Authentication over SSL

Julien ÉLIE julien at trigofacile.com
Mon Sep 22 19:59:03 UTC 2008


Hi Russ,

>> The main problem is that we then need to force a re-authentication after
>> a successful TLS negotiation (because we need to change the current auth
>> block).  I do not know if it is wise to do that.
>
> We have to discard any authentication after STARTTLS anyway.  All state
> must be reset after STARTTLS and no information from the connection prior
> to STARTTLS can be trusted other than MODE READER.  (It may have been the
> result of a man-in-the-middle attack.)

Does it mean that auth groups cannot be trusted either?
Or only the NNTP protocol (commands sent)?

With:

auth users {
...
require_ssl: false
}

auth users2 {
...
require_ssl: true
}

should the connection directly go to users2 right after STARTTLS?
(if of course it matches the user)

-- 
Julien ÉLIE

« Medicus dedit qui temporis morbo curam,
  Is plus remedii quam cutis sector dedit. » 
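The state reset discussed in this message, modelled as an added example that is not part of the original e-mail and is not INN code. Assumptions: the `Session` and `AuthBlock` classes are hypothetical, the "last usable block wins" selection rule is an assumption of this sketch, and the two blocks are constructed to mirror `users` and `users2` above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AuthBlock:
    name: str
    require_ssl: bool


# Constructed sample mirroring the two auth blocks quoted in the message.
BLOCKS = [AuthBlock("users", False), AuthBlock("users2", True)]


def select_block(blocks: List[AuthBlock], tls_active: bool) -> Optional[AuthBlock]:
    """Pick the last block usable on this connection (assumed selection rule)."""
    chosen = None
    for block in blocks:
        if block.require_ssl and not tls_active:
            continue  # a TLS-only block never applies to a cleartext connection
        chosen = block
    return chosen


class Session:
    """Hypothetical model of one NNTP connection's security-relevant state."""

    def __init__(self, blocks: List[AuthBlock]):
        self.blocks = blocks
        self.tls_active = False
        self.mode_reader = False
        self.user: Optional[str] = None
        self.block = select_block(blocks, tls_active=False)

    def authinfo(self, user: str) -> None:
        self.user = user  # credential check omitted in this model

    def starttls(self) -> str:
        if self.tls_active:
            return "502"  # TLS layer already active
        self.tls_active = True
        # Everything learned in cleartext may have been injected by a
        # man-in-the-middle: drop the identity and re-select the block.
        # Only MODE READER survives, as stated in the quoted reply.
        self.user = None
        self.block = select_block(self.blocks, tls_active=True)
        return "382"
```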



More information about the inn-workers mailing list