Authentication over SSL

Russ Allbery rra at stanford.edu
Tue Sep 9 01:30:45 UTC 2008


Julien ÉLIE <julien at trigofacile.com> writes:

> The problem is that require_ssl: is seen *before* an auth block is
> assigned so the behaviour of the current connection (that is to say
> whether AUTHINFO USER is available) cannot be changed by it.  If a
> client is in such an auth block, then necessarily he is using SSL.
>
> auth "users" {
>    hosts: "*"
>    require_ssl: true
> }
>
> access "users" {
>    users: "<all>"
>    read: "*"
> }
>
> % telnet localhost 119
> 502 You have no permission to talk.  Goodbye!
> Connection closed by foreign host.
>
> No auth was assigned!  While I only wanted here not to be able to use
> AUTHINFO USER if SSL was not used.

Oh, sorry, I wasn't clear.  I was assuming the modification to require_ssl
to support STARTTLS was done as well.

The idea that I had in mind was that when the user connected:

* Scan all auth blocks as we do now.
* If any auth block doesn't have require_ssl and has an auth parameter,
  advertise AUTHINFO USER.
* Otherwise, if there are auth blocks with require_ssl, don't advertise
  AUTHINFO but advertise STARTTLS.
* After STARTTLS, scan the auth blocks again and if there is an auth block
  with an auth parameter, advertise AUTHINFO USER.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
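As an added illustration of the four steps Russ lists above (example code written for this page, not INN's own implementation): a small Python model that parses readers.conf-style auth blocks and decides what to advertise before and after STARTTLS. The config fragment, the `auth:` program strings and the function names are constructed for the example.

```python
import re

# Constructed readers.conf-style fragment (not a real site config): one
# auth block that only permits authentication over TLS, one that does not.
SAMPLE_CONFIG = '''
auth "users" {
    hosts: "*"
    require_ssl: true
    auth: "ckpasswd -f /etc/news/passwd"
}
auth "legacy" {
    hosts: "*"
    auth: "ckpasswd -f /etc/news/legacy"
}
'''

def parse_auth_blocks(text):
    """Return a list of {name, require_ssl, auth} dicts from auth blocks."""
    blocks = []
    for name, body in re.findall(r'auth\s+"([^"]+)"\s*\{([^}]*)\}', text):
        params = {}
        for line in body.splitlines():
            if ":" not in line:
                continue
            key, value = (s.strip() for s in line.split(":", 1))
            value = value.strip('"')
            params[key] = {"true": True, "false": False}.get(value, value)
        blocks.append({"name": name,
                       "require_ssl": bool(params.get("require_ssl", False)),
                       "auth": params.get("auth")})
    return blocks

def capabilities(blocks, tls_active):
    """Capabilities to advertise on a connection, following the four steps:
    plaintext-capable auth block -> AUTHINFO USER; otherwise any block with
    require_ssl -> STARTTLS only; after STARTTLS, rescan and advertise
    AUTHINFO USER if any block has an auth parameter."""
    any_auth = any(b["auth"] for b in blocks)
    plaintext_auth = any(b["auth"] and not b["require_ssl"] for b in blocks)
    wants_tls = any(b["require_ssl"] for b in blocks)
    if tls_active:
        return {"AUTHINFO USER"} if any_auth else set()
    if plaintext_auth:
        return {"AUTHINFO USER"}
    if wants_tls:
        return {"STARTTLS"}
    return set()
```

Dropping the "legacy" block from the sample config is what turns the pre-STARTTLS answer from `AUTHINFO USER` into `STARTTLS`, which is the behaviour Julien was after.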
