[PATCH] Mail: send starttls flag value to auth script
info at phpgangsta.de
Mon Mar 2 14:32:03 UTC 2015
On Mar 2, 2015, at 3:14 PM, Maxim Dounin wrote:
> On Mon, Mar 02, 2015 at 01:12:44PM +0100, Michael Kliewe wrote:
>> with your changes there is a problem:
>> nginx now just sends the header if the connection is encrypted.
>> If the connection is not encrypted, then there is no header sent
>> to the auth script.
>> In the auth script I cannot distinguish between "user did not
>> use encryption" and "nginx doesn't have the feature" (because of
>> mixed nginx versions).
>> With the original version of the patch this was possible.
> Try updating all your nginx instances before using the header for
> something limiting, it is expected to resolve your problem.
> Either way, the only safe thing to do if "nginx doesn't have the
> feature" is to assume there is no SSL if SSL matters. And that's
> what current behaviour encourages.
You are kind of right, but currently I'm distinguishing between "encrypted", "not-encrypted" and "unknown", because we have different versions of nginx in different setups. I cannot update all nginx versions in parallel in all setups. That's why your tip does not help me ;-/
I need to distinguish between "not-encrypted" and "unknown", because I want to warn all users still using not-encrypted connections. With your patch I cannot distinguish between them, and would send false warnings...
Would it be complicated to send "Auth-SSL: off" in case there was no encryption? It's just one "else" more, and solves all problems.
b->last = ngx_cpymem(b->last, "Auth-SSL: off" CRLF,
                     sizeof("Auth-SSL: off" CRLF) - 1);
That would really help me, and would replace the old patch from Filipe that I have been using for 6 months (which also sends the header in case there is no encryption)...
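To make the three-way distinction discussed above concrete, here is an added example of an auth_http backend; it is not nginx code and not the poster's script. It assumes the header name Auth-SSL with the value "on" on an encrypted connection and, with the "else" branch proposed above, "off" otherwise; an nginx without the feature sends no Auth-SSL header at all. The account store, the backend address and the rejection message are constructed for the example.

```python
"""Tri-state Auth-SSL handling for an nginx mail auth_http backend.

Added example, not nginx's own code and not the poster's script. Assumption:
nginx sends "Auth-SSL: on" on an encrypted connection and, with the "else"
branch proposed in the thread, "Auth-SSL: off" otherwise; older nginx sends
no Auth-SSL header at all.
"""
import hmac
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer

ENCRYPTED, NOT_ENCRYPTED, UNKNOWN = "encrypted", "not-encrypted", "unknown"

# Constructed sample account store; a real script would query a database.
USERS = {"alice@example.com": "s3cret"}

# Constructed IMAP backend the auth script hands the client to.
BACKEND = ("10.0.0.5", "143")


def ssl_state(headers):
    """Classify the Auth-SSL request header into three states.

    headers: any mapping of header name -> value; lookup is case-insensitive.
    """
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    value = lowered.get("auth-ssl")
    if value is None:
        return UNKNOWN        # absent: old nginx, or current nginx on a plain connection
    if value == "on":
        return ENCRYPTED
    if value == "off":
        return NOT_ENCRYPTED  # only sent by an nginx with the proposed "else" branch
    return UNKNOWN            # unrecognised value: do not raise a false warning


def auth_response(headers):
    """Build the Auth-* response headers for one auth_http request.

    Returns a list of (name, value) pairs. A login on a connection known to be
    unencrypted is refused with a message; "unknown" is let through so that a
    backend serving a mixed set of nginx versions does not warn falsely.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get("auth-user", "")
    password = lowered.get("auth-pass", "")
    state = ssl_state(headers)

    if state == NOT_ENCRYPTED:
        return [("Auth-Status", "Enable STARTTLS or SSL in your mail client"),
                ("Auth-Wait", "3")]
    if state == UNKNOWN:
        logging.info("no Auth-SSL header for %s; encryption state unknown", user)

    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return [("Auth-Status", "Invalid login or password"), ("Auth-Wait", "3")]
    return [("Auth-Status", "OK"),
            ("Auth-Server", BACKEND[0]),
            ("Auth-Port", BACKEND[1])]


class AuthHandler(BaseHTTPRequestHandler):
    """Minimal auth_http endpoint: nginx issues a GET carrying Auth-* headers."""

    def do_GET(self):
        self.send_response(200)
        for name, value in auth_response(self.headers):
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed listen address; point auth_http at http://127.0.0.1:8080/auth
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

The point of the "unknown" branch is the one raised in the message: without an explicit "off" value, a missing header cannot be told apart from an nginx that predates the feature, so the only way to avoid false warnings is to treat absence as unknown and to warn only on an explicit "off".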