Authentication over SSL
Julien ÉLIE
julien at trigofacile.com
Tue Sep 9 06:08:55 UTC 2008

Hi Russ,

> The idea that I had in mind was that when the user connected:
>
> * Scan all auth blocks as we do now.
> * If any auth block doesn't have require_ssl and has an auth parameter,
> advertise AUTHINFO USER.
> * Otherwise, if there are auth blocks with require_ssl, don't advertise
> AUTHINFO but advertise STARTTLS.
> * After STARTTLS, scan the auth blocks again and if there is an auth block
> with an auth parameter, advertise AUTHINFO USER.

All right! That sounds very good.

Is it the same for AUTHINFO SASL? If there are no auth parameters, it should not
be advertised. In such cases, when there is no auth parameter, should
AUTHINFO USER/PASS/SASL commands return 502? Or do we let the user try
to authenticate (and it will fail at the end)?
And if there is require_ssl and an auth parameter in the same auth block,
I think AUTHINFO SASL should be advertised but SASL PLAIN and SASL EXTERNAL
should not. Is that right? Are there other mechanisms not to advertise?
--
Julien ÉLIE
« We have mergitur, old chap, and I do not know
when we are going to fluctuat again! » (Roman banker)
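
The advertisement rules quoted at the top of this message, written out as an added example (not code from INN or from either correspondent). The `auth_block` struct, the flag names and `advertised_caps()` are hypothetical, and the array is assumed to hold the auth blocks already scanned for the connecting client.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one auth block; not INN's own data structure. */
struct auth_block {
    bool require_ssl;   /* block applies only to TLS-protected connections */
    bool has_auth;      /* block carries an auth parameter */
};

enum { ADV_AUTHINFO_USER = 1, ADV_STARTTLS = 2 };

/* Return the capability flags to advertise, following the quoted rules.
 * The rules do not say whether STARTTLS is also listed when AUTHINFO USER
 * is advertised in the clear, so this sketch leaves it unset in that case. */
int advertised_caps(const struct auth_block *blocks, size_t n, bool tls_active)
{
    bool clear_auth = false;  /* auth parameter usable without TLS */
    bool any_auth = false;    /* auth parameter in any block */
    bool any_ssl = false;     /* at least one block has require_ssl */

    for (size_t i = 0; i < n; i++) {
        if (blocks[i].has_auth) {
            any_auth = true;
            if (!blocks[i].require_ssl)
                clear_auth = true;
        }
        if (blocks[i].require_ssl)
            any_ssl = true;
    }

    if (tls_active)                 /* second scan, after STARTTLS */
        return any_auth ? ADV_AUTHINFO_USER : 0;
    if (clear_auth)                 /* some block accepts auth without TLS */
        return ADV_AUTHINFO_USER;
    if (any_ssl)                    /* auth is reachable only through TLS */
        return ADV_STARTTLS;
    return 0;
}

int main(void)
{
    /* Constructed sample: a single block with require_ssl and auth. */
    struct auth_block tls_only[] = { { true, true } };
    printf("before TLS: %d\n", advertised_caps(tls_only, 1, false));
    printf("after TLS:  %d\n", advertised_caps(tls_only, 1, true));
    return 0;
}
```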