-                                             const gchar    *username);
-void            libbalsa_server_set_password(LibBalsaServer *server,
-                                             const gchar    *passwd);
-void            libbalsa_server_set_host(LibBalsaServer *server,
-                                         const gchar    *host,
-                                         gboolean        use_ssl);
-
-void libbalsa_server_config_changed(LibBalsaServer *server);
-void libbalsa_server_load_config(LibBalsaServer *server);
-void libbalsa_server_save_config(LibBalsaServer *server);
+void libbalsa_server_set_username(LibBalsaServer * server,
+                                 const gchar * username);
+void libbalsa_server_set_password(LibBalsaServer * server,
+                                 const gchar * passwd);
+void libbalsa_server_set_host(LibBalsaServer     *server,
+                                                         const gchar        *host,
+                                                         NetClientCryptMode  security);
 
+void libbalsa_server_config_changed(LibBalsaServer * server);
+void libbalsa_server_load_config(LibBalsaServer * server);
+void libbalsa_server_load_security_config(LibBalsaServer * server);
+void libbalsa_server_save_config(LibBalsaServer * server);
 
-void libbalsa_server_user_cb(ImapUserEventType ue,
-                             void             *arg,
-                             ...);
 
 /* NetClient related signal handlers */
 gchar **libbalsa_server_get_auth(NetClient *client,
@@ -114,9 +111,7 @@ void libbalsa_server_test_can_reach_full(LibBalsaServer           *server,
  * Getters
  */
 
-LibBalsaTlsMode    libbalsa_server_get_tls_mode(LibBalsaServer *server);
 NetClientCryptMode libbalsa_server_get_security(LibBalsaServer *server);
-gboolean           libbalsa_server_get_use_ssl(LibBalsaServer *server);
 gboolean           libbalsa_server_get_client_cert(LibBalsaServer *server);
 gboolean           libbalsa_server_get_try_anonymous(LibBalsaServer *server);
 gboolean           libbalsa_server_get_remember_passwd(LibBalsaServer *server);
@@ -131,8 +126,6 @@ const gchar       *libbalsa_server_get_password(LibBalsaServer *server);
  * Setters
  */
 
-void libbalsa_server_set_tls_mode(LibBalsaServer *server,
-                                  LibBalsaTlsMode tls_mode);
 void libbalsa_server_set_security(LibBalsaServer    *server,
                                   NetClientCryptMode security);
 void libbalsa_server_set_try_anonymous(LibBalsaServer *server,
diff --git a/libbalsa/smtp-server.c b/libbalsa/smtp-server.c
index 5995e9b8..1ec22658 100644
--- a/libbalsa/smtp-server.c
+++ b/libbalsa/smtp-server.c
@@ -287,21 +287,21 @@ smtp_server_response(GtkDialog * dialog, gint response,
         libbalsa_smtp_server_set_name(sdi->smtp_server,
                                       gtk_entry_get_text(GTK_ENTRY
                                                          (sdi->name)));
-        libbalsa_server_set_host(server,
-                                 gtk_entry_get_text(GTK_ENTRY(sdi->host)),
-                                 FALSE);
+        libbalsa_server_set_security
+            (server,
+             (NetClientCryptMode) (gtk_combo_box_get_active(GTK_COMBO_BOX(sdi->tlsm)) + 1));
+        libbalsa_server_set_host
+            (server,
+             gtk_entry_get_text(GTK_ENTRY(sdi->host)), FALSE);
         libbalsa_server_set_try_anonymous
             (server,
              gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(sdi->auth_button)) ? 0U : 1U);
-        libbalsa_server_set_username(server,
-                                     gtk_entry_get_text(GTK_ENTRY
-                                                        (sdi->user)));
-        libbalsa_server_set_password(server,
-                                     gtk_entry_get_text(GTK_ENTRY
-                                                        (sdi->pass)));
-        libbalsa_server_set_security
+        libbalsa_server_set_username
             (server,
-             (NetClientCryptMode) (gtk_combo_box_get_active(GTK_COMBO_BOX(sdi->tlsm)) + 1));
+             gtk_entry_get_text(GTK_ENTRY(sdi->user)));
+        libbalsa_server_set_password
+            (server,
+             gtk_entry_get_text(GTK_ENTRY(sdi->pass)));
         libbalsa_server_set_client_cert
             (server,
              gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(sdi->cert_button)));
diff --git a/libinit_balsa/assistant_page_user.c b/libinit_balsa/assistant_page_user.c
index 40358c20..422036b2 100644
--- a/libinit_balsa/assistant_page_user.c
+++ b/libinit_balsa/assistant_page_user.c
@@ -204,7 +204,7 @@ create_pop3_mbx(const gchar *name, const gchar* host, gint security,
 
     libbalsa_server_set_username(server, login);
     libbalsa_server_set_password(server, passwd);
-    libbalsa_server_set_host(server, host, FALSE);
+    libbalsa_server_set_host(server, host, security);
     libbalsa_server_set_security(server, security);
     libbalsa_server_set_remember_passwd(server, remember);
     libbalsa_mailbox_set_name(mbx, name != NULL && name[0] != '\0' ? name : host);
@@ -218,7 +218,7 @@ create_pop3_mbx(const gchar *name, const gchar* host, gint security,
 }
 
 static void
-create_imap_mbx(const gchar *name, const gchar* host, gint security,
+create_imap_mbx(const gchar *name, const gchar* host, NetClientCryptMode security,
                 const gchar *login, const gchar *passwd,
                 gboolean remember)
 {
@@ -227,17 +227,7 @@ create_imap_mbx(const gchar *name, const gchar* host, gint security,
         LIBBALSA_SERVER(libbalsa_imap_server_new(login, host));
     libbalsa_server_set_username(server, login);
     libbalsa_server_set_password(server, passwd);
-    libbalsa_server_set_host(server, host, security == NET_CLIENT_CRYPT_ENCRYPTED);
-    switch (security) {
-    case NET_CLIENT_CRYPT_STARTTLS:
-     libbalsa_server_set_tls_mode(server, LIBBALSA_TLS_REQUIRED);
-       break;
-    case NET_CLIENT_CRYPT_STARTTLS_OPT:
-     libbalsa_server_set_tls_mode(server, LIBBALSA_TLS_ENABLED);
-       break;
-    default:
-     libbalsa_server_set_tls_mode(server, LIBBALSA_TLS_DISABLED);
-    }
+    libbalsa_server_set_host(server, host, security);
     libbalsa_server_set_remember_passwd(server, remember);
 
     mbnode = balsa_mailbox_node_new_imap_folder(server, NULL);
@@ -271,7 +261,7 @@ balsa_druid_page_user_next(GtkAssistant * druid, GtkWidget * page,
         LibBalsaMailbox *mbx = NULL;
         const gchar *login = gtk_entry_get_text(GTK_ENTRY(user->login));
         const gchar *passwd = gtk_entry_get_text(GTK_ENTRY(user->passwd));
-        gint security = balsa_option_get_active(user->security) + NET_CLIENT_CRYPT_ENCRYPTED;
+        NetClientCryptMode security = balsa_option_get_active(user->security) + NET_CLIENT_CRYPT_ENCRYPTED;
         gboolean remember = 
             balsa_option_get_active(user->remember_passwd) == 0;
         switch(balsa_option_get_active(user->incoming_type)) {
@@ -317,7 +307,7 @@ balsa_druid_page_user_next(GtkAssistant * druid, GtkWidget * page,
     }
     libbalsa_server_set_host(LIBBALSA_SERVER(smtp_server),
                              gtk_entry_get_text(GTK_ENTRY(user->smtp)),
-                             FALSE);
+                             FALSE);   // FIXME!!
 
     g_free(balsa_app.local_mail_directory);
     balsa_app.local_mail_directory =
diff --git a/libnetclient/Makefile.am b/libnetclient/Makefile.am
index 926f8162..52f7b998 100644
--- a/libnetclient/Makefile.am
+++ b/libnetclient/Makefile.am
@@ -6,6 +6,8 @@ libnetclient_a_SOURCES =        \
        net-client.h                    \
        net-client-pop.c                \
        net-client-pop.h                \
+       net-client-siobuf.c             \
+       net-client-siobuf.h             \
        net-client-smtp.c               \
        net-client-smtp.h               \
        net-client-utils.c              \
diff --git a/libnetclient/meson.build b/libnetclient/meson.build
index 59134812..1fd5011b 100644
--- a/libnetclient/meson.build
+++ b/libnetclient/meson.build
@@ -7,6 +7,8 @@ libnetclient_a_sources = [
   'net-client-pop.h',
   'net-client-smtp.c',
   'net-client-smtp.h',
+  'net-client-siobuf.c',
+  'net-client-siobuf.h',
   'net-client-utils.c',
   'net-client-utils.h'
   ]
diff --git a/libnetclient/net-client-pop.c b/libnetclient/net-client-pop.c
index 999656d5..7d81ec1c 100644
--- a/libnetclient/net-client-pop.c
+++ b/libnetclient/net-client-pop.c
@@ -186,12 +186,10 @@ net_client_pop_connect(NetClientPop *client, gchar **greeting, GError **error)
                g_signal_emit_by_name(client, "auth", need_pwd, &auth_data);
                if ((auth_data != NULL) && (auth_data[0] != NULL)) {
                        result = net_client_pop_auth(client, auth_data[0], auth_data[1], auth_supported, 
error);
-                       memset(auth_data[0], 0, strlen(auth_data[0]));
-                       if (auth_data[1] != NULL) {
-                               memset(auth_data[1], 0, strlen(auth_data[1]));
-                       }
+                       net_client_free_authstr(auth_data[0]);
+                       net_client_free_authstr(auth_data[1]);
                }
-               g_strfreev(auth_data);
+               g_free(auth_data);
        }
 
        return result;
@@ -554,8 +552,7 @@ net_client_pop_auth_plain(NetClientPop *client, const gchar *user, const gchar *
                if (result) {
                        result = net_client_pop_execute(client, "%s", NULL, error, base64_buf);
                }
-               memset(base64_buf, 0, strlen(base64_buf));
-               g_free(base64_buf);
+               net_client_free_authstr(base64_buf);
        } else {
                result = FALSE;
        }
@@ -575,13 +572,11 @@ net_client_pop_auth_login(NetClientPop *client, const gchar *user, const gchar *
 
                base64_buf = g_base64_encode((const guchar *) user, strlen(user));
                result = net_client_pop_execute_sasl(client, "%s", NULL, error, base64_buf);
-               memset(base64_buf, 0, strlen(base64_buf));
-               g_free(base64_buf);
+               net_client_free_authstr(base64_buf);
                if (result) {
                        base64_buf = g_base64_encode((const guchar *) passwd, strlen(passwd));
                        result = net_client_pop_execute(client, "%s", NULL, error, base64_buf);
-                       memset(base64_buf, 0, strlen(base64_buf));
-                       g_free(base64_buf);
+                       net_client_free_authstr(base64_buf);
                }
        }
 
