Authentication over SSL
Julien ÉLIE
julien at trigofacile.com
Mon Sep 22 19:59:03 UTC 2008
Hi Russ,
>> The main problem is that we then need to force a re-authentication after
>> a successful TLS negotiation (because we need to change the current auth
>> block). I do not know if it is wise to do that.
>
> We have to discard any authentication after STARTTLS anyway. All state
> must be reset after STARTTLS and no information from the connection prior
> to STARTTLS can be trusted other than MODE READER. (It may have been the
> result of a man-in-the-middle attack.)

Does it mean that auth groups cannot be trusted either?
Or only the NNTP protocol (commands sent)?

With:

    auth users {
        ...
        require_ssl: false
    }

    auth users2 {
        ...
        require_ssl: true
    }

should the connection directly go to users2 right after STARTTLS?
(if of course it matches the user)

--
Julien ÉLIE
« Medicus dedit qui temporis morbo curam,
Is plus remedii quam cutis sector dedit. »
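
The state reset quoted above, as an added example that is not part of the original message or of INN's code: a simplified Python model in which STARTTLS keeps only MODE READER and any earlier authentication is dropped. The `Session` class, the function names and the eligibility rule are assumptions of this sketch; it lists which blocks become eligible after the handshake but does not decide which one the server should pick.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two auth blocks quoted in the message.
AUTH_BLOCKS = {"users": {"require_ssl": False}, "users2": {"require_ssl": True}}


@dataclass
class Session:
    tls: bool = False
    mode_reader: bool = False
    user: Optional[str] = None        # set by a successful authentication
    auth_block: Optional[str] = None  # block the connection currently runs under
    newsgroup: Optional[str] = None   # currently selected group


def eligible_blocks(session):
    """Blocks whose require_ssl setting the current transport satisfies."""
    return [name for name, block in AUTH_BLOCKS.items()
            if session.tls or not block["require_ssl"]]


def authenticate(session, user, block):
    """Bind a user to a block, refusing blocks that need TLS on a clear channel."""
    if block not in eligible_blocks(session):
        raise PermissionError(f"{block} requires TLS")
    session.user, session.auth_block = user, block


def starttls(session):
    """Return the post-handshake session: only MODE READER survives."""
    if session.tls:
        raise RuntimeError("TLS already active")
    # Anything learned over the cleartext channel could have been injected by
    # a man-in-the-middle, so build fresh state instead of copying the old one.
    return Session(tls=True, mode_reader=session.mode_reader)


if __name__ == "__main__":
    s = Session(mode_reader=True, newsgroup="example.test")
    authenticate(s, "alice", "users")   # cleartext authentication
    s = starttls(s)                     # user, block and group are gone
    print(s, eligible_blocks(s))
```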

More information about the inn-workers mailing list