apr-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Start_tls failure detection
Date Tue, 11 Jan 2005 19:13:28 GMT
>This is the app's problem though - if starttls fails it will return an
>error, and it's normal on error to give up, which is the expected
>behaviour. If the app chooses to ignore the error and go on with the
>insecure connection, then it was the app's choice - it may have wanted
>to do so. I think it should be pretty clearly documented that this is
>the case though.

If this is the app's problem then we need to do some work on
mod_authnz_ldap because it isn't paying attention to the failure and is
allowing the authentication to happen anyway.

Brad

>>> Graham Leggett <minfrin@sharp.fm> Tuesday, January 11, 2005 11:08:51 AM >>>
Brad Nicholes wrote:

> One thing that bothered me while I was testing this.  Even if the
> start_tls fails, authentication still succeeds and content is returned.
> Since we are assuming forced TLS, authentication should fail if the TLS
> connection fails.  It probably shouldn't be allowed to fall back to
> unsecure.

This is the app's problem though - if starttls fails it will return an
error, and it's normal on error to give up, which is the expected
behaviour. If the app chooses to ignore the error and go on with the
insecure connection, then it was the app's choice - it may have wanted
to do so. I think it should be pretty clearly documented that this is 
the case though.

Regards,
Graham
--
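The failure mode discussed in this thread, as an added illustration that is not code from apr-util or mod_authnz_ldap: a constructed in-memory LDAP session model (`ldap_session`, `session_starttls`, `session_bind` are all assumed names) contrasts an authentication path that drops the StartTLS return value with a fail-closed path that refuses to bind when forced TLS could not be established.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of an LDAP session; not an APR or Apache type. */
enum tls_mode { TLS_NONE, TLS_STARTTLS_REQUIRED };

typedef struct {
    bool starttls_should_fail;  /* test knob: simulate a StartTLS failure */
    bool tls_active;            /* set only once StartTLS has succeeded */
    bool bind_sent_plaintext;   /* records whether credentials went out in the clear */
} ldap_session;

/* Simulated StartTLS exchange: 0 on success, nonzero on error. */
static int session_starttls(ldap_session *s) {
    if (s->starttls_should_fail) return -1;
    s->tls_active = true;
    return 0;
}

/* Simulated simple bind: the directory accepts it whether or not TLS is up,
 * so the only record of the problem is the plaintext flag. */
static int session_bind(ldap_session *s, const char *dn, const char *pw) {
    (void)dn; (void)pw;
    if (!s->tls_active) s->bind_sent_plaintext = true;
    return 0;
}

/* Behaviour Brad describes: StartTLS is attempted, its result is ignored,
 * and the bind (and thus authentication) proceeds over the insecure link.
 * Returns 1 when authentication succeeds, 0 when it fails. */
int authenticate_ignoring_starttls(ldap_session *s, enum tls_mode mode,
                                   const char *dn, const char *pw) {
    if (mode == TLS_STARTTLS_REQUIRED) (void)session_starttls(s);  /* error dropped */
    return session_bind(s, dn, pw) == 0 ? 1 : 0;
}

/* Fail-closed variant: forced TLS means no bind unless TLS is actually up;
 * there is no fallback to the unsecured connection. */
int authenticate_fail_closed(ldap_session *s, enum tls_mode mode,
                             const char *dn, const char *pw) {
    if (mode == TLS_STARTTLS_REQUIRED) {
        if (session_starttls(s) != 0 || !s->tls_active) return 0;
    }
    return session_bind(s, dn, pw) == 0 ? 1 : 0;
}
```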

