Charlie Brady wrote:
> One thing to keep in mind while talking about STARTTLS and AUTH together
> is that it's important that we allow admins to choose whether AUTH is
> available always or only after TLS is negotiated. We also want to
> selectively offer such features depending on remote IP (or maybe local IP).
AUTH is only advertised if there is an AUTH provider registered, so if
the site wished to only permit AUTH (presumably plaintext) after a TLS
session was established, the same hook that turns on TLS could then
register an AUTH provider.
I'll have to think about whether it is even possible to pull the AUTH support
out of the core. The big issue I see is that there needs to be an AUTH
hook, and we don't currently have a way to easily create new hooks from
within plugins (and I think we should be very careful about whether we
support that at all).
John
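The mechanism John describes, AUTH being advertised only once a provider is registered and the STARTTLS hook doing that registration, is easy to model in a few lines. The following is an added illustration written for this page, not qpsmtpd's code: the `Session` class, the hook functions and the `PLAINTEXT_AUTH_NETWORKS` policy are hypothetical, and the credential check is a constructed stand-in for a real provider. It also covers Charlie's per-IP point by letting a trusted network register a provider at connect time, while every other client gets a 530 (the RFC 3207 reply) until TLS is up.

```python
import ipaddress

# Constructed policy: plaintext AUTH is tolerated only from these networks;
# every other client must negotiate TLS before AUTH is offered. (Hypothetical values.)
PLAINTEXT_AUTH_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


class Session:
    """Per-connection state for one inbound SMTP session (hypothetical model)."""

    def __init__(self, remote_ip, tls_available=True):
        self.remote_ip = ipaddress.ip_address(remote_ip)
        self.tls_available = tls_available   # server has a certificate configured
        self.tls_active = False              # set once the handshake succeeds
        self.auth_provider = None            # None means AUTH is not advertised
        self.authenticated = False


def plaintext_auth_allowed(session):
    """Per-IP policy hook: is this peer allowed to AUTH without TLS?"""
    return any(session.remote_ip in net for net in PLAINTEXT_AUTH_NETWORKS)


def register_auth_provider(session, provider):
    """The only way AUTH becomes visible: something registers a provider."""
    session.auth_provider = provider


def connect_hook(session):
    """Runs at connection time; registers AUTH immediately only for trusted peers."""
    if plaintext_auth_allowed(session):
        register_auth_provider(session, demo_provider)


def starttls_hook(session):
    """Runs after a successful TLS handshake; now it is safe to offer AUTH."""
    session.tls_active = True
    register_auth_provider(session, demo_provider)


def ehlo_capabilities(session):
    """Build the EHLO response from session state rather than static config."""
    caps = ["PIPELINING", "8BITMIME"]
    if session.tls_available and not session.tls_active:
        caps.append("STARTTLS")          # do not re-advertise inside a TLS session
    if session.auth_provider is not None:
        caps.append("AUTH PLAIN LOGIN")
    return caps


def handle_auth(session, username, password):
    """Refuse AUTH outright when no provider is registered, even if a client tries anyway."""
    if session.auth_provider is None:
        return "530 5.7.0 Must issue a STARTTLS command first"
    if session.auth_provider(username, password):
        session.authenticated = True
        return "235 2.7.0 Authentication successful"
    return "535 5.7.8 Authentication credentials invalid"


def demo_provider(username, password):
    # Constructed credential check; a real provider would consult a user store.
    return (username, password) == ("alice", "correct horse")
```

The point of checking `auth_provider` inside `handle_auth` as well as in `ehlo_capabilities` is that clients do not always honour the advertised capability list; the server state, not the EHLO banner, has to be what gates the command.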