Re: IMAPS problems...



On Wed, 22 August 14:58 Carlos Morgado wrote:
> 
> On 2001.08.22 14:41:20 +0100 Brian Stafford wrote:
> > On Wed, 22 August 14:35 Carlos Morgado wrote:
> > 
> > > > So enabling SSL in the config would mean using SSL _and_ TLS, which is
> > > > fairly meaningless, right?
> > > 
> > > right. TLS is SSL inside the IMAP protocol. that will eventually go away, but
> > > i haven't figured out a proper approach as some stupid servers only allow TLS
> > > logins even if you're using SSL.
> > 
> > No not stupid servers, *sensible* servers use only TLSv1.
> > 
> even if you're already inside a ssl tunnel ? :)

Er.....

> > If you have TLS you really don't want SSL unless supporting legacy
> > clients/servers.
> > 
> yeah, but advertising LOGINDISABLED inside a SSL connection sounds pretty
> daft no?

RFC 2595

3.2. IMAP LOGINDISABLED capability

   The current IMAP protocol specification (RFC 2060) requires the
   implementation of the LOGIN command which uses clear-text passwords.
   Many sites may choose to disable this command unless encryption is
   active for security reasons.  An IMAP server MAY advertise that the
   LOGIN command is disabled by including the LOGINDISABLED capability
   in the capability response.  Such a server will respond with a tagged
   "NO" response to any attempt to use the LOGIN command.

   An IMAP server which implements STARTTLS MUST implement support for
   the LOGINDISABLED capability on unencrypted connections.

   An IMAP client which complies with this specification MUST NOT issue
   the LOGIN command if this capability is present.

   This capability is useful to prevent clients compliant with this
   specification from sending an unencrypted password in an environment
   subject to passive attacks.  It has no impact on an environment
   subject to active attacks as a man-in-the-middle attacker can remove
   this capability.  Therefore this does not relieve clients of the need
   to follow the privacy mode recommendation in section 2.2.

   Servers advertising this capability will fail to interoperate with
   many existing compliant IMAP clients and will be unable to prevent
   those clients from disclosing the user's password.

Brian
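An added example (not code from the thread or from any IMAP client discussed in it) of the client-side decision the quoted RFC text requires: parse the untagged CAPABILITY response, never issue LOGIN when LOGINDISABLED is advertised, and, because an active attacker can strip that capability, refuse to send a cleartext password on an unencrypted connection regardless, upgrading with STARTTLS first. The response lines, the `encrypted` flag and the function names are constructed for this illustration.

```python
"""Client handling of the IMAP LOGINDISABLED capability (RFC 2595, 3.2).

Constructed example: decides whether a client may send LOGIN, applying the
RFC's MUST NOT rule and its privacy-mode caveat (absence of LOGINDISABLED on
a plaintext connection proves nothing, since a man-in-the-middle can remove
the capability).
"""
import re


def parse_capabilities(line: str) -> set[str]:
    """Return the capability atoms from an untagged '* CAPABILITY ...' line.

    Atoms are upper-cased because IMAP capability names are case-insensitive.
    """
    m = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not an untagged CAPABILITY response: {line!r}")
    return {atom.upper() for atom in m.group(1).split()}


def next_step(capability_line: str, encrypted: bool) -> str:
    """Decide the client's next action before any password leaves the host.

    Returns one of:
      'login'    - connection is encrypted and LOGIN is not disabled
      'starttls' - plaintext connection, server offers STARTTLS: upgrade first
      'refuse'   - LOGIN is disabled (use AUTHENTICATE/SASL instead, not shown
                   here), or there is no way to obtain encryption
    """
    caps = parse_capabilities(capability_line)
    if "LOGINDISABLED" in caps:
        # RFC 2595 3.2: a compliant client MUST NOT issue LOGIN in this case.
        return "refuse"
    if encrypted:
        return "login"
    # Unencrypted link: do not trust the missing capability, insist on TLS.
    return "starttls" if "STARTTLS" in caps else "refuse"
```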