@@ -613,11 +608,9 @@ net_client_pop_auth_apop(NetClientPop *client, const gchar *user, const gchar *p
 
        auth_buf = g_strconcat(priv->apop_banner, passwd, NULL);
        md5_buf = g_compute_checksum_for_string(G_CHECKSUM_MD5, auth_buf, -1);
-       memset(auth_buf, 0, strlen(auth_buf));
-       g_free(auth_buf);
+       net_client_free_authstr(auth_buf);
        result = net_client_pop_execute(client, "APOP %s %s", NULL, error, user, md5_buf);
-       memset(md5_buf, 0, strlen(md5_buf));
-       g_free(md5_buf);
+       net_client_free_authstr(md5_buf);
 
        return result;
 }
@@ -635,8 +628,7 @@ net_client_pop_auth_cram(NetClientPop *client, GChecksumType chksum_type, const
                auth_buf = net_client_cram_calc(challenge, chksum_type, user, passwd);
                if (auth_buf != NULL) {
                        result = net_client_pop_execute(client, "%s", NULL, error, auth_buf);
-                       memset(auth_buf, 0, strlen(auth_buf));
-                       g_free(auth_buf);
+                       net_client_free_authstr(auth_buf);
                } else {
                        result = FALSE;
                }
diff --git a/libnetclient/net-client-smtp.c b/libnetclient/net-client-smtp.c
index 488ea80c..fc74779d 100644
--- a/libnetclient/net-client-smtp.c
+++ b/libnetclient/net-client-smtp.c
@@ -174,12 +174,10 @@ net_client_smtp_connect(NetClientSmtp *client, gchar **greeting, GError **error)
                g_signal_emit_by_name(client, "auth", need_pwd, &auth_data);
                if ((auth_data != NULL) && (auth_data[0] != NULL)) {
                        result = net_client_smtp_auth(client, auth_data[0], auth_data[1], auth_supported, 
error);
-                       memset(auth_data[0], 0, strlen(auth_data[0]));
-                       if (auth_data[1] != NULL) {
-                               memset(auth_data[1], 0, strlen(auth_data[1]));
-                       }
+                       net_client_free_authstr(auth_data[0]);
+                       net_client_free_authstr(auth_data[1]);
                }
-               g_strfreev(auth_data);
+               g_free(auth_data);
        }
 
        return result;
@@ -461,8 +459,7 @@ net_client_smtp_auth_plain(NetClientSmtp *client, const gchar *user, const gchar
        base64_buf = net_client_auth_plain_calc(user, passwd);
        if (base64_buf != NULL) {
                result = net_client_smtp_execute(client, "AUTH PLAIN %s", NULL, error, base64_buf);
-               memset(base64_buf, 0, strlen(base64_buf));
-               g_free(base64_buf);
+               net_client_free_authstr(base64_buf);
        } else {
                result = FALSE;
        }
@@ -479,13 +476,11 @@ net_client_smtp_auth_login(NetClientSmtp *client, const gchar *user, const gchar
 
        base64_buf = g_base64_encode((const guchar *) user, strlen(user));
        result = net_client_smtp_execute(client, "AUTH LOGIN %s", NULL, error, base64_buf);
-       memset(base64_buf, 0, strlen(base64_buf));
-       g_free(base64_buf);
+       net_client_free_authstr(base64_buf);
        if (result) {
                base64_buf = g_base64_encode((const guchar *) passwd, strlen(passwd));
                result = net_client_smtp_execute(client, "%s", NULL, error, base64_buf);
-               memset(base64_buf, 0, strlen(base64_buf));
-               g_free(base64_buf);
+               net_client_free_authstr(base64_buf);
        }
 
        return result;
@@ -505,8 +500,7 @@ net_client_smtp_auth_cram(NetClientSmtp *client, GChecksumType chksum_type, cons
                auth_buf = net_client_cram_calc(challenge, chksum_type, user, passwd);
                if (auth_buf != NULL) {
                        result = net_client_smtp_execute(client, "%s", NULL, error, auth_buf);
-                       memset(auth_buf, 0, strlen(auth_buf));
-                       g_free(auth_buf);
+                       net_client_free_authstr(auth_buf);
                } else {
                        result = FALSE;
                }
diff --git a/libnetclient/net-client-utils.c b/libnetclient/net-client-utils.c
index bcc4e808..83c9641a 100644
--- a/libnetclient/net-client-utils.c
+++ b/libnetclient/net-client-utils.c
@@ -12,7 +12,6 @@
  * <http://www.gnu.org/licenses/>.
  */
 
-#include <string.h>
 #include <stdio.h>
 #include <glib/gi18n.h>
 #include "net-client.h"
@@ -56,16 +55,13 @@ net_client_cram_calc(const gchar *base64_challenge, GChecksumType chksum_type, c
 
        chal_plain = g_base64_decode(base64_challenge, &plain_len);
        digest = g_compute_hmac_for_data(chksum_type, (const guchar *) passwd, strlen(passwd), chal_plain, 
plain_len);
-       memset(chal_plain, 0, plain_len);
-       g_free(chal_plain);
+       net_client_free_authstr((gchar *) chal_plain);
 
        auth_buf = g_strdup_printf("%s %s", user, digest);
-       memset(digest, 0, strlen(digest));
-       g_free(digest);
+       net_client_free_authstr(digest);
 
        base64_buf = g_base64_encode((const guchar *) auth_buf, strlen(auth_buf));
-       memset(auth_buf, 0, strlen(auth_buf));
-       g_free(auth_buf);
+       net_client_free_authstr(auth_buf);
 
        return base64_buf;
 }
@@ -107,6 +103,7 @@ net_client_auth_plain_calc(const gchar *user, const gchar *passwd)
        strcpy(&plain_buf[user_len + 1U], user);
        strcpy(&plain_buf[(2U * user_len) + 2U], passwd);
        base64_buf = g_base64_encode((const guchar *) plain_buf, (2U * user_len) + passwd_len + 2U);
+       /* contains \0 chars, cannot use net_client_free_authstr */
        memset(plain_buf, 0, (2U * user_len) + passwd_len + 2U);
        g_free(plain_buf);
 
@@ -114,6 +111,20 @@ net_client_auth_plain_calc(const gchar *user, const gchar *passwd)
 }
 
 
+void
+net_client_free_authstr(gchar *str)
+{
+       if (str != NULL) {
+               guint n;
+
+               for (n = 0; str[n] != '\0'; n++) {
+                       str[n] = g_random_int_range(32, 128);
+               }
+               g_free(str);
+       }
+}
+
+
 #if defined(HAVE_GSSAPI)
 
 NetClientGssCtx *
diff --git a/libnetclient/net-client-utils.h b/libnetclient/net-client-utils.h
index f4c0a8fc..ab90dfea 100644
--- a/libnetclient/net-client-utils.h
+++ b/libnetclient/net-client-utils.h
@@ -71,6 +71,16 @@ gchar *net_client_auth_plain_calc(const gchar *user, const gchar *passwd)
        G_GNUC_MALLOC;
 
 
+/** @brief Safely free an authentication string
+ *
+ * @param str string
+ *
+ * This function can be used to safely free an authentication string.  It overwrites the passed string with 
random characters, and
+ * then frees it.
+ */
+void net_client_free_authstr(gchar *str);
+
+
 #if defined(HAVE_GSSAPI)
 
 /** @brief Create a GSSAPI authentication context
diff --git a/libnetclient/net-client.c b/libnetclient/net-client.c
index b9468fe2..45907094 100644
--- a/libnetclient/net-client.c
+++ b/libnetclient/net-client.c
@@ -16,9 +16,25 @@
 #include <stdio.h>
 #include <glib/gi18n.h>
 #include <gnutls/x509.h>
+#include "net-client-utils.h"
 #include "net-client.h"
 
 
+/*
+ * Stacking of the streams:
+ * Input channel:
+ *   GSocketClient *sock
+ *      GSocketConnection *plain_conn
+ *         GIOStream *tls_conn -- optional
+ *            GInputStream *comp_istream -- optional
+ *               GDataInputStream *istream
+ *
+ * Output channel:
+ *   GSocketClient *sock
+ *      GSocketConnection *plain_conn
+ *         GIOStream *tls_conn -- optional
+ *            GOutputStream *ostream -- optionally compressed
+ */
 struct _NetClientPrivate {
        gchar *host_and_port;
        guint16 default_port;
@@ -30,6 +46,10 @@ struct _NetClientPrivate {
        GDataInputStream *istream;
        GOutputStream *ostream;
        GTlsCertificate *certificate;
+
+       GZlibCompressor *comp;
+       GZlibDecompressor *decomp;
+       GInputStream *comp_istream;
 };
 
 enum {
@@ -143,7 +163,19 @@ net_client_shutdown(NetClient *client)
        NetClientPrivate *priv  = net_client_get_instance_private(client);
 
        if (NET_IS_CLIENT(client)) {
-               /* note: we must unref the GDataInputStream, but *not* the GOutputStream! */
+               /* Note: we must unref the GDataInputStream, but the GOutputStream only if compression is 
active! */
+               if (priv->comp != NULL) {
+                       /* Note: for some strange reason, GIO decides to send a 0x03 0x00 sequence when 
closing a compressed connection, before
+                        * sending the usual FIN, ACK TCP reply packet.  As the remote server does not expect 
the former (the connection has
+                        * already been closed on its side), it replies with with a RST TCP packet.  
Unref'ing priv->ostream and
+                        * priv->comp /after/ all other components of the connection fixes the issue for 
unencrypted connections, but
+                        * throws a critical error for TLS.  Observed with gio 2.48.2 and 2.50.3, no idea how 
it can be fixed.
+                        * See also https://bugzilla.gnome.org/show_bug.cgi?id=795985. */
+                        g_clear_object(&priv->ostream);
+                       g_clear_object(&priv->comp);
+               }
+                g_clear_object(&priv->decomp);
+                g_clear_object(&priv->comp_istream);
                 g_clear_object(&priv->istream);
                 g_clear_object(&priv->tls_conn);
                 g_clear_object(&priv->plain_conn);
@@ -378,8 +410,7 @@ net_client_set_cert_from_pem(NetClient *client, const gchar *pem_data, GError **
                                                g_byte_array_unref(cert_der);
                                                if (key_pass != NULL) {
                                                        res = gnutls_x509_privkey_import2(key, &data, 
GNUTLS_X509_FMT_PEM, key_pass, 0);
-                                                       memset(key_pass, 0, strlen(key_pass));
-                                                       g_free(key_pass);
+                                                       net_client_free_authstr(key_pass);
                                                }
                                        }
                                }
@@ -480,6 +511,46 @@ net_client_start_tls(NetClient *client, GError **error)
 }
 
