Improving require_ssl

Julien ÉLIE julien at trigofacile.com
Tue Oct 13 19:54:56 UTC 2015


Hi all,

In INN 2.6.0, the require_ssl parameter in readers.conf applies to:
- users whose connection is encrypted from the beginning (nnrpd runs 
with the -S flag);
- users who authenticate with AUTHINFO USER/SASL after the use of STARTTLS.

The require_ssl parameter is available only when INN is built with TLS 
support.



Here is a suggestion for improvement.

In INN 2.6.1, the require_ssl parameter in readers.conf will apply to:
- users whose connection is encrypted from the beginning (nnrpd runs 
with the -S flag);
- users who have used STARTTLS (without necessarily authenticating 
themselves afterwards, contrary to INN 2.6.0);
- users who authenticate with AUTHINFO SASL and negotiate an encrypted 
layer at the same time (a few SASL mechanisms permit that).

The require_ssl parameter will be available when INN is built with 
either TLS support or SASL support.



Does it sound good to you?  Other use cases to add?


I also wonder whether we should not rename require_ssl to another name 
(like require_encryption).  Any suggestions?  Or is require_ssl generic 
enough?
We could do such a change through innupgrade either for INN 2.6.1 or 2.7.0.

-- 
Julien ÉLIE

"Women will be the equals of men the day they
   accept being bald and find that it looks distinguished."
   (Coluche)
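
The two rule sets described in the message above, modelled side by side to show which connection states change outcome. This is an added example, not part of the original message and not INN code; the `Conn` fields and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Conn:
    """Hypothetical summary of one nnrpd session (not an INN structure)."""
    initial_tls: bool = False   # nnrpd was started with -S
    starttls: bool = False      # client completed STARTTLS
    auth: str = "none"          # "none", "user" (AUTHINFO USER) or "sasl"
    sasl_layer: bool = False    # SASL mechanism negotiated an encrypted layer

def satisfies_260(c):
    # INN 2.6.0: TLS from the start, or STARTTLS followed by authentication.
    return c.initial_tls or (c.starttls and c.auth in ("user", "sasl"))

def satisfies_261(c):
    # Proposed 2.6.1: TLS from the start, STARTTLS alone, or a SASL
    # exchange that negotiated an encrypted layer.
    return c.initial_tls or c.starttls or (c.auth == "sasl" and c.sasl_layer)

def available(version, tls, sasl):
    # Build options under which require_ssl exists at all.
    return tls if version == "2.6.0" else (tls or sasl)

def changed_states():
    """Sessions without -S whose require_ssl outcome differs between versions."""
    out = []
    for starttls, auth, layer in product((False, True),
                                         ("none", "user", "sasl"),
                                         (False, True)):
        if layer and auth != "sasl":
            continue  # an encrypted SASL layer only exists after AUTHINFO SASL
        c = Conn(starttls=starttls, auth=auth, sasl_layer=layer)
        if satisfies_260(c) != satisfies_261(c):
            out.append(c)
    return out

if __name__ == "__main__":
    for c in changed_states():
        print(c, "2.6.0:", satisfies_260(c), "proposed 2.6.1:", satisfies_261(c))
```

Both states that differ go from not matching to matching, so the proposal only widens what counts as an encrypted session; nothing that satisfied require_ssl in 2.6.0 stops doing so.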

