>This is the app's problem though - if starttls fails it will return an
>error, and it's normal on error to give up, which is the expected
>behaviour. If the app chooses to ignore the error and go on with the
>insecure connection, then it was the app's choice - it may have wanted
>to do so. I think it should be pretty clearly documented that this is
>the case though.

If this is the app's problem then we need to do some work on
mod_authnz_ldap because it isn't paying attention to the failure and is
allowing the authentication to happen anyway.

Brad

>>> Graham Leggett <[EMAIL PROTECTED]> Tuesday, January 11, 2005 11:08:51 AM >>>
Brad Nicholes wrote:

> One thing that bothered me while I was testing this. Even if the
> start_tls fails, authentication still succeeds and content is returned.
> Since we are assuming forced TLS, authentication should fail if the TLS
> connection fails. It probably shouldn't be allowed to fall back to
> unsecure.

This is the app's problem though - if starttls fails it will return an
error, and it's normal on error to give up, which is the expected
behaviour. If the app chooses to ignore the error and go on with the
insecure connection, then it was the app's choice - it may have wanted
to do so. I think it should be pretty clearly documented that this is
the case though.

Regards,
Graham
--
