Authentication over SSL
Julien ÉLIE
julien at trigofacile.com
Sun Sep 7 11:21:12 UTC 2008
Hi,
RFC 4643:
The AUTHINFO PASS command permits the client to use a clear-text
password to authenticate. A compliant implementation MUST NOT
implement this command without also implementing support for TLS
[NNTP-TLS]. Use of this command without an active strong encryption
layer is deprecated, as it exposes the user's password to all parties
on the network between the client and the server. Any implementation
of this command SHOULD be configurable to disable it whenever a
strong encryption layer (such as that provided by [NNTP-TLS]) is not
active, and this configuration SHOULD be the default. The server
will use the 483 response code to indicate that the datastream is
insufficiently secure for the command being attempted (see Section
3.2.1 of [NNTP]).
We already have require_ssl: in readers.conf for an SSL connection.
I suggest the following changes:
* the require_ssl: parameter should also match an encrypted connection after
STARTTLS, and not only an initial encrypted connection;
* add require_ssl_authinfo: for the use described before.
Does the name of the new parameter sound right?
Should we set its default value to *** TRUE ***?
--
Julien ÉLIE
« Horizontal lines meet in every circle; parallel lines never do. » (Alphonse Allais)
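An added illustration, not INN code and not part of the message above: a toy server-side NNTP session model showing the behaviour the proposal asks for. AUTHINFO USER/PASS are refused with 483 unless an encryption layer is active, whether it was there from the start of the connection or was negotiated with STARTTLS, and AUTHINFO USER is only advertised in CAPABILITIES when it can currently be used (RFC 4643). The option name `require_ssl_authinfo` is the hypothetical parameter from the proposal, the credential store is constructed for the example, and the TLS handshake itself is assumed to succeed rather than performed.

```python
# Added example (not INN's code): a minimal NNTP session state machine that
# enforces "AUTHINFO only over an encryption layer", as RFC 4643 requires
# and as the proposed readers.conf option require_ssl_authinfo would do.
from dataclasses import dataclass
from typing import Optional

# Constructed credential store for the example only.
USERS = {"alice": "s3cret"}


@dataclass
class Session:
    require_ssl_authinfo: bool = True    # hypothetical readers.conf option
    tls_active: bool = False             # True for initial TLS or after STARTTLS
    authenticated: bool = False
    pending_user: Optional[str] = None

    def capabilities(self) -> list:
        """Capability list as the server would advertise it right now."""
        caps = ["VERSION 2", "READER"]
        if not self.tls_active:
            caps.append("STARTTLS")
        # RFC 4643: only advertise AUTHINFO USER when the client may use it.
        if not self.authenticated and (self.tls_active or not self.require_ssl_authinfo):
            caps.append("AUTHINFO USER")
        return caps

    def handle(self, line: str) -> str:
        """Process one client command line and return the response line(s)."""
        verb, _, rest = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "CAPABILITIES":
            return "101 Capability list:\r\n" + "\r\n".join(self.capabilities()) + "\r\n."
        if verb == "STARTTLS":
            if self.tls_active:
                return "502 TLS already active"          # RFC 4642: not twice
            self.tls_active = True                        # handshake assumed to succeed
            return "382 Continue with TLS negotiation"
        if verb == "AUTHINFO":
            return self._authinfo(rest)
        return "500 Unknown command"

    def _authinfo(self, rest: str) -> str:
        sub, _, arg = rest.partition(" ")
        sub = sub.upper()
        if sub not in ("USER", "PASS"):
            return "501 Unknown AUTHINFO subcommand"
        if self.authenticated:
            return "502 Already authenticated"
        # The policy check: both the USER and the PASS step are refused with
        # 483 unless an encryption layer is active, however it was started.
        if self.require_ssl_authinfo and not self.tls_active:
            return "483 Encryption or stronger authentication required"
        if sub == "USER":
            self.pending_user = arg
            return "381 Password required"
        if self.pending_user is None:
            return "482 Authentication commands issued out of sequence"
        ok = USERS.get(self.pending_user) == arg
        self.pending_user = None
        if ok:
            self.authenticated = True
            return "281 Authentication accepted"
        return "481 Authentication failed"


if __name__ == "__main__":
    s = Session()
    for cmd in ("CAPABILITIES", "AUTHINFO USER alice", "STARTTLS",
                "CAPABILITIES", "AUTHINFO USER alice", "AUTHINFO PASS s3cret"):
        print("C:", cmd)
        print("S:", s.handle(cmd))
```

Note that a client-side check of the same policy is simpler: never send AUTHINFO PASS unless the socket is already wrapped in TLS, and treat any 483 as "negotiate STARTTLS first", never as "retry in the clear".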