On Thursday, 16.07.2020, 10:33 +0000, Daniel Gultsch wrote:
> On Thu., 16 July 2020 at 10:13, Florian Schmaus <[email protected]> wrote:
>
> > If you send 'y', which implies that you, the client, did not select a
> > -PLUS mechanism for authentication, while the server announces at least
> > one SCRAM-*-PLUS mechanism, then the server may suspect a MitM attack
> > and terminates the connection.
>
> Yes. But that's the desired behaviour, no?

Desired by MitM, yes :)

I'd rather suggest if no matching methods are found just ignore the hint and do tls-unique (as you would do in absence of this method) or any other method you support instead in local preference order (eg tls-exporter, then tls-server-end-point, etc.).
--rr

Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
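The fallback rule suggested in the message above, sketched as client-side selection logic. This is an added example, not part of the original message or of any XMPP library: the function name, its parameters and the shape of the hint list are assumptions, and the gs2 header forms (`p=<type>,,`, `y,,`, `n,,`) are those of RFC 5802.

```python
# Added illustration: hypothetical helper, not taken from any XMPP library.
# Local preference order as given in the message above.
LOCAL_CB_PREFERENCE = ["tls-unique", "tls-exporter", "tls-server-end-point"]


def pick_channel_binding(server_mechs, server_cb_hint, local_pref=LOCAL_CB_PREFERENCE):
    """Return (mechanism, gs2_header) for the SCRAM client-first message.

    server_mechs   -- SASL mechanism names announced by the server
    server_cb_hint -- channel-binding types the server hinted at (may be None)
    local_pref     -- channel-binding types this client supports, best first
    """
    plus = [m for m in server_mechs
            if m.startswith("SCRAM-") and m.endswith("-PLUS")]
    plain = [m for m in server_mechs
             if m.startswith("SCRAM-") and not m.endswith("-PLUS")]

    if plus and local_pref:
        hinted = set(server_cb_hint or ())
        matching = [cb for cb in local_pref if cb in hinted]
        # No overlap with the hint: ignore the hint and keep using channel
        # binding in local preference order, rather than dropping to 'y',
        # which a server that announces -PLUS treats as a suspected MitM.
        cb = matching[0] if matching else local_pref[0]
        return plus[0], f"p={cb},,"

    if plain:
        # 'y': client supports channel binding but believes the server does not.
        # 'n': client has no channel-binding support at all.
        flag = "y" if local_pref else "n"
        return plain[0], f"{flag},,"

    raise ValueError("server offers no SCRAM mechanism")


if __name__ == "__main__":
    mechs = ["SCRAM-SHA-1-PLUS", "SCRAM-SHA-1"]   # constructed sample input
    print(pick_channel_binding(mechs, ["tls-exporter"]))
    print(pick_channel_binding(mechs, ["x-unknown-type"]))  # constructed hint
```
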
