Authentication over SSL

Todd Olson tco2 at cornell.edu
Tue Sep 9 18:27:27 UTC 2008


At 10:17 -0700 2008-09-09, Russ Allbery wrote:
>Julien ÉLIE <julien at trigofacile.com> writes:
>> In such cases, when there is no auth parameter, should AUTHINFO
>> USER/PASS/SASL commands return 502?  Or do we let the user try to
>> authenticate (and it will fail at the end)?
>
>You definitely want AUTHINFO USER to fail if you don't want the user to
>authenticate, since that prevents sending the password over an unencrypted
>connection.  502 is the correct error code.

I would like a way to provide a custom error message back to the client.
This would permit me to offer clients to have read-only access to news
over a non-SSL connection, but when they try to post I could tell
them to look at a web page that will explain how to enable SSL
in their client.

Regards,
Todd Olson
Cornell University
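
The behaviour discussed in this message, sketched as an added example that is not part of the original post and not INN's code: AUTHINFO is refused with 502 on a plaintext connection before any password is sent, and the free-form text after the response code carries the pointer to a help page. The class name, help URL and credentials are assumptions; the response codes are those defined in RFC 3977 and RFC 4643.

```python
import hmac

HELP_URL = "https://news.example.org/ssl-setup"   # placeholder, not from the thread
USERS = {"reader1": "correct horse"}              # constructed sample credentials

class NNTPSession:
    """Hypothetical per-connection policy: plaintext clients are read-only."""

    def __init__(self, tls_active):
        self.tls_active = tls_active
        self.pending_user = None
        self.authenticated = False

    def handle(self, line):
        words = line.strip().split()
        if not words:
            return "500 Unknown command"
        cmd = words[0].upper()
        if cmd == "AUTHINFO" and len(words) >= 2:
            return self._authinfo(words[1].upper(), " ".join(words[2:]))
        if cmd == "POST":
            return self._post()
        return "500 Unknown command"

    def _authinfo(self, sub, arg):
        # Refuse every AUTHINFO variant up front on plaintext, so a
        # well-behaved client stops before it sends AUTHINFO PASS.
        if not self.tls_active:
            return f"502 Authentication requires SSL; see {HELP_URL}"
        if self.authenticated:
            return "502 Already authenticated"
        if sub == "USER" and arg:
            self.pending_user = arg
            return "381 Enter password"
        if sub == "PASS":
            if self.pending_user is None:
                return "482 Authentication commands issued out of sequence"
            user, self.pending_user = self.pending_user, None
            ok = hmac.compare_digest(USERS.get(user, "").encode(), arg.encode())
            self.authenticated = ok and user in USERS
            return "281 Authentication accepted" if self.authenticated else "481 Authentication failed"
        if sub == "SASL":
            return "503 Mechanism not supported"
        return "501 Syntax error"

    def _post(self):
        if self.authenticated:
            return "340 Send article"
        if self.tls_active:
            return "480 Authentication required"
        return f"440 Posting not permitted; enable SSL, see {HELP_URL}"
```

Clients act on the three-digit code; whether the trailing text is shown to the user depends on the newsreader.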