 
+gboolean
+net_client_start_compression(NetClient *client, GError **error)
+{
+       NetClientPrivate *priv  = net_client_get_instance_private(client);
+       gboolean result = FALSE;
+
+       g_return_val_if_fail(NET_IS_CLIENT(client), FALSE);
+
+       if (priv->plain_conn == NULL) {
+               g_set_error(error, NET_CLIENT_ERROR_QUARK, (gint) NET_CLIENT_ERROR_NOT_CONNECTED, _("not 
connected"));
+       } else if (priv->comp != NULL) {
+               g_set_error(error, NET_CLIENT_ERROR_QUARK, (gint) NET_CLIENT_ERROR_COMP_ACTIVE, _("connection 
is already compressed"));
+       } else {
+               priv->comp = g_zlib_compressor_new(G_ZLIB_COMPRESSOR_FORMAT_RAW, -1);
+               priv->decomp = g_zlib_decompressor_new(G_ZLIB_COMPRESSOR_FORMAT_RAW);
+
+               g_filter_input_stream_set_close_base_stream(G_FILTER_INPUT_STREAM(priv->istream), FALSE);
+               g_object_unref(priv->istream);
+
+               if (priv->tls_conn != NULL) {
+                       priv->comp_istream =
+                               
g_converter_input_stream_new(g_io_stream_get_input_stream(G_IO_STREAM(priv->tls_conn)),
+                                       G_CONVERTER(priv->decomp));
+               } else {
+                       priv->comp_istream =
+                               
g_converter_input_stream_new(g_io_stream_get_input_stream(G_IO_STREAM(priv->plain_conn)),
+                                       G_CONVERTER(priv->decomp));
+               }
+               priv->istream = g_data_input_stream_new(priv->comp_istream);
+               g_data_input_stream_set_newline_type(priv->istream, G_DATA_STREAM_NEWLINE_TYPE_CR_LF);
+
+               priv->ostream = g_converter_output_stream_new(priv->ostream, G_CONVERTER(priv->comp));
+               result = TRUE;
+               g_debug("connection is compressed");
+       }
+
+       return result;
+}
+
+
 gboolean
 net_client_set_timeout(NetClient *client, guint timeout_secs)
 {
@@ -492,6 +563,29 @@ net_client_set_timeout(NetClient *client, guint timeout_secs)
 }
 
 
+GSocket *
+net_client_get_socket(NetClient *client)
+{
+       NetClientPrivate *priv  = net_client_get_instance_private(client);
+
+       g_return_val_if_fail(NET_IS_CLIENT(client) && (priv->plain_conn != NULL), NULL);
+
+       return g_socket_connection_get_socket(priv->plain_conn);
+}
+
+
+gboolean
+net_client_can_read(NetClient *client)
+{
+       NetClientPrivate *priv  = net_client_get_instance_private(client);
+
+       g_return_val_if_fail(NET_IS_CLIENT(client) && (priv->plain_conn != NULL) && (priv->istream != NULL), 
FALSE);
+
+       return (g_socket_condition_check(g_socket_connection_get_socket(priv->plain_conn), G_IO_IN) != 0) ||
+               (g_buffered_input_stream_get_available(G_BUFFERED_INPUT_STREAM(priv->istream)) > 0U);
+}
+
+
 /* == local functions 
=========================================================================================================== */
 
 static void
diff --git a/libnetclient/net-client.h b/libnetclient/net-client.h
index e966187a..6b38d9de 100644
--- a/libnetclient/net-client.h
+++ b/libnetclient/net-client.h
@@ -43,7 +43,6 @@ G_DECLARE_DERIVABLE_TYPE(NetClient,
 typedef enum _NetClientError NetClientError;
 typedef enum _NetClientCryptMode NetClientCryptMode;
 
-
 struct _NetClientClass {
     GObjectClass parent;
 };
@@ -65,21 +64,17 @@ enum _NetClientCryptMode {
 
 /** @brief Error codes */
 enum _NetClientError {
-    NET_CLIENT_ERROR_CONNECTED = 1,                     /**< The client is already connected. */
-    NET_CLIENT_ERROR_NOT_CONNECTED,                     /**< The client is not connected. */
-    NET_CLIENT_ERROR_CONNECTION_LOST,                   /**< The connection is lost. */
-    NET_CLIENT_ERROR_TLS_ACTIVE,                        /**< TLS is already active for the
-                                                           connection. */
-    NET_CLIENT_ERROR_LINE_TOO_LONG,                     /**< The line is too long. */
-    NET_CLIENT_ERROR_GNUTLS,                                    /**< A GnuTLS error occurred. */
-    NET_CLIENT_ERROR_GSSAPI                                     /**< A GSSAPI error occurred. */
+    NET_CLIENT_ERROR_CONNECTED = 1,                    /**< The client is already connected. */
+    NET_CLIENT_ERROR_NOT_CONNECTED,                    /**< The client is not connected. */
+    NET_CLIENT_ERROR_CONNECTION_LOST,                  /**< The connection is lost. */
+    NET_CLIENT_ERROR_TLS_ACTIVE,                       /**< TLS is already active for the connection. */
+    NET_CLIENT_ERROR_COMP_ACTIVE,                      /**< Compression is already active for the 
connection. */
+    NET_CLIENT_ERROR_LINE_TOO_LONG,                    /**< The line is too long. */
+    NET_CLIENT_ERROR_GNUTLS,                           /**< A GnuTLS error occurred. */
+    NET_CLIENT_ERROR_GSSAPI                            /**< A GSSAPI error occurred. */
 };
 
 
-GType net_client_get_type(void)
-G_GNUC_CONST;
-
-
 /** @brief Create a new network client
  *
  * @param host_and_port remote host and port or service, separated by a colon, which shall be
@@ -219,6 +214,17 @@ gboolean net_client_start_tls(NetClient *client,
                               GError   **error);
 
 
+/** @brief Start compression
+ *
+ * @param client network client
+ * @param error filled with error information on error
+ * @return TRUE if the connection is now compressed, FALSE on error
+ *
+ * Enable deflate compression of the connection, as defined by e. g. RFC 4978 <em>The IMAP COMPRESS 
Extension</em>.
+ */
+gboolean net_client_start_compression(NetClient *client, GError **error);
+
+
 /** @brief Read a CRLF-terminated line from a network client
  *
  * @param client network client
@@ -329,7 +335,27 @@ gboolean net_client_set_timeout(NetClient *client,
                                 guint      timeout_secs);
 
 
-/**
+/** @brief Get the socket
+ *
+ * @param client network client
+ * @return the network client's socket on success, or NULL on error
+ *
+ * Gets the underlying GSocket object of the network client connection, e. g. for monitoring it via a 
GSource.
+ */
+GSocket *net_client_get_socket(NetClient *client);
+
+
+/** @brief Check for pending input data
+ *
+ * @param client network client
+ * @return TRUE if data is available for reading
+ *
+ * Returns if data is ready for reading, because either the socket is ready, or there is still data in the 
buffering input stream.
+ */
+gboolean net_client_can_read(NetClient *client);
+
+
+/** 
  * @mainpage
  *
  * This library provides an implementation of CRLF-terminated line-based client protocols built
@@ -340,6 +366,8 @@ gboolean net_client_set_timeout(NetClient *client,
  * net-client-utils.h contains some
  * helper functions for authentication.
  *
+ * The module net-client-siobuf.h implements some functions for replacing the @em siobuf in Balsa's 
libbalsa/imap module.
+ *
  * \author Written by Albrecht Dreß mailto:albrecht dress arcor de
  * \copyright Copyright &copy; Albrecht Dreß 2017<br/>
  * This library is free software: you can redistribute it and/or modify it under the terms of
diff --git a/libnetclient/test/Makefile.am b/libnetclient/test/Makefile.am
index a04d45e0..b900c744 100644
--- a/libnetclient/test/Makefile.am
+++ b/libnetclient/test/Makefile.am
@@ -2,7 +2,8 @@
 
 # Note: the following hack is needed so lcov recognises the paths of the sources...
 libsrcdir = $(shell echo $(abs_srcdir) | sed -e 's;/test$$;;')
-test_src = $(libsrcdir)/net-client.c $(libsrcdir)/net-client-pop.c $(libsrcdir)/net-client-smtp.c 
$(libsrcdir)/net-client-utils.c
+test_src = $(libsrcdir)/net-client.c $(libsrcdir)/net-client-pop.c $(libsrcdir)/net-client-siobuf.c \
+       $(libsrcdir)/net-client-smtp.c $(libsrcdir)/net-client-utils.c
 
