Authentication over SSL

Russ Allbery rra at stanford.edu
Tue Sep 23 17:28:08 UTC 2008


Julien ÉLIE <julien at trigofacile.com> writes:

>> We have to discard any authentication after STARTTLS anyway.  All state
>> must be reset after STARTTLS and no information from the connection
>> prior to STARTTLS can be trusted other than MODE READER.  (It may have
>> been the result of a man-in-the-middle attack.)
>
> Does it mean that auth groups can not be trusted either?
> Or only the NNTP protocol (commands sent)?
>
> With:
>
> auth users {
> ...
> require_ssl: false
> }
>
> auth users2 {
> ...
> require_ssl: true
> }
>
> should the connection directly go to users2 right after STARTTLS?
> (if of course it matches the user)

We're required to discard any authentication information that's derived
from previous commands sent in the session.  We're allowed to keep
authentication information derived from the network connection itself (IP
address, for example).

Since STARTTLS isn't allowed after AUTHINFO, I think we're okay; after a
successful STARTTLS, any user information that we have we know must have
been derived only from the connection properties, since we know the user
didn't send AUTHINFO.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
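The rule described above (discard command-derived state at STARTTLS, keep connection-derived state and MODE READER, refuse STARTTLS after AUTHINFO), as an added Python example that is not code from this thread or from INN. The auth groups, the `hosts` field, the peer addresses and the "last matching group wins" selection are constructed assumptions for the example, not a description of INN's readers.conf matching; response codes follow RFC 3977/4642/4643.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed auth groups modelled on the readers.conf fragment in the thread.
# "hosts" is a constructed field; the last matching group wins (an assumption
# of this example, not a statement about INN's matching rules).
AUTH_GROUPS = [
    {"name": "users",  "hosts": "192.0.2.0/24", "require_ssl": False},
    {"name": "users2", "hosts": "192.0.2.0/24", "require_ssl": True},
]

@dataclass
class Session:
    peer_ip: str                        # connection property: survives STARTTLS
    tls: bool = False
    mode_reader: bool = False           # the one command result allowed to survive
    authinfo_sent: bool = False         # command-derived state
    user: Optional[str] = None          # identity from AUTHINFO (command-derived)
    newsgroup: Optional[str] = None     # GROUP selection (command-derived)

    def connection_group(self) -> Optional[str]:
        """Auth group derived only from connection properties (IP, TLS)."""
        chosen = None
        for g in AUTH_GROUPS:
            in_hosts = ip_address(self.peer_ip) in ip_network(g["hosts"])
            if in_hosts and (self.tls or not g["require_ssl"]):
                chosen = g["name"]          # last match wins (assumption)
        return chosen

    def mode_reader_cmd(self) -> str:
        self.mode_reader = True
        return "200 Reader mode, posting permitted"

    def group(self, name: str) -> str:
        self.newsgroup = name
        return "211 Group selected"

    def authinfo(self, user: str) -> str:
        self.authinfo_sent = True
        self.user = user
        return "281 Authentication accepted"

    def starttls(self) -> str:
        # STARTTLS is not permitted once AUTHINFO has been used.
        if self.authinfo_sent:
            return "502 STARTTLS not permitted after AUTHINFO"
        # Everything learned from commands before STARTTLS is discarded (it may
        # have passed through a man-in-the-middle); the peer address and MODE
        # READER are kept, and the auth group is re-derived from the connection.
        self.user = None
        self.newsgroup = None
        self.tls = True
        return "382 Continue with TLS negotiation"
```

After `starttls()` succeeds, `connection_group()` now satisfies the `require_ssl: true` group, so a plaintext session that matched `users` moves to `users2` without any AUTHINFO having been trusted.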
