ietf-nntp TLS response codes

Ken Murchison ken at oceana.com
Mon Mar 17 20:42:01 PST 2003


"Jeffrey M. Vinocur" wrote:
> 
> On Sun, 16 Mar 2003, Russ Allbery wrote:
> 
> > I think 580 is the right error code for a failure in TLS negotiation,
> 
> It's not clear to me when this would actually be needed.  I don't see any
> parallel in the other protocols with TLS support.
> 
> Ken, once the client and server agree to begin TLS negotiation, is it
> possible for there to be a failure that would not require closing the
> connection?  (That is, where both parties would know on which octet the
> unencrypted connection resumes.)

Sure.  They might not be able to agree on a cipher.

You're asking about the internals of TLS and OpenSSL, and I'm no
expert.  But my guess is that because of the nature of the negotiation,
both the client and server always know exactly what is happening.

Just because STARTTLS might fail doesn't mean that the session is
junk.  The client might _prefer_ TLS, but could always fall back to
using a SASL mech that has its own security layer (DIGEST-MD5, KERBEROS,
etc.).

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
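The client-side policy Ken sketches above (a 580 to STARTTLS leaves the session usable, so fall back to a SASL mechanism with its own security layer rather than to the clear) written out as a small simulation. This is an added example, not code from the thread or from any NNTP implementation; the 382 "continue" code is taken from RFC 4642 rather than from the thread, the scripted server replies are constructed for the demo, and the rule that a handshake failure after 382 tears the connection down is this example's own policy.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class ProtocolError(Exception):
    """Server reply that the client's policy does not know how to handle."""


class ConnectionUnusable(Exception):
    """The session must be torn down; nothing can safely follow in the clear."""


# SASL mechanisms that carry their own integrity/confidentiality layer.
# DIGEST-MD5 and KERBEROS are the ones named in the thread; GSSAPI is
# added here as a further example.  PLAIN is deliberately absent.
MECHS_WITH_SECURITY_LAYER = {"DIGEST-MD5", "KERBEROS", "GSSAPI"}


@dataclass
class ScriptedServer:
    """Fake NNTP server for the demo: a command -> reply table plus a log
    of what the client sent.  Replies are constructed, not captured."""
    replies: Dict[str, str]
    sent: List[str] = field(default_factory=list)

    def exchange(self, command: str) -> str:
        self.sent.append(command)
        return self.replies[command]


def response_code(line: str) -> int:
    """Pull the three-digit NNTP response code off a reply line."""
    code = line.split(" ", 1)[0]
    if len(code) != 3 or not code.isdigit():
        raise ProtocolError(f"malformed reply: {line!r}")
    return int(code)


def choose_security(server: ScriptedServer,
                    offered_mechs: List[str],
                    handshake: Callable[[], bool]) -> str:
    """Client policy.  Returns "tls" or "sasl:<MECH>".

    * 382 -> run the TLS handshake; if it fails the connection is closed,
      because after a half-finished handshake neither side can be sure
      where cleartext NNTP would resume (this example's assumption).
    * 580 -> the server declined to start TLS but the session is intact,
      so fall back, but only to a SASL mechanism with a security layer.
    * anything else -> ProtocolError.
    """
    code = response_code(server.exchange("STARTTLS"))
    if code == 382:
        # A real client hands the socket to its TLS library here.
        if handshake():
            return "tls"
        raise ConnectionUnusable("TLS handshake failed after 382; closing")
    if code != 580:
        raise ProtocolError(f"unexpected reply to STARTTLS: {code}")
    # 580: STARTTLS refused, NNTP session still in sync.  Prefer a SASL
    # mechanism that protects the session itself; never drop to PLAIN.
    for mech in offered_mechs:
        if mech in MECHS_WITH_SECURITY_LAYER:
            return f"sasl:{mech}"
    raise ConnectionUnusable("580 and no SASL mechanism with a security layer")


if __name__ == "__main__":
    ok = ScriptedServer({"STARTTLS": "382 Continue with TLS negotiation"})
    print(choose_security(ok, ["PLAIN"], lambda: True))
    refused = ScriptedServer({"STARTTLS": "580 Can not initiate TLS negotiation"})
    print(choose_security(refused, ["PLAIN", "DIGEST-MD5"], lambda: True))
```

The two outcomes worth noticing are the asymmetry between a 580 (session continues, pick a protected mechanism) and a failed handshake after a 382 (session closed), and that the mechanism list is filtered rather than taken in the server's preferred order, so a server advertising PLAIN first cannot steer the client into an unprotected login.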