 EXTRA_DIST =           \
        tests.c                 \
@@ -25,7 +26,7 @@ clean-local:
        -rm -rf gcov
 
 tests: tests.c
-       $(CC) $(LIBNETCLIENT_CFLAGS) $(CPPFLAGS) $(TESTFLAGS) -I. -I.. -I../.. $< $(test_src) -o $@ 
$(LIBNETCLIENT_LIBS)
+       $(CC) $(LIBNETCLIENT_CFLAGS) $(CPPFLAGS) $(TESTFLAGS) -DG_LOG_DOMAIN=\"libnetclient\" -I. -I.. 
-I../.. $< $(test_src) -o $@ $(LIBNETCLIENT_LIBS)
        $(VALGRIND) $(VALGRFLAGS) ./$@
        $(LCOV) $(LCOVFLGS) -c -b $(libsrcdir) -d $(abs_srcdir) --no-external -o $@.covi
        $(LCOV) $(LCOVFLGS) -r $@.covi $< -o $@.covi
diff --git a/libnetclient/test/echoserver.py b/libnetclient/test/echoserver.py
index ab827304..2905f8b0 100644
--- a/libnetclient/test/echoserver.py
+++ b/libnetclient/test/echoserver.py
@@ -5,6 +5,8 @@
 # Echo server listening at port 65000, with the following non-standard
 # features:
 # - any 'x' in the received string is replaced by 'ThisIsLong'
+# - 'COMPRESS' in the received string causes the connection to be switched
+#   to deflate compression
 # - 'DISCONNECT' in the received string causes the connection to be closed
 # 
 # Copyright (C) Albrecht Dreß <mailto:albrecht dress arcor de> 2017
@@ -24,6 +26,7 @@
 
 import sys
 import socket
+import zlib
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 server_address = ('localhost', 65000)
@@ -34,9 +37,11 @@ while True:
     connection, client_address = sock.accept()
     try:
         comp = False
+        comp_ctx = zlib.compressobj(-1, zlib.DEFLATED, -15)
+        decomp_ctx = zlib.decompressobj(-15)
         while True:
             if comp:
-                data = zlib.decompress(connection.recv(2048))
+                data = decomp_ctx.decompress(connection.recv(2048))
             else:
                 data = connection.recv(2048)
             if data:
@@ -45,9 +50,12 @@ while True:
                     break
                 data = data.replace('x', 'ThisIsLong')
                 if comp:
-                    connection.sendall(zlib.compress(data))
+                    connection.sendall(comp_ctx.compress(data) + comp_ctx.flush(zlib.Z_FULL_FLUSH))
                 else:
                     connection.sendall(data)
+                if data.startswith('COMPRESS'):
+                    print "compression enabled"
+                    comp = True
             else:
                 break
     finally:
diff --git a/libnetclient/test/start-test-env.sh.in b/libnetclient/test/start-test-env.sh.in
index e1f10fd6..37e99211 100644
--- a/libnetclient/test/start-test-env.sh.in
+++ b/libnetclient/test/start-test-env.sh.in
@@ -23,5 +23,5 @@ EOF
 
 echo "shut down echo and GnuTLS servers..."
 @SCREEN@ -S e_echo -X quit
-@SCREEN@ -S s_server1 -X quit
-@SCREEN@ -S s_server2 -X quit
+@SCREEN@ -S s_server1 -X stuff $'\003'
+@SCREEN@ -S s_server2 -X stuff $'\003'
diff --git a/libnetclient/test/tests.c b/libnetclient/test/tests.c
index 12ecbb34..eb20401a 100644
--- a/libnetclient/test/tests.c
+++ b/libnetclient/test/tests.c
@@ -13,19 +13,25 @@
  */
 
 #include <sys/types.h>
+#include <poll.h>
 #include <signal.h>
 #include <string.h>
 #include <sput.h>
 #include "net-client.h"
 #include "net-client-smtp.h"
 #include "net-client-pop.h"
+#include "net-client-siobuf.h"
 #include "net-client-utils.h"
 
 
+#define SUPPRESS_CRITICALS             1
+
+
 static void test_basic(void);
 static void test_basic_crypt(void);
 static void test_smtp(void);
 static void test_pop3(void);
+static void test_siobuf(void);
 static void test_utils(void);
 
 
@@ -35,10 +41,11 @@ log_dummy(const gchar G_GNUC_UNUSED *log_domain, GLogLevelFlags G_GNUC_UNUSED lo
 {
 }
 
+
 int
 main(G_GNUC_UNUSED int argc, G_GNUC_UNUSED char **argv)
 {
-       g_log_set_default_handler(log_dummy, NULL);
+       g_log_set_handler("libnetclient", G_LOG_LEVEL_MASK, log_dummy, NULL);
 
        sput_start_testing();
 
@@ -54,6 +61,9 @@ main(G_GNUC_UNUSED int argc, G_GNUC_UNUSED char **argv)
        sput_enter_suite("test POP3");
        sput_run_test(test_pop3);
 
+       sput_enter_suite("test SIOBUF (libbalsa/imap compatibility layer)");
+       sput_run_test(test_siobuf);
+
        sput_enter_suite("test utility functions");
        sput_run_test(test_utils);
 
@@ -70,13 +80,21 @@ test_basic(void)
        GError *error = NULL;
        gboolean op_res;
        gchar *read_res;
+       struct pollfd fds[1];
 
        sput_fail_unless(net_client_new(NULL, 65000, 42) == NULL, "missing host");
 
        sput_fail_unless((basic = net_client_new("localhost", 64999, 42)) != NULL, "localhost; port 64999");
        sput_fail_unless(net_client_get_host(NULL) == NULL, "get host w/o client");
+       sput_fail_unless(net_client_get_socket(NULL) == NULL, "get host w/o client");
        sput_fail_unless(strcmp(net_client_get_host(basic), "localhost") == 0, "read host ok");
+       sput_fail_unless(net_client_get_socket(basic) == NULL, "get socket w/o connection");
+       sput_fail_unless(net_client_can_read(NULL) == FALSE, "check can read w/o client");
+       sput_fail_unless(net_client_can_read(basic) == FALSE, "check can read w/o connection");
        sput_fail_unless(net_client_connect(basic, NULL) == FALSE, "connect failed");
+       op_res = net_client_start_compression(basic, &error);
+       sput_fail_unless((op_res == FALSE) && (error->code == NET_CLIENT_ERROR_NOT_CONNECTED), "start 
compression: not connected");
+       g_clear_error(&error);
        g_object_unref(basic);
 
        sput_fail_unless((basic = net_client_new("www.google.com", 80, 1)) != NULL, "www.google.com:80; port 
0");
@@ -101,6 +119,7 @@ test_basic(void)
        op_res = net_client_configure(basic, "localhost", 65000, 42, &error);
        sput_fail_unless((op_res == FALSE) && (error->code == NET_CLIENT_ERROR_CONNECTED), "cannot configure 
already connected");
        g_clear_error(&error);
+       sput_fail_unless(net_client_get_socket(basic) != NULL, "get socket ok");
 
        sput_fail_unless(net_client_write_buffer(NULL, "xxx", 3U, NULL) == FALSE, "write buffer w/o client");
        sput_fail_unless(net_client_write_buffer(basic, NULL, 3U, NULL) == FALSE, "write buffer w/o buffer");
@@ -137,8 +156,54 @@ test_basic(void)
        sput_fail_unless((op_res == FALSE) && (error->code == NET_CLIENT_ERROR_LINE_TOO_LONG), "read line too 
long");
        g_clear_error(&error);
 
-       sput_fail_unless(net_client_write_buffer(basic, "DISCONNECT\r\n", 12U, NULL) == TRUE, "disconnect");
+       sput_fail_unless(net_client_can_read(basic) == FALSE, "no data");
+       sput_fail_unless(net_client_write_buffer(basic, "line1\r\nline2\r\n", 14U, NULL) == TRUE, "write 
lines");
+       sput_fail_unless(net_client_can_read(basic) == TRUE, "data ready");
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("line1", read_res) == 0), "read line 1 ok");
+       g_free(read_res);
+       sput_fail_unless(net_client_can_read(basic) == TRUE, "data ready");
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("line2", read_res) == 0), "read line 2 ok");
+       g_free(read_res);
+       sput_fail_unless(net_client_can_read(basic) == FALSE, "no data");
+
+       sput_fail_unless(net_client_start_compression(NULL, NULL) == FALSE, "start compression w/o client");
+       op_res = net_client_execute(basic, &read_res, "COMPRESS", NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("COMPRESS", read_res) == 0), "execute 'COMPRESS' ok");
+       g_free(read_res);
+       sput_fail_unless(net_client_start_compression(basic, NULL) == TRUE, "start compression");
+       op_res = net_client_start_compression(basic, &error);
+       sput_fail_unless((op_res == FALSE) && (error->code == NET_CLIENT_ERROR_COMP_ACTIVE), "compression 
already enabled");
+       g_clear_error(&error);
+
+       sput_fail_unless(net_client_can_read(basic) == FALSE, "no data");
+       sput_fail_unless(net_client_write_buffer(basic, "line1\r\nline2\r\n", 14U, NULL) == TRUE, "write 
lines");
+       sput_fail_unless(net_client_can_read(basic) == TRUE, "data ready");
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("line1", read_res) == 0), "read line 1 ok");
+       g_free(read_res);
+       sput_fail_unless(net_client_can_read(basic) == TRUE, "data ready");
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("line2", read_res) == 0), "read line 2 ok");
+       g_free(read_res);
+       sput_fail_unless(net_client_can_read(basic) == FALSE, "no data");
+
+       fds[0].fd = g_socket_get_fd(net_client_get_socket(basic));
+       fds[0].events = POLLIN;
+       poll(fds, 1, 0);
+       sput_fail_unless((fds[0].revents & POLLIN) == 0, "no data for reading");
+
+       sput_fail_unless(net_client_write_line(basic, "Hi There", NULL) == TRUE, "send data");
+
+       poll(fds, 1, 1000);
+       sput_fail_unless((fds[0].revents & POLLIN) == POLLIN, "data ready for reading");
 
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("Hi There", read_res) == 0), "receive data ok");
+       g_free(read_res);
+
+       sput_fail_unless(net_client_write_buffer(basic, "DISCONNECT\r\n", 12U, NULL) == TRUE, "disconnect");
        op_res = net_client_read_line(basic, NULL, &error);
        sput_fail_unless((op_res == FALSE) && (error->code = NET_CLIENT_ERROR_CONNECTION_LOST), "read line, 
client lost");
        g_clear_error(&error);
@@ -175,7 +240,9 @@ test_basic_crypt(void)
 {
        NetClient *basic;
        gboolean op_res;
+       gchar *read_res;
        GError *error = NULL;
+       struct pollfd fds[1];
 
        /* tests without client cert check */
        sput_fail_unless((basic = net_client_new("localhost", 65001, 42)) != NULL, "localhost; port 65001");
@@ -200,6 +267,36 @@ test_basic_crypt(void)
        op_res = net_client_start_tls(basic, &error);
        sput_fail_unless((op_res == FALSE) && (error->code == NET_CLIENT_ERROR_TLS_ACTIVE), "start tls: 
already started");
        g_clear_error(&error);
+
+       fds[0].fd = g_socket_get_fd(net_client_get_socket(basic));
+       fds[0].events = POLLIN;
+       poll(fds, 1, 0);
+       sput_fail_unless((fds[0].revents & POLLIN) == 0, "no data for reading");
+
+       sput_fail_unless(net_client_write_line(basic, "Hi There", NULL) == TRUE, "send data");
+
+       poll(fds, 1, 1000);
+       sput_fail_unless((fds[0].revents & POLLIN) == POLLIN, "data ready for reading");
+
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("Hi There", read_res) == 0), "read data ok");
+       g_free(read_res);
+
+       sput_fail_unless(net_client_can_read(basic) == FALSE, "no data");
+       sput_fail_unless(net_client_write_buffer(basic, "line1\r\nline2\r\n", 14U, NULL) == TRUE, "write 
lines");
+       sput_fail_unless(net_client_can_read(basic) == TRUE, "data ready");
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("line1", read_res) == 0), "read line 1 ok");
+       g_free(read_res);
+       sput_fail_unless(net_client_can_read(basic) == TRUE, "data ready");
+       op_res = net_client_read_line(basic, &read_res, NULL);
+       sput_fail_unless((op_res == TRUE) && (strcmp("line2", read_res) == 0), "read line 2 ok");
+       g_free(read_res);
+       sput_fail_unless(net_client_can_read(basic) == FALSE, "no data");
+
+       /* compression on top of tls */
+       sput_fail_unless(net_client_start_compression(basic, NULL) == TRUE, "start compression");
+       // TODO - how can we check exchanging compressed data over tls?
        g_object_unref(basic);
 
