At 7:05 PM -0400 5/24/02, Michael Caplan wrote:
> set clear-text-password = always
>
> Can someone clarify how authentication works with this setup? Specifically,
> is a secure connection first negotiated, and then password authentication
> takes place? Or is password authentication happening over a plain connection
> before SSL creates its layer?
>
> I don't want to be sending clear text passwords over the net if I can avoid
> it. With the above config, clear-text-password = always does not look too
> reassuring even though tls support is on.

That's right. You want clear-text-password to be tls, although, since you have tls set to alternate-port, all connections must negotiate tls, so the clear-text-password setting doesn't matter and you're OK as is.
