Authentication over SSL

Julien ÉLIE julien at trigofacile.com
Mon Sep 8 16:46:56 UTC 2008


Hi Russ,

>> * the require_ssl: parameter should also match an encrypted connection
>>   after STARTTLS, and not only an initial encrypted connection;
>
> Yup, that sounds like a good fix.

Ok, I will do that.


>> * add require_ssl_authinfo: for the use described before.
>
> I'm not completely sure on why we'd need another parameter.  Couldn't you
> achieve the same ends by setting all relevant authenticator blocks
> require_ssl?

We would then have to change the meaning of require_ssl.  This parameter
currently tells whether an auth block can be used (it can match a client
if he uses an encrypted connection).
Here, we want a parameter to tell whether AUTHINFO USER is allowed on
an unencrypted connection, so the auth block will never match if the client
is not using SSL.  Thus, we will never know if he can use AUTHINFO USER.


>> Does the name of the new parameter sound right?
>> Should we put its default value to *** TRUE ***?
>
> We probably shouldn't comply with that SHOULD until more clients implement
> SASL.

All right, then I will not be adding another parameter for that.

-- 
Julien ÉLIE

"But, German as you are, an Englishman in your place
  would have got himself killed for us, and I would have given
  him my daughter's hand." (Edmond About)
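
An added illustration of the readers.conf arrangement the exchange above is about; it is not part of the original message and not taken from INN's own documentation. A password-checking auth block is marked require_ssl so that it can only match an encrypted connection, and a separate block with no auth: program is the only one an unencrypted client can match, so no password is ever accepted in the clear. The block names, host patterns, identity strings, password file path and group hierarchy are assumptions. As the message states, require_ssl at this point matches only a connection that was encrypted from the start; matching an encrypted connection after STARTTLS is the fix Julien says he will make.

```conf
# Constructed example readers.conf fragment (assumed names and paths).

# This block has no "auth:" program, so it never runs a password checker.
# An unencrypted client (plain port 119, no STARTTLS) can match this block
# but not the one below, so it ends up with the unauthenticated identity.
auth "unencrypted-readers" {
    hosts: "*"
    default: "<unauthed>"
}

# require_ssl keeps this block from matching a plaintext session, so the
# username and password given with AUTHINFO USER/PASS only ever reach
# ckpasswd over an encrypted connection.
auth "ssl-readers" {
    hosts: "*"
    require_ssl: true
    auth: "ckpasswd -f /etc/news/nntp.passwd"    # assumed path
    default: "<unauthed>"
}

# Read-only access to a local hierarchy for anyone not authenticated.
access "anonymous" {
    users: "<unauthed>"
    read: "local.*"      # assumed hierarchy
    post: "!*"
}

# Full read and post access for users who authenticated over SSL.
access "authenticated" {
    users: "*"
    newsgroups: "*"
}
```

Before relying on a layout like this, check readers.conf(5) for the INN version in use for how nnrpd resolves several matching auth blocks, and confirm with a plaintext test client that AUTHINFO USER is refused rather than checked against the password file.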