        /* tests with client cert check */
@@ -690,6 +787,98 @@ test_pop3(void)
 }
 
 
+static void
+test_siobuf(void)
+{
+       NetClientSioBuf *siobuf;
+       gchar buffer[64];
+       GError *error = NULL;
+       gint read_res;
+       gboolean op_res;
+       gchar *recv_data;
+
+       sput_fail_unless(net_client_siobuf_new(NULL, 65000) == NULL, "missing host");
+       sput_fail_unless((siobuf = net_client_siobuf_new("localhost", 65000)) != NULL, "localhost; port 
65000");
+
+       sput_fail_unless(net_client_siobuf_getc(NULL, NULL)  == -1, "getc w/o client");
+       sput_fail_unless(net_client_siobuf_getc(siobuf, NULL) == -1, "getc fails, not connected");
+
+       sput_fail_unless(net_client_siobuf_gets(NULL, buffer, 1024U, NULL) == NULL, "gets w/o client");
+       sput_fail_unless(net_client_siobuf_gets(siobuf, NULL, 1024U, NULL) == NULL, "gets w/o buffer");
+       sput_fail_unless(net_client_siobuf_gets(siobuf, buffer, 0U, NULL) == NULL, "gets w/o buffer size");
+       sput_fail_unless(net_client_siobuf_gets(siobuf, buffer, 32U, NULL) == NULL, "gets fails, not 
connected");
+
+       sput_fail_unless(net_client_siobuf_read(NULL, buffer, 1024U, NULL) == -1, "read w/o client");
+       sput_fail_unless(net_client_siobuf_read(siobuf, NULL, 1024U, NULL) == -1, "read w/o buffer");
+       sput_fail_unless(net_client_siobuf_read(siobuf, buffer, 0U, NULL) == -1, "read w/o buffer size");
+       sput_fail_unless(net_client_siobuf_read(siobuf, buffer, 32U, NULL) == -1, "read fails, not 
connected");
+
+       sput_fail_unless(net_client_siobuf_ungetc(NULL) == -1, "ungetc w/o client");
+       sput_fail_unless(net_client_siobuf_ungetc(siobuf) == -1, "ungetc at beginning of buffer");
+
+       sput_fail_unless(net_client_set_timeout(NET_CLIENT(siobuf), 10) == TRUE, "set timeout");
+       sput_fail_unless(net_client_connect(NET_CLIENT(siobuf), NULL) == TRUE, "connect");
+       sput_fail_unless(net_client_write_buffer(NET_CLIENT(siobuf), "line1\r\nLINE2\r\nABCD3\r\n", 21U, 
NULL) == TRUE, "write data");
+
+       sput_fail_unless(net_client_siobuf_getc(siobuf, NULL) == 'l', "getc ok");
+       sput_fail_unless(net_client_siobuf_getc(siobuf, NULL) == 'i', "getc ok");
+       sput_fail_unless(net_client_siobuf_ungetc(siobuf) == 0, "ungetc ok");
+       sput_fail_unless(net_client_siobuf_ungetc(siobuf) == 0, "ungetc ok");
+       sput_fail_unless(net_client_siobuf_ungetc(siobuf) == -1, "ungetc at beginning of buffer");
+
+       sput_fail_unless((net_client_siobuf_gets(siobuf, buffer, 3U, NULL) == buffer) && (strcmp(buffer, 
"li") == 0), "gets ok");
+       sput_fail_unless((net_client_siobuf_gets(siobuf, buffer, 32U, NULL) == buffer) && (strcmp(buffer, 
"ne1\r\n") == 0), "gets ok");
+
+       memset(buffer, 0, sizeof(buffer));
+       sput_fail_unless((net_client_siobuf_read(siobuf, buffer, 10U, NULL) == 10) && (strcmp(buffer, 
"LINE2\r\nABC") == 0), "read ok");
+       memset(buffer, 0, sizeof(buffer));
+       read_res = net_client_siobuf_read(siobuf, buffer, 10U, &error);
+       sput_fail_unless((read_res == 4) && (strcmp(buffer, "D3\r\n") == 0) && (error->code == 
G_IO_ERROR_TIMED_OUT), "short read ok");
+       g_clear_error(&error);
+
+       net_client_siobuf_write(NULL, "abcd", 4U);
+       net_client_siobuf_write(siobuf, NULL, 4U);
+       net_client_siobuf_write(siobuf, "abcd", 0U);
+       net_client_siobuf_write(siobuf, "abcd", 4U);
+
+       net_client_siobuf_printf(NULL, "%d", 4711);
+       net_client_siobuf_printf(siobuf, NULL);
+       net_client_siobuf_printf(siobuf, "%d", 4711);
+
+       sput_fail_unless(net_client_siobuf_flush(NULL, NULL) == FALSE, "flush write w/o client");
+       sput_fail_unless(net_client_siobuf_flush(siobuf, NULL) == TRUE, "flush successful");
+       sput_fail_unless(net_client_siobuf_flush(siobuf, NULL) == FALSE, "flush write w/o data");
+
+       op_res = net_client_read_line(NET_CLIENT(siobuf), &recv_data, &error);
+       sput_fail_unless(op_res && (strcmp(recv_data, "abcd4711") == 0), "buffered write: read back ok");
+       g_free(recv_data);
+       sput_fail_unless(net_client_can_read(NET_CLIENT(siobuf)) == FALSE, "no data left");
+
+       net_client_siobuf_write(siobuf, "abcd\r\n1234\r\nqrst\r\n9876", 22U);
+       sput_fail_unless(net_client_siobuf_flush(siobuf, NULL) == TRUE, "flush successful");
+
+       sput_fail_unless(net_client_siobuf_get_line(NULL, NULL) == NULL, "get line w/o client");
+       sput_fail_unless(net_client_siobuf_getc(siobuf, NULL) == 'a', "getc ok");
+       recv_data = net_client_siobuf_get_line(siobuf, NULL);
+       sput_fail_unless(strcmp(recv_data, "bcd") == 0, "get line #1 ok");
+       g_free(recv_data);
+       recv_data = net_client_siobuf_get_line(siobuf, NULL);
+       sput_fail_unless(strcmp(recv_data, "1234") == 0, "get line #2 ok");
+       g_free(recv_data);
+       sput_fail_unless((net_client_siobuf_gets(siobuf, buffer, 5U, NULL) == buffer) && (strcmp(buffer, 
"qrst") == 0), "gets ok");
+       recv_data = net_client_siobuf_get_line(siobuf, NULL);
+       sput_fail_unless(strcmp(recv_data, "") == 0, "get line #3 ok");
+       g_free(recv_data);
+
+       sput_fail_unless(net_client_siobuf_getc(siobuf, NULL) == '9', "getc ok");
+       sput_fail_unless(net_client_siobuf_discard_line(NULL, NULL) == -1, "discard line w/o client");
+       sput_fail_unless(net_client_siobuf_discard_line(siobuf, NULL) == '\n', "discard line ok");
+       sput_fail_unless(net_client_siobuf_discard_line(siobuf, NULL) == -1, "discard line w/o data");
+       sput_fail_unless(net_client_siobuf_get_line(siobuf, NULL) == NULL, "get line w/o data");
+
+       g_object_unref(siobuf);
+}
+
 static void
 test_utils(void)
 {
diff --git a/meson.build b/meson.build
index 9e3b41c6..2811aff1 100644
--- a/meson.build
+++ b/meson.build
@@ -337,39 +337,6 @@ if osmo
     description : 'If defined, enable Osmo address book support.')
 endif # osmo
 
-# OpenSSL configuration.
-#
-ssl_dep = dependency('openssl')
-if not ssl_dep.found()
-  if not compiler.has_header('openssl/ssl.h')
-    error('OpenSSL headers not found')
-  endif
-
-  # Look for SSL_library_init
-  code = '''
-  /* Override any GCC internal prototype to avoid an error.
-     Use char because int might match the return type of a GCC
-     builtin and then its argument prototype would still apply.  */
-  char SSL_library_init ();
-  int
-  main ()
-  {
-    return SSL_library_init ();
-  }
-  '''
-  ssl_link_args = ['-lssl', '-lcrypto']
-  result = compiler.links(code,
-                          args : ssl_link_args,
-                          name : 'OpenSSL test')
-  if result
-    ssl_dep = declare_dependency(linkargs : ssl_link_args)
-  else
-    error('libssl not found')
-  endif
-endif # not ssl_dep.found()
-balsa_deps += ssl_dep
-balsa_ab_deps += ssl_dep
-
 # KRB5/GSSAPI configuration.
 #
 if gss
@@ -544,10 +511,6 @@ if compiler.has_function('ctime_r')
     description : 'Define to 1 if you have the ‘ctime_r’ function.')
 endif
 
-if not compiler.has_header('zlib.h')
-  error('zlib library required')
-endif
-
 if compiler.has_header('locale.h')
   conf.set('HAVE_LOCALE_H', 1,
     description : 'Define to 1 if you have the <locale.h> header')
diff --git a/src/ab-window.c b/src/ab-window.c
index 7abfbbed..c2d0ccc9 100644
--- a/src/ab-window.c
+++ b/src/ab-window.c
@@ -23,6 +23,7 @@
 #include "ab-window.h"
 
