[PATCH] Mail: send starttls flag value to auth script

Michael Kliewe info at phpgangsta.de
Mon Mar 2 14:32:03 UTC 2015

Hi Maxim,

On Mar 2, 2015, at 3:14 PM, Maxim Dounin wrote:

> Hello!
> On Mon, Mar 02, 2015 at 01:12:44PM +0100, Michael Kliewe wrote:
>> with your changes there is a problem:
>> nginx now just sends the header if the connection is encrypted. 
>> If the connection is not encrypted, then there is no header sent 
>> to the auth script.
>> In the auth script I cannot distinguish between "user did not 
>> use encryption" and "nginx doesn't have the feature" (because of 
>> mixed nginx versions).
>> With the original version of the patch this was possible.
> Try updating all your nginx instances before using the header for 
> something limiting, it is expected to resolve your problem.
> Either way, the only safe thing to do if "nginx doesn't have the 
> feature" is to assume there is no SSL if SSL matters.  And that's 
> what current behaviour encourages.

You are kind of right, but currently I'm distinguishing between "encrypted", "not-encrypted" and "unknown", because we have different versions of nginx in different setups. I cannot update all nginx versions in parallel in all setups. That's why your tip does not help me ;-/
I need to distinguish between "not-encrypted" and "unknown", because I want to warn all users still using not-encrypted connections. With your patch I cannot distinguish between them, and would send false warnings...

Would it be complicated to send "Auth-SSL: off" in case there was no encryption? It's just one "else" more, and solves all problems.

     b->last = ngx_cpymem(b->last, "Auth-SSL: off" CRLF,
                          sizeof("Auth-SSL: off" CRLF) - 1);

That would really help me, and would replace the old patch from Filipe that I'm using since 6 months (which also sends the header in case there is no encryption)...


More information about the nginx-devel mailing list