Improving require_ssl
Julien ÉLIE
julien at trigofacile.com
Tue Oct 13 19:54:56 UTC 2015
Hi all,

In INN 2.6.0, the require_ssl parameter in readers.conf applies to:

- users whose connection is encrypted from the beginning (nnrpd runs
  with the -S flag);
- users who authenticate with AUTHINFO USER/SASL after the use of STARTTLS.

The require_ssl parameter is available only when INN is built with TLS
support.

Here is a suggestion for improvement.

In INN 2.6.1, the require_ssl parameter in readers.conf will apply to:

- users whose connection is encrypted from the beginning (nnrpd runs
  with the -S flag);
- users who have used STARTTLS (without necessarily authenticating
  themselves afterwards, contrary to INN 2.6.0);
- users who authenticate with AUTHINFO SASL and negotiate an encrypted
  layer at the same time (a few SASL mechanisms permit that).

The require_ssl parameter will be available when INN is built with
either TLS support or SASL support.

Does it sound good to you? Other use cases to add?

I also wonder whether we should not rename require_ssl to another name
(like require_encryption). Any suggestion? Or is require_ssl generic
enough?

We could do such a change through innupgrade either for INN 2.6.1 or 2.7.0.

--
Julien ÉLIE
"Women will be the equals of men the day they
accept being bald and find that it looks distinguished."
(Coluche)
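
The two matching rules described in the message above, modelled side by side as an added example (not part of the original post and not nnrpd's code). The struct, its field names and the function names are assumptions made for illustration; the program lists the session states whose result changes between the 2.6.0 rule and the proposed 2.6.1 rule.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a reader session; field names are assumptions,
 * not nnrpd's own variables. */
struct session {
    bool tls_from_start;        /* nnrpd was started with the -S flag */
    bool starttls_done;         /* client completed STARTTLS */
    bool authed_after_starttls; /* AUTHINFO USER/SASL succeeded after STARTTLS */
    bool sasl_encrypted_layer;  /* AUTHINFO SASL negotiated an encrypted layer */
};

/* Rule described for INN 2.6.0. */
static bool require_ssl_260(const struct session *s)
{
    return s->tls_from_start
        || (s->starttls_done && s->authed_after_starttls);
}

/* Rule proposed for INN 2.6.1. */
static bool require_ssl_261(const struct session *s)
{
    return s->tls_from_start || s->starttls_done || s->sasl_encrypted_layer;
}

/* Walk every consistent state and return how many give a different result
 * under the two rules.  *regressions counts states that matched under the
 * 2.6.0 rule but would stop matching under the 2.6.1 rule. */
static int compare_rules(int *regressions)
{
    int changed = 0;
    *regressions = 0;
    for (int bits = 0; bits < 16; bits++) {
        struct session s = { (bits & 1) != 0, (bits & 2) != 0,
                             (bits & 4) != 0, (bits & 8) != 0 };
        if (s.authed_after_starttls && !s.starttls_done)
            continue; /* inconsistent: no STARTTLS to authenticate after */
        bool before = require_ssl_260(&s), after = require_ssl_261(&s);
        if (before == after)
            continue;
        changed++;
        if (before && !after)
            (*regressions)++;
        printf("starttls=%d authed=%d sasl_layer=%d: 2.6.0=%d 2.6.1=%d\n",
               s.starttls_done, s.authed_after_starttls,
               s.sasl_encrypted_layer, before, after);
    }
    return changed;
}

int main(void)
{
    int regressions;
    int changed = compare_rules(&regressions);
    printf("%d states change, %d regressions\n", changed, regressions);
    return 0;
}
```

In this model the proposed rule is a strict superset of the 2.6.0 rule: every state that changes goes from not matching to matching.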