 #include <string.h>
+#include <stdlib.h>
 #include <glib/gi18n.h>
 #include "address-view.h"
 #include "balsa-app.h"
diff --git a/src/folder-conf.c b/src/folder-conf.c
index 4a2d9a1b..799c6bed 100644
--- a/src/folder-conf.c
+++ b/src/folder-conf.c
@@ -58,7 +58,6 @@ struct _FolderDialogData {
     BalsaServerConf bsc;
     GtkWidget *folder_name, *port, *username, *anonymous, *remember,
         *password, *subscribed, *list_inbox, *prefix;
-    GtkWidget *use_ssl, *tls_mode;
     GtkWidget *connection_limit, *enable_persistent,
         *use_idle, *has_bugs, *use_status;
 };
@@ -145,10 +144,25 @@ static void
 validate_folder(GtkWidget *w, FolderDialogData * fcw)
 {
     gboolean sensitive = TRUE;
-    if (!*gtk_entry_get_text(GTK_ENTRY(fcw->folder_name)))
-       sensitive = FALSE;
-    else if (!*gtk_entry_get_text(GTK_ENTRY(fcw->bsc.server)))
-       sensitive = FALSE;
+
+    if (!*gtk_entry_get_text(GTK_ENTRY(fcw->folder_name))) {
+       sensitive = FALSE;
+    } else if (!*gtk_entry_get_text(GTK_ENTRY(fcw->bsc.server))) {
+       sensitive = FALSE;
+    }
+
+    /* encryption w/ client cert requires cert file */
+    if (sensitive &&
+       ((gtk_combo_box_get_active(GTK_COMBO_BOX(fcw->bsc.security)) + 1) != NET_CLIENT_CRYPT_NONE) &&
+               gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(fcw->bsc.need_client_cert))) {
+       gchar *cert_file;
+
+       cert_file = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(fcw->bsc.client_cert_file));
+       if ((cert_file == NULL) || (cert_file[0] == '\0')) {
+               sensitive = FALSE;
+       }
+       g_free(cert_file);
+    }
 
     gtk_dialog_set_response_sensitive(fcw->dialog, GTK_RESPONSE_OK, sensitive);
 }
@@ -167,6 +181,19 @@ remember_cb(GtkToggleButton * button, FolderDialogData * fcw)
                              gtk_toggle_button_get_active(button));
 }
 
+static void
+security_cb(GtkComboBox *combo, FolderDialogData *fcw)
+{
+       gboolean sensitive;
+
+       sensitive = (gtk_combo_box_get_active(combo) + 1) != NET_CLIENT_CRYPT_NONE;
+       gtk_widget_set_sensitive(fcw->bsc.need_client_cert, sensitive);
+       sensitive = sensitive & gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(fcw->bsc.need_client_cert));
+       gtk_widget_set_sensitive(fcw->bsc.client_cert_file, sensitive);
+       gtk_widget_set_sensitive(fcw->bsc.client_cert_passwd, sensitive);
+       validate_folder(GTK_WIDGET(combo), fcw);
+}
+
 static gboolean
 folder_conf_clicked_ok(FolderDialogData * fcw)
 {
@@ -187,7 +214,7 @@ folder_conf_clicked_ok(FolderDialogData * fcw)
         libbalsa_server_connect_get_password(s, G_CALLBACK(ask_password), NULL);
     }
 
-    libbalsa_server_set_tls_mode(s, balsa_server_conf_get_tls_mode(&fcw->bsc));
+    libbalsa_server_set_security(s, balsa_server_conf_get_security(&fcw->bsc));
     libbalsa_imap_server_set_max_connections
         (LIBBALSA_IMAP_SERVER(s),
          gtk_spin_button_get_value_as_int(GTK_SPIN_BUTTON
@@ -232,8 +259,7 @@ folder_conf_clicked_ok(FolderDialogData * fcw)
     balsa_mailbox_node_set_list_inbox(fcw->mbnode,
             gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(fcw->list_inbox)));
 
-    libbalsa_server_set_host(s, host, 
-                             balsa_server_conf_get_use_ssl(&fcw->bsc));
+    libbalsa_server_set_host(s, host, libbalsa_server_get_security(s));
     libbalsa_server_config_changed(s); /* trigger config save */
 
     if (insert) {
@@ -320,7 +346,7 @@ folder_conf_imap_node(BalsaMailboxNode *mn)
     g_object_set(G_OBJECT(grid), "margin", 12, NULL);
     gtk_notebook_append_page(GTK_NOTEBOOK(notebook), grid,
                              gtk_label_new_with_mnemonic(_("_Basic")));
-    advanced = balsa_server_conf_get_advanced_widget(&fcw->bsc, s, 3);
+    advanced = balsa_server_conf_get_advanced_widget(&fcw->bsc);
     /* Limit number of connections */
     fcw->connection_limit = 
         balsa_server_conf_add_spinner
@@ -372,9 +398,21 @@ folder_conf_imap_node(BalsaMailboxNode *mn)
         libbalsa_create_grid_entry(grid, G_CALLBACK(validate_folder),
                                    fcw, r++, s ? libbalsa_server_get_host(s) : default_server,
                                    label);
-    fcw->bsc.default_ports = IMAP_DEFAULT_PORTS;
     g_free(default_server);
 
+    label = libbalsa_create_grid_label(_("Se_curity:"), grid, r);
+    fcw->bsc.security = gtk_combo_box_text_new();
+    gtk_widget_set_hexpand(fcw->bsc.security, TRUE);
+    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(fcw->bsc.security), _("IMAP over SSL (IMAPS)"));
+    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(fcw->bsc.security), _("TLS required"));
+    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(fcw->bsc.security), _("TLS if possible (not 
recommended)"));
+    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(fcw->bsc.security), _("None (not recommended)"));
+    gtk_grid_attach(GTK_GRID(grid), fcw->bsc.security, 1, r++, 1, 1);
+    gtk_combo_box_set_active(GTK_COMBO_BOX(fcw->bsc.security),
+                             s != NULL ? libbalsa_server_get_security(s) - 1 : NET_CLIENT_CRYPT_STARTTLS - 
1);
+    g_signal_connect(fcw->bsc.security, "changed", G_CALLBACK(security_cb), fcw);
+    gtk_label_set_mnemonic_widget(GTK_LABEL(label), fcw->bsc.security);
+
     label= libbalsa_create_grid_label(_("Use_r name:"), grid, r);
     fcw->username =
         libbalsa_create_grid_entry(grid, G_CALLBACK(validate_folder),
diff --git a/src/mailbox-conf.c b/src/mailbox-conf.c
index 45023994..43465eea 100644
--- a/src/mailbox-conf.c
+++ b/src/mailbox-conf.c
@@ -99,7 +99,6 @@ struct _MailboxConfWindow {
 
        /* for pop3 mailboxes */
        struct {
-               GtkWidget *security;
            GtkWidget *username;
            GtkWidget *password;
            GtkWidget *check;
@@ -179,74 +178,8 @@ mailbox_conf_combo_box_make(GtkComboBoxText * combo_box, unsigned cnt,
 }
 
 
-static void
-bsc_ssl_toggled_cb(GtkWidget * widget, BalsaServerConf * bsc)
-{
-    const gchar *host, *colon;
-    gboolean newstate =
-        !gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
-
-    gtk_widget_set_sensitive(bsc->tls_option, newstate);
-
-    host = gtk_entry_get_text(GTK_ENTRY(bsc->server));
-    if ((colon = strchr(host, ':')) != NULL) {
-       /* A port was specified... */
-       gchar *port = g_ascii_strdown(colon + 1, -1);
-        if (strstr(bsc->default_ports, port) != NULL)
-           /* and it is one of the default ports, so strip it. */
-           gtk_editable_delete_text(GTK_EDITABLE(bsc->server),
-                                     colon - host, -1);
-       g_free(port);
-    }
-}
-
 GtkWidget*
-balsa_server_conf_get_advanced_widget(BalsaServerConf *bsc, LibBalsaServer *s,
-                                      int extra_rows)
-{
-    static const struct menu_data tls_menu[] = {
-        { N_("Never"),       LIBBALSA_TLS_DISABLED },
-        { N_("If Possible"), LIBBALSA_TLS_ENABLED  },
-        { N_("Required"),    LIBBALSA_TLS_REQUIRED }
-    };
-    GtkWidget *label;
-    GtkWidget *box;
-    gboolean use_ssl = s && libbalsa_server_get_use_ssl(s);
-
-    box = gtk_box_new(GTK_ORIENTATION_VERTICAL, 0);
-
-    bsc->grid = GTK_GRID(libbalsa_create_grid());
-    g_object_set(G_OBJECT(bsc->grid), "margin", 12, NULL);
-    gtk_box_pack_start(GTK_BOX(box), GTK_WIDGET(bsc->grid));
-
-    bsc->used_rows = 0;
-
-    bsc->use_ssl = balsa_server_conf_add_checkbox(bsc, _("Use _SSL"));
-    if(use_ssl)
-       gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(bsc->use_ssl), TRUE);
-
-    label =
-        libbalsa_create_grid_label(_("Use _TLS:"), GTK_WIDGET(bsc->grid), 1);
-
-    bsc->tls_option = gtk_combo_box_text_new();
-    gtk_widget_set_hexpand(bsc->tls_option, TRUE);
-    mailbox_conf_combo_box_make(GTK_COMBO_BOX_TEXT(bsc->tls_option),
-                                G_N_ELEMENTS(tls_menu), tls_menu);
-    gtk_combo_box_set_active(GTK_COMBO_BOX(bsc->tls_option),
-                             s ? libbalsa_server_get_tls_mode(s) : LIBBALSA_TLS_ENABLED);
-    gtk_grid_attach(bsc->grid, bsc->tls_option, 1, 1, 1, 1);
-    gtk_label_set_mnemonic_widget(GTK_LABEL(label), bsc->tls_option);
-
-    g_signal_connect(G_OBJECT (bsc->use_ssl), "toggled",
-                     G_CALLBACK (bsc_ssl_toggled_cb), bsc);
-    bsc->used_rows = 2;
-    gtk_widget_set_sensitive(bsc->tls_option, !use_ssl);
-
-    return box;
-}
-
-static GtkWidget*
-balsa_server_conf_get_advanced_widget_new(BalsaServerConf *bsc)
+balsa_server_conf_get_advanced_widget(BalsaServerConf *bsc)
 {
     GtkWidget *box;
     GtkWidget *label;
@@ -303,35 +236,10 @@ balsa_server_conf_add_spinner(BalsaServerConf *bsc,
     return spin_button;
 }
 
