ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?

Clive D.W. Feather clive at demon.net
Wed Sep 10 02:01:15 PDT 2003


> S: 200 eagle.oceana.com Cyrus NNTP v2.2.1-BETA server ready, posting allowed
> C: LIST EXTENSIONS
> S: 202 Extension list follows:
> S: AUTHINFO USER
> S: SASL CRAM-MD5 NTLM DIGEST-MD5
> S: STARTTLS
> S: STREAMING
> S: .
> C: STARTTLS
> S: 382 Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> C: LIST EXTENSIONS
> S: 202 Extension list follows:
> S: AUTHINFO USER
> S: SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN
> S: STREAMING
> S: .
> C: AUTHINFO SASL PLAIN a2VuAGtlbgBiYW5hbmEx
> S: 281 Success (tls protection)
> Authenticated.
> Security strength factor: 168
> 
> 
> If the client caches the last LIST EXTENSIONS response, then the next 
> time that it goes to authenticate (w/o checking LIST EXTENSIONS), it 
> will try to do so in the clear, which is "not a good thing":

This has made me think of something. Would it help if LIST EXTENSIONS had a
way of saying "I also provide this extension, but not in the current
state"? Suppose this were done using a leading dash, then the above
conversation would become:

  S: 200 eagle.oceana.com Cyrus NNTP v2.2.1-BETA server ready, posting allowed
  C: LIST EXTENSIONS
  S: 202 Extension list follows:
  S: AUTHINFO USER
  S: SASL CRAM-MD5 NTLM DIGEST-MD5
  S: - SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN
  S: STARTTLS
  S: STREAMING
  S: .
  C: STARTTLS
  S: 382 Begin TLS negotiation now
  verify error:num=19:self signed certificate in certificate chain
  TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
  C: LIST EXTENSIONS
  S: 202 Extension list follows:
  S: AUTHINFO USER
  S: SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN
  S: - SASL CRAM-MD5 NTLM DIGEST-MD5
  S: STREAMING
  S: - STARTTLS
  S: .
  C: AUTHINFO SASL PLAIN a2VuAGtlbgBiYW5hbmEx
  S: 281 Success (tls protection)
  Authenticated.
  Security strength factor: 168

The client could cache the response and still not fall into your trap,
since the cached results would say "STARTTLS sometimes available".

Actually, to maintain compatibility I'd do it as:

  C: LIST EXTENSIONS STATEINFO
  S: 202 Extension list with state info:
  S: + AUTHINFO USER
  S: ! SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN
  S: - SASL CRAM-MD5 NTLM DIGEST-MD5
  S: + STREAMING
  S: - STARTTLS
  S: .

where + means "always available", - means "not available in this state",
and ! means "available in this state but not all others".

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | *** NOTE CHANGE ***
Demon Internet      | WWW: http://www.davros.org | Fax:    +44 870 051 9937
Thus plc            |                            | Mobile: +44 7973 377646
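One way a client could consume the proposed LIST EXTENSIONS STATEINFO reply before deciding whether a cached extension list can be trusted, as an added example that is not part of the original message or of any NNTP implementation; the `+`/`!`/`-` semantics follow the proposal above, and the sample reply is constructed from it:

```python
from collections import namedtuple

# Markers as proposed: always available / only in some states / not in this state
ALWAYS, SOMETIMES, UNAVAILABLE = "+", "!", "-"

Entry = namedtuple("Entry", "marker name args")

# Constructed sample: the post-STARTTLS reply from the proposal above.
SAMPLE_RESPONSE = """202 Extension list with state info:
+ AUTHINFO USER
! SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN
- SASL CRAM-MD5 NTLM DIGEST-MD5
+ STREAMING
- STARTTLS
."""


def parse_stateinfo(response):
    """Parse a STATEINFO reply (proposed format, not a standard) into Entry
    records. The 202 status line and the terminating '.' are skipped; every
    other line must be '<marker> <name> [args...]'."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("202"):
        raise ValueError("expected a 202 response, got %r" % lines[:1])
    entries = []
    for line in lines[1:]:
        if line == ".":
            break
        marker, _, rest = line.partition(" ")
        if marker not in (ALWAYS, SOMETIMES, UNAVAILABLE) or not rest:
            raise ValueError("malformed state line: %r" % line)
        name, *args = rest.split()
        entries.append(Entry(marker, name, tuple(args)))
    return entries


def usable_from_cache(entries, name, arg=None):
    """Decide from a *cached* reply whether 'name' (optionally a specific
    argument such as a SASL mechanism) may be used without re-querying.
    Only '+' entries are safe to trust from cache; a '!' entry was valid
    only in the state the reply was captured in, so the client must issue
    LIST EXTENSIONS again (e.g. after STARTTLS) before relying on it."""
    best = "unavailable"
    for e in entries:
        if e.name != name or (arg is not None and arg not in e.args):
            continue
        if e.marker == ALWAYS:
            return "usable"
        if e.marker == SOMETIMES:
            best = "requery"
    return best
```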
