[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Forcing TLS encryption

To: Wiebe Cazemier <wiebe@halfgaar.net>
Subject: Re: Forcing TLS encryption
From: Philip Guenther <guenther+ldaptech@sendmail.com>
Date: Fri, 28 Dec 2012 12:36:50 -0800
Cc: Dieter Klünter <dieter@dkluenter.de>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendmail.com; s=tls.dkim; t=1356727025; bh=91srytO+XW2ivgV6/xXaU037YnjxhcNthpAY0nwOCBA=; h=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References: MIME-Version:Content-Type; b=l2RZ0E5JWXsix0k4mbzczQvR8ftvLy09vb7dcC+twyrIFlAIEf9GHFG2Huq5x+wjo fau89Rz1EpnNNRaGcCZDGr9qaRAy4/hldL+XIwCe/WkzAsKkHWn0cboQDzQSBulLSe kabsFj3lbqJ0x1Dl6/bF/a6UqazaPTpbF32+Lgvw=
In-reply-to: <1438144113.14442.1356682491834.JavaMail.root@halfgaar.net>
References: <985577790.9606.1356102006319.JavaMail.root@halfgaar.net> <634F18FA-7BB5-4D83-9C02-EE46CFE6298C@oracle.com> <288778360.11025.1356340479288.JavaMail.root@halfgaar.net> <20121227155321.045a9e29@violet.avci.de> <1438144113.14442.1356682491834.JavaMail.root@halfgaar.net>
User-agent: Alpine 2.00 (BSO 1167 2008-08-23)

On Fri, 28 Dec 2012, Wiebe Cazemier wrote:
> I understand that, but this way, even when you're forcing TLS, users can 
> still expose their passwords if their computers are mal-configured. 
> SMTP, IMAP, FTP, etc don't allow this, because they reject the 
> connection if LOGINNAME is given before STARTTLS.

That is not true of SMTP's AUTH PLAIN, IMAP's AUTHENTICATE PLAIN, or 
IMAP's LOGIN.  The PLAIN SASL mechanism and IMAP's LOGIN command both send 
the username and password without waiting for a response from the 
server**.


> It's kind of a security issue. Is it because in LDAP, username and 
> password are given as one command, and the server doesn't have the 
> chance to abort at that point? If so, then I guess it's unavoidable.

Correct.


Philip Guenther

** Well, to be completely accurate, IMAP AUTHENTICATE requires a server 
response if the server doesn't support the SASL-IR capability

Follow-Ups:
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>

References:
- Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Chuck Lever <chuck.lever@oracle.com>
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>

Prev by Date: Re: Forcing TLS encryption
Next by Date: Re: Forcing TLS encryption
Index(es):
- Chronological
- Thread