Posted to dev@apr.apache.org by Brad Nicholes <BN...@novell.com> on 2005/01/11 20:13:28 UTC

Start_tls failure detection

>This is the app's problem though - if starttls fails it will return an
>error, and it's normal on error to give up, which is the expected
>behaviour. If the app chooses to ignore the error and go on with the
>insecure connection, then it was the app's choice - it may have wanted
>to do so. I think it should be pretty clearly documented that this is
>the case though.

If this is the app's problem then we need to do some work on
mod_authnz_ldap because it isn't paying attention to the failure and
is allowing the authentication to happen anyway.

Brad

>>> Graham Leggett <mi...@sharp.fm> Tuesday, January 11, 2005
11:08:51 AM >>>
Brad Nicholes wrote:

> One thing that bothered me while I was testing this.  Even if the
> start_tls fails, authentication still succeeds and content is
> returned.
> Since we are assuming forced TLS, authentication should fail if the
> TLS connection fails.  It probably shouldn't be allowed to fall back to
> insecure.

This is the app's problem though - if starttls fails it will return an
error, and it's normal on error to give up, which is the expected
behaviour. If the app chooses to ignore the error and go on with the
insecure connection, then it was the app's choice - it may have wanted
to do so. I think it should be pretty clearly documented that this is 
the case though.

Regards,
Graham
--
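An added illustration of the two behaviours discussed in this thread: the fail-open path Brad observed (the start_tls result is ignored and the bind goes ahead in the clear) beside the fail-closed check Graham calls the expected behaviour. This is example code written for this page, not mod_authnz_ldap's or APR's code; `ldap_conn`, `sim_start_tls` and `sim_bind` are constructed stand-ins so it runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an LDAP connection handle (not APR's apr_ldap_t). */
typedef struct {
    int force_tls;        /* admin asked for STARTTLS, so plaintext is not acceptable */
    int tls_should_fail;  /* test knob: simulate the STARTTLS negotiation failing */
    int tls_active;       /* set once STARTTLS "succeeded" */
    int bind_attempts;    /* number of binds sent; 0 means no credential left the box */
} ldap_conn;

/* Simulated start_tls: 0 on success, nonzero on failure (like ldap_start_tls_s). */
static int sim_start_tls(ldap_conn *c) {
    if (c->tls_should_fail) return -1;
    c->tls_active = 1;
    return 0;
}

/* Simulated simple bind; the password crosses the wire in clear unless tls_active. */
static int sim_bind(ldap_conn *c, const char *dn, const char *pw) {
    c->bind_attempts++;
    return (strcmp(dn, "cn=user") == 0 && strcmp(pw, "secret") == 0) ? 0 : -1;
}

/* Fail-open: STARTTLS is attempted but its result is discarded, so a failed
 * negotiation silently degrades to a plaintext bind. Returns 1 if authenticated. */
int auth_fail_open(ldap_conn *c, const char *dn, const char *pw) {
    if (c->force_tls) (void)sim_start_tls(c);
    return sim_bind(c, dn, pw) == 0;
}

/* Fail-closed: when TLS is forced, a STARTTLS failure ends the attempt before
 * any credential is sent. Returns 1 if authenticated, 0 otherwise. */
int auth_fail_closed(ldap_conn *c, const char *dn, const char *pw) {
    if (c->force_tls && sim_start_tls(c) != 0) {
        fprintf(stderr, "STARTTLS failed; refusing to bind over plaintext\n");
        return 0;
    }
    return sim_bind(c, dn, pw) == 0;
}

int main(void) {
    ldap_conn open_c   = {1, 1, 0, 0};   /* forced TLS, negotiation fails */
    ldap_conn closed_c = {1, 1, 0, 0};
    printf("fail-open:   auth=%d tls=%d binds=%d\n", auth_fail_open(&open_c, "cn=user", "secret"),
           open_c.tls_active, open_c.bind_attempts);
    printf("fail-closed: auth=%d tls=%d binds=%d\n", auth_fail_closed(&closed_c, "cn=user", "secret"),
           closed_c.tls_active, closed_c.bind_attempts);
    return 0;
}
```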