Re: IMAPS problems...
- From: Brian Stafford <brian stafford uklinux net>
- To: chbm chbm nu
- Cc: Balsa List <balsa-list gnome org>
- Subject: Re: IMAPS problems...
- Date: Wed, 22 Aug 2001 15:10:26 +0100
On Wed, 22 August 14:58 Carlos Morgado wrote:
>
> On 2001.08.22 14:41:20 +0100 Brian Stafford wrote:
> > On Wed, 22 August 14:35 Carlos Morgado wrote:
> >
> > > > So enabling SSL in the config would mean using SSL _and_ TLS, which is
> > > > fairly meaningless, right?
> > >
> > > right. TLS is SSL inside the IMAP protocol. that will eventually go away, but
> > > i haven't figured out a proper approach as some stupid servers only allow TLS
> > > logins even if you're using SSL.
> >
> > No not stupid servers, *sensible* servers use only TLSv1.
> >
> even if you're already inside an ssl tunnel ? :)
Er.....
> > If you have TLS you really don't want SSL unless supporting legacy
> > clients/servers.
> >
> yeah, but advertising LOGINDISABLED inside a SSL connection sounds pretty
> daft, no?
RFC 2595
3.2. IMAP LOGINDISABLED capability
The current IMAP protocol specification (RFC 2060) requires the
implementation of the LOGIN command which uses clear-text passwords.
Many sites may choose to disable this command unless encryption is
active for security reasons. An IMAP server MAY advertise that the
LOGIN command is disabled by including the LOGINDISABLED capability
in the capability response. Such a server will respond with a tagged
"NO" response to any attempt to use the LOGIN command.
An IMAP server which implements STARTTLS MUST implement support for
the LOGINDISABLED capability on unencrypted connections.
An IMAP client which complies with this specification MUST NOT issue
the LOGIN command if this capability is present.
This capability is useful to prevent clients compliant with this
specification from sending an unencrypted password in an environment
subject to passive attacks. It has no impact on an environment
subject to active attacks as a man-in-the-middle attacker can remove
this capability. Therefore this does not relieve clients of the need
to follow the privacy mode recommendation in section 2.2.
Servers advertising this capability will fail to interoperate with
many existing compliant IMAP clients and will be unable to prevent
those clients from disclosing the user's password.
Brian
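A client-side check in the spirit of RFC 2595 section 3.2, added here as an example for this thread (not Balsa's code or anything from the RFC): it parses an untagged CAPABILITY response and decides whether LOGIN may be sent, and, because an active attacker can strip LOGINDISABLED from the capability list, it does not treat the capability's absence on a clear-text connection as permission. The sample responses are constructed and the function names are my own.

```python
from __future__ import annotations

# Constructed sample CAPABILITY responses (not captured from a real server).
PLAIN_BANNER = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
TLS_BANNER = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"


def parse_capabilities(line: str) -> set[str]:
    """Parse an untagged '* CAPABILITY ...' line into an upper-cased set.

    Capability names are case-insensitive, so normalise before comparing.
    """
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    return {t.upper() for t in tokens[2:]}


def choose_auth_step(caps: set[str], tls_active: bool,
                     allow_cleartext: bool = False) -> str:
    """Decide the next step for a client that complies with RFC 2595 3.2.

    Returns "STARTTLS" (negotiate TLS, then re-read CAPABILITY),
    "LOGIN" (clear-text LOGIN is acceptable) or "ABORT" (sending the
    password would either be refused or expose it).
    """
    if "LOGINDISABLED" in caps and not (tls_active is False and "STARTTLS" in caps):
        # The server will answer LOGIN with a tagged NO, so do not send it.
        # This also covers the case from the thread: LOGINDISABLED advertised
        # inside an already-established SSL tunnel, where STARTTLS cannot help.
        return "ABORT"
    if tls_active:
        # The connection is already encrypted; clear-text LOGIN is protected.
        return "LOGIN"
    if "STARTTLS" in caps:
        # Upgrade first; the capability list must be re-fetched afterwards
        # because the pre-TLS list may have been altered by an attacker.
        return "STARTTLS"
    # No TLS on offer. LOGINDISABLED being absent proves nothing (a
    # man-in-the-middle can remove it), so only a deliberate opt-in allows
    # sending the password in the clear (the "privacy mode" choice of 2.2).
    return "LOGIN" if allow_cleartext else "ABORT"
```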