-void
-balsa_server_conf_set_values(BalsaServerConf *bsc, LibBalsaServer *server)
-{
-    g_return_if_fail(server);
-
-    gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(bsc->use_ssl), 
-                                 libbalsa_server_get_use_ssl(server));
-    gtk_combo_box_set_active(GTK_COMBO_BOX(bsc->tls_option),
-                             libbalsa_server_get_tls_mode(server));
-    gtk_widget_set_sensitive(bsc->tls_option, !libbalsa_server_get_use_ssl(server));
-}
-
-
-gboolean
-balsa_server_conf_get_use_ssl(BalsaServerConf *bsc)
-{
-    return gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(bsc->use_ssl));
-}
-
-LibBalsaTlsMode
-balsa_server_conf_get_tls_mode(BalsaServerConf *bsc)
+NetClientCryptMode
+balsa_server_conf_get_security(BalsaServerConf *bsc)
 {
-    struct mailbox_conf_combo_box_info *info =
-        g_object_get_data(G_OBJECT(bsc->tls_option),
-                          BALSA_MC_COMBO_BOX_INFO);
-    gint active = gtk_combo_box_get_active(GTK_COMBO_BOX(bsc->tls_option));
-
-    return (LibBalsaTlsMode)
-        GPOINTER_TO_INT(g_slist_nth_data(info->tags, active));
+       return gtk_combo_box_get_active(GTK_COMBO_BOX(bsc->security)) + 1;
 }
 
 /* END BalsaServerConf ===================================== */
@@ -350,10 +258,16 @@ static void
 client_cert_changed(GtkToggleButton *button, MailboxConfWindow *mcw)
 {
        gboolean sensitive;
+       BalsaServerConf *bsc;
 
+       if (g_type_is_a(mcw->mailbox_type, LIBBALSA_TYPE_MAILBOX_POP3)) {
+               bsc = &mcw->mb_data.pop3.bsc;
+       } else {
+               bsc = &mcw->mb_data.imap.bsc;
+       }
        sensitive = gtk_toggle_button_get_active(button);
-       gtk_widget_set_sensitive(mcw->mb_data.pop3.bsc.client_cert_file, sensitive);
-       gtk_widget_set_sensitive(mcw->mb_data.pop3.bsc.client_cert_passwd, sensitive);
+       gtk_widget_set_sensitive(bsc->client_cert_file, sensitive);
+       gtk_widget_set_sensitive(bsc->client_cert_passwd, sensitive);
     check_for_blank_fields(NULL, mcw);
 }
 
@@ -361,12 +275,18 @@ static void
 security_changed(GtkComboBox *combo, MailboxConfWindow *mcw)
 {
        gboolean sensitive;
+       BalsaServerConf *bsc;
 
+       if (g_type_is_a(mcw->mailbox_type, LIBBALSA_TYPE_MAILBOX_POP3)) {
+               bsc = &mcw->mb_data.pop3.bsc;
+       } else {
+               bsc = &mcw->mb_data.imap.bsc;
+       }
        sensitive = (gtk_combo_box_get_active(combo) + 1) != NET_CLIENT_CRYPT_NONE;
-       gtk_widget_set_sensitive(mcw->mb_data.pop3.bsc.need_client_cert, sensitive);
-       sensitive = sensitive & 
gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(mcw->mb_data.pop3.bsc.need_client_cert));
-       gtk_widget_set_sensitive(mcw->mb_data.pop3.bsc.client_cert_file, sensitive);
-       gtk_widget_set_sensitive(mcw->mb_data.pop3.bsc.client_cert_passwd, sensitive);
+       gtk_widget_set_sensitive(bsc->need_client_cert, sensitive);
+       sensitive = sensitive & gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(bsc->need_client_cert));
+       gtk_widget_set_sensitive(bsc->client_cert_file, sensitive);
+       gtk_widget_set_sensitive(bsc->client_cert_passwd, sensitive);
     check_for_blank_fields(NULL, mcw);
 }
 
@@ -690,7 +610,7 @@ mailbox_conf_set_values_pop3(LibBalsaMailbox * mailbox,
         gtk_entry_set_text(GTK_ENTRY(mcw->mb_data.pop3.bsc.server),
                            libbalsa_server_get_host(server));
     }
-    gtk_combo_box_set_active(GTK_COMBO_BOX(mcw->mb_data.pop3.security),
+    gtk_combo_box_set_active(GTK_COMBO_BOX(mcw->mb_data.pop3.bsc.security),
                              libbalsa_server_get_security(server) - 1);
 
     if (libbalsa_server_get_username(server) != NULL) {
@@ -810,7 +730,6 @@ mailbox_conf_set_values(MailboxConfWindow *mcw)
                if (path)
                        gtk_entry_set_text(GTK_ENTRY(mcw->mb_data.imap.folderpath),
                                path);
-               balsa_server_conf_set_values(&mcw->mb_data.imap.bsc, server);
                if(libbalsa_imap_server_has_persistent_cache
                        (LIBBALSA_IMAP_SERVER(server)))
                        gtk_toggle_button_set_active
@@ -841,50 +760,56 @@ static void
 check_for_blank_fields(GtkWidget G_GNUC_UNUSED *widget, MailboxConfWindow *mcw)
 {
     gboolean sensitive;
+    BalsaServerConf *bsc = NULL;
 
     if (mcw == NULL || mcw->window == NULL)
         return;
 
     sensitive = TRUE;
 
-    if (mcw->mailbox_name &&!*gtk_entry_get_text(GTK_ENTRY(mcw->mailbox_name)))
-       sensitive = FALSE;
-    else if (g_type_is_a(mcw->mailbox_type, LIBBALSA_TYPE_MAILBOX_LOCAL) ) {
-        gchar *filename =
-            gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(mcw->window));
-       if (filename)
-           g_free(filename);
-       else
-           sensitive = FALSE;
+    if (mcw->mailbox_name &&!*gtk_entry_get_text(GTK_ENTRY(mcw->mailbox_name))) {
+       sensitive = FALSE;
+    } else if (g_type_is_a(mcw->mailbox_type, LIBBALSA_TYPE_MAILBOX_LOCAL) ) {
+       gchar *filename =
+               gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(mcw->window));
+       if (filename) {
+               g_free(filename);
+       } else {
+               sensitive = FALSE;
+       }
     } else if (g_type_is_a(mcw->mailbox_type, LIBBALSA_TYPE_MAILBOX_IMAP ) ) {
-       if (!*gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.imap.folderpath))
-            || !*gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.imap.bsc.server))
-            || !*gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.imap.username)))
-           sensitive = FALSE;
+       bsc = &mcw->mb_data.imap.bsc;
+       if (!*gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.imap.folderpath))
+               || !*gtk_entry_get_text(GTK_ENTRY(bsc->server))
+                       || !*gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.imap.username))) {
+               sensitive = FALSE;
+       }
     } else if (g_type_is_a(mcw->mailbox_type, LIBBALSA_TYPE_MAILBOX_POP3) ) {
        /* POP3: require user name and server */
+       bsc = &mcw->mb_data.pop3.bsc;
        if ((gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.pop3.username))[0] == '\0') ||
-            (gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.pop3.bsc.server))[0] == '\0')) {
+               (gtk_entry_get_text(GTK_ENTRY(bsc->server))[0] == '\0')) {
                sensitive = FALSE;
        }
        /* procmail filtering requires command */
        if (sensitive &&
                gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(mcw->mb_data.pop3.filter)) &&
-               (gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.pop3.filter_cmd))[0] == '\0')) {
+                       (gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.pop3.filter_cmd))[0] == '\0')) {
                sensitive = FALSE;
        }
-       /* encryption w/ client cert requires cert file */
-       if (sensitive &&
-               ((gtk_combo_box_get_active(GTK_COMBO_BOX(mcw->mb_data.pop3.security)) + 1) != 
NET_CLIENT_CRYPT_NONE) &&
-               gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(mcw->mb_data.pop3.bsc.need_client_cert))) {
-               gchar *cert_file;
-
-               cert_file = 
gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(mcw->mb_data.pop3.bsc.client_cert_file));
-               if ((cert_file == NULL) || (cert_file[0] == '\0')) {
-                       sensitive = FALSE;
-               }
-               g_free(cert_file);
+    }
+
+    /* encryption w/ client cert requires cert file */
+    if (sensitive && (bsc != NULL) &&
+       ((gtk_combo_box_get_active(GTK_COMBO_BOX(bsc->security)) + 1) != NET_CLIENT_CRYPT_NONE) &&
+               gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(bsc->need_client_cert))) {
+       gchar *cert_file;
+
+       cert_file = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(bsc->client_cert_file));
+       if ((cert_file == NULL) || (cert_file[0] == '\0')) {
+               sensitive = FALSE;
        }
+       g_free(cert_file);
     }
 
     gtk_dialog_set_response_sensitive(mcw->window, MCW_RESPONSE, sensitive);
@@ -923,6 +848,7 @@ update_pop_mailbox(MailboxConfWindow * mcw)
     LibBalsaServer *server;
     BalsaServerConf *bsc;
     gchar *filename;
+    NetClientCryptMode security;
 
     mailbox = LIBBALSA_MAILBOX_POP3(mcw->mailbox);
     server = LIBBALSA_MAILBOX_REMOTE_GET_SERVER(mailbox);
@@ -932,15 +858,10 @@ update_pop_mailbox(MailboxConfWindow * mcw)
     libbalsa_mailbox_set_name((LibBalsaMailbox *) mailbox,
                               gtk_entry_get_text(GTK_ENTRY
                                                  (mcw->mailbox_name)));
-    libbalsa_server_set_host(server,
-                             gtk_entry_get_text(GTK_ENTRY
-                                                (mcw->mb_data.pop3.bsc.
-                                                 server)), FALSE);
-    libbalsa_server_set_security(server,
-                                 gtk_combo_box_get_active(GTK_COMBO_BOX
-                                                          (mcw->mb_data.
-                                                           pop3.
-                                                           security)) + 1);
+
+    security = balsa_server_conf_get_security(&mcw->mb_data.pop3.bsc);
+    libbalsa_server_set_security(server, security);
+    libbalsa_server_set_host(server, gtk_entry_get_text(GTK_ENTRY(mcw->mb_data.pop3.bsc.server)), security);
 
     libbalsa_server_set_username(server,
                                  gtk_entry_get_text(GTK_ENTRY
@@ -1009,6 +930,7 @@ update_imap_mailbox(MailboxConfWindow *mcw)
     gchar *name = NULL;
     LibBalsaMailboxImap *mailbox;
     LibBalsaServer* server;
+    NetClientCryptMode security;
 
     mailbox = LIBBALSA_MAILBOX_IMAP(mcw->mailbox);
     server  = LIBBALSA_MAILBOX_REMOTE_GET_SERVER(mailbox);
@@ -1032,7 +954,8 @@ update_imap_mailbox(MailboxConfWindow *mcw)
     libbalsa_server_set_remember_passwd(server,
         gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(mcw->
                                                        mb_data.imap.remember)));
-    libbalsa_server_set_tls_mode(server, balsa_server_conf_get_tls_mode(&mcw->mb_data.imap.bsc));
+    security = balsa_server_conf_get_security(&mcw->mb_data.imap.bsc);
+    libbalsa_server_set_security(server, security);
     libbalsa_server_set_password(server,
                                 gtk_entry_get_text(GTK_ENTRY
                                                    (mcw->mb_data.imap.password)));
@@ -1049,8 +972,7 @@ update_imap_mailbox(MailboxConfWindow *mcw)
     libbalsa_server_set_host(server,
                             gtk_entry_get_text(GTK_ENTRY
                                                (mcw->mb_data.imap.bsc.server)),
-                             balsa_server_conf_get_use_ssl
-                             (&mcw->mb_data.imap.bsc));
+                                               security);
     libbalsa_server_config_changed(server);
     libbalsa_server_connect_get_password(server, G_CALLBACK(ask_password), mailbox);
 
@@ -1343,6 +1265,29 @@ create_generic_dialog(MailboxConfWindow * mcw)
     return dialog;
 }
 
+static GtkWidget *
+create_security_entry(GtkWidget *grid, gint *row, MailboxConfWindow *mcw)
+{
+    GtkWidget *label;
+    GtkWidget *security;
+
+    label = libbalsa_create_grid_label(_("Se_curity:"), grid, *row);
+    security = gtk_combo_box_text_new();
+    gtk_widget_set_hexpand(security, TRUE);
+    if (g_type_is_a(mcw->mailbox_type, LIBBALSA_TYPE_MAILBOX_POP3)) {
+       gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(security), _("POP3 over SSL (POP3S)"));
+    } else {
+       gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(security), _("IMAP over SSL (IMAPS)"));
+    }
+    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(security), _("TLS required"));
+    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(security), _("TLS if possible (not recommended)"));
+    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(security), _("None (not recommended)"));
+    gtk_grid_attach(GTK_GRID(grid), security, 1, (*row)++, 1, 1);
+    g_signal_connect(security, "changed", G_CALLBACK(security_changed), mcw);
+    gtk_label_set_mnemonic_widget(GTK_LABEL(label), security);
+    return security;
+}
+
 static GtkWidget *
 create_pop_mailbox_dialog(MailboxConfWindow *mcw)
 {
@@ -1366,17 +1311,7 @@ create_pop_mailbox_dialog(MailboxConfWindow *mcw)
        libbalsa_create_grid_entry(grid, G_CALLBACK(check_for_blank_fields), mcw, row++, "localhost", label);
 
     /* security */
-    label = libbalsa_create_grid_label(_("Se_curity:"), grid, row);
-    mcw->mb_data.pop3.security = gtk_combo_box_text_new();
-    gtk_widget_set_hexpand(mcw->mb_data.pop3.security, TRUE);
-    mcw->mb_data.pop3.security = gtk_combo_box_text_new();
-    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(mcw->mb_data.pop3.security), _("POP3 over SSL 
(POP3S)"));
-    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(mcw->mb_data.pop3.security), _("TLS required"));
-    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(mcw->mb_data.pop3.security), _("TLS if possible (not 
recommended)"));
-    gtk_combo_box_text_append_text(GTK_COMBO_BOX_TEXT(mcw->mb_data.pop3.security), _("None (not 
recommended)"));
-    gtk_grid_attach(GTK_GRID(grid), mcw->mb_data.pop3.security, 1, row++, 1, 1);
-    g_signal_connect(mcw->mb_data.pop3.security, "changed", G_CALLBACK(security_changed), mcw);
-    gtk_label_set_mnemonic_widget(GTK_LABEL(label), mcw->mb_data.pop3.security);
+    mcw->mb_data.pop3.bsc.security = create_security_entry(grid, &row, mcw);
 
     /* username  */
     label= libbalsa_create_grid_label(_("Use_r name:"), grid, row);
@@ -1404,7 +1339,7 @@ create_pop_mailbox_dialog(MailboxConfWindow *mcw)
     mcw->mb_data.pop3.filter_cmd =
        libbalsa_create_grid_entry(grid, G_CALLBACK(check_for_blank_fields), mcw, row++, "procmail -f -", 
label);
 
-    advanced = balsa_server_conf_get_advanced_widget_new(&mcw->mb_data.pop3.bsc);
+    advanced = balsa_server_conf_get_advanced_widget(&mcw->mb_data.pop3.bsc);
     gtk_notebook_append_page(GTK_NOTEBOOK(notebook), advanced, gtk_label_new_with_mnemonic(_("_Advanced")));
        g_signal_connect(mcw->mb_data.pop3.bsc.need_client_cert, "toggled", G_CALLBACK(client_cert_changed), 
mcw);
        g_signal_connect(mcw->mb_data.pop3.bsc.client_cert_file, "file-set", 
G_CALLBACK(check_for_blank_fields), mcw);
@@ -1476,8 +1411,10 @@ create_imap_mailbox_dialog(MailboxConfWindow *mcw)
     label = libbalsa_create_grid_label(_("_Server:"), grid, ++row);
     mcw->mb_data.imap.bsc.server =
        libbalsa_create_grid_entry(grid, G_CALLBACK(check_for_blank_fields),
-                                   mcw, row, "localhost", label);
-    mcw->mb_data.imap.bsc.default_ports = IMAP_DEFAULT_PORTS;
+                                   mcw, row++, "localhost", label);
+
+    /* security */
+    mcw->mb_data.imap.bsc.security = create_security_entry(grid, &row, mcw);
 
     /* username  */
     label = libbalsa_create_grid_label(_("_Username:"), grid, ++row);
@@ -1520,8 +1457,7 @@ create_imap_mailbox_dialog(MailboxConfWindow *mcw)
     gtk_grid_attach(GTK_GRID(grid), entry, 1, row, 1, 1);
 
     advanced =
-        balsa_server_conf_get_advanced_widget(&mcw->mb_data.imap.bsc,
-                                              NULL, 1);
+        balsa_server_conf_get_advanced_widget(&mcw->mb_data.imap.bsc);
     mcw->mb_data.imap.enable_persistent = 
         balsa_server_conf_add_checkbox(&mcw->mb_data.imap.bsc,
                                        _("Enable _persistent cache"));
diff --git a/src/mailbox-conf.h b/src/mailbox-conf.h
index 8a32d1f6..a548c4b6 100644
--- a/src/mailbox-conf.h
+++ b/src/mailbox-conf.h
@@ -48,22 +48,17 @@ void mailbox_conf_view_check(BalsaMailboxConfView * mcc,
 
 
 typedef struct {
-    GtkWidget *use_ssl;
-    GtkWidget *tls_mode;
+    GtkWidget *security;
     GtkGrid   *grid;       /* internal */
-    GtkWidget *tls_option; /* internal */
     GtkWidget *server;     /* internal */
     GtkWidget *need_client_cert;
     GtkWidget *client_cert_file;
     GtkWidget *client_cert_passwd;
-    const gchar *default_ports;
     unsigned   used_rows;  /* internal */
 } BalsaServerConf;
-#define IMAP_DEFAULT_PORTS "143 993 imap imaps"
 
-GtkWidget* balsa_server_conf_get_advanced_widget(BalsaServerConf *bsc,
-                                                 LibBalsaServer *s,
-                                                 int extra_rows);
+
+GtkWidget*      balsa_server_conf_get_advanced_widget(BalsaServerConf *bsc);
 GtkWidget*      balsa_server_conf_add_checkbox(BalsaServerConf *bsc,
                                                const char *label);
 GtkWidget*      balsa_server_conf_add_spinner(BalsaServerConf *bsc,
@@ -72,7 +67,6 @@ GtkWidget*      balsa_server_conf_add_spinner(BalsaServerConf *bsc,
                                               gint initial_value);
 void            balsa_server_conf_set_values(BalsaServerConf *bsc,
                                              LibBalsaServer *server);
-gboolean        balsa_server_conf_get_use_ssl(BalsaServerConf *bsc);
-LibBalsaTlsMode balsa_server_conf_get_tls_mode(BalsaServerConf *bsc);
+NetClientCryptMode balsa_server_conf_get_security(BalsaServerConf *bsc);
 
 #endif                         /* __MAILBOX_CONF_H__ */
diff --git a/src/mailbox-node.c b/src/mailbox-node.c
index d0bd3477..65e8ad8c 100644
--- a/src/mailbox-node.c
+++ b/src/mailbox-node.c
@@ -634,11 +634,9 @@ balsa_mailbox_node_new_from_config(const gchar *group)
 
     folder->server = LIBBALSA_SERVER(libbalsa_imap_server_new_from_config());
 
-    if (balsa_app.debug) {
-        printf("Server loaded, host: %s, %s.\n",
-               libbalsa_server_get_host(folder->server),
-               libbalsa_server_get_use_ssl(folder->server) ? "SSL" : "no SSL");
-    }
+    g_debug("Server loaded, host: %s, security %d.",
+            libbalsa_server_get_host(folder->server),
+            libbalsa_server_get_security(folder->server));
     g_signal_connect_swapped(G_OBJECT(folder->server), "config-changed",
                              G_CALLBACK(config_folder_update), folder);
     g_signal_connect(G_OBJECT(folder), "show-prop-dialog",
diff --git a/src/main.c b/src/main.c
index c7eb3e9e..e75c3aaa 100644
--- a/src/main.c
+++ b/src/main.c
@@ -619,8 +619,6 @@ parse_options(int                       argc,
         {"get-stats", 's', 0, G_OPTION_ARG_NONE,
          &(cmd_get_stats),
          N_("Prints number unread and unsent messages"), NULL},
-        {"debug-imap", 'D', 0, G_OPTION_ARG_NONE, &ImapDebug,
-         N_("Debug IMAP connection"), NULL},
         {"help", 'h', 0, G_OPTION_ARG_NONE, &help, N_("Show help options"), NULL},
         {"version", 'v', 0, G_OPTION_ARG_NONE, &version, N_("Show version"), NULL},
         /* last but not least a special option that collects filenames */
diff --git a/src/save-restore.c b/src/save-restore.c
index 35354590..4d348d01 100644
--- a/src/save-restore.c
+++ b/src/save-restore.c
@@ -956,9 +956,6 @@ config_global_load(void)
            g_free(passphrase_rot);
         }
 
-        /* default set to "Use TLS if possible" */
-        libbalsa_server_set_tls_mode(server, libbalsa_conf_get_int("ESMTPTLSMode=1"));
-
        passphrase =
            libbalsa_conf_private_get_string("ESMTPCertificatePassphrase");
        if (passphrase) {


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]