On 2011-10-21 9:24 AM, Thomas Eckardt wrote:
> I'll change the behavior of assp for SSL-failed privat IP's and
> 'acceptAllMail' IP's - by giving them one more chance to correct there
> mistake.
Thanks Thomas!!
--
Best regards,
Charles
> >(as happens when Thunderbird prompts the user to accept a
>>self-signed cert) is not best practice.
>
> This is done by Net::SSLeay (OpenSSL) - not by assp and it works perfect
> with other clients. ASSP simply detects that an unrecoverable (one more
> retry attempt for each connection) error o
and
'acceptAllMail' IP's - by giving them one more chance to correct there
mistake.
Thomas
Von:Charles Marcus
An: assp-test@lists.sourceforge.net
Datum: 21.10.2011 15:01
Betreff:Re: [Assp-test] Disabling SSLFailed cache
On 2011-10-21 8:53 AM, Thomas Eckar
On 2011-10-21 9:25 AM, Peter W Bowey wrote:
> The challenge is in the ASSP verification for 'self-signed certs'.
> It is a bummer for Thomas...:-)
+1
I'm not suggesting it is easy to do (I don't know as ianap)... and if
Thomas' answer is 'it is desirable, but hard to do', then that is a
perfec
> Wasn't suggesting it should be disabled, I was suggesting that maybe
> refusing to continue to offer STARTTLS/SSL because of one, temporary
> 'failure' (as happens when Thunderbird prompts the user to accept a
> self-signed cert) is not best practice.
>
> Postfix, Exchange Server, web server
On 2011-10-21 9:18 AM, Peter W Bowey wrote:
> I see that you have 'possibly' not aswered the orig. query?
>
> "Is it possible for ASSP to use "self-signed certs"?"
>
> I suspect the real answer is 'no'. [sorry Charles].
I hope that is not the (permanent) case... it would be sad for assp to
n
>>There is absolutely nothing wrong with a smaller company using
>>self-signed certs, so ASSP should allow for this to work... period...
>Using SSL in a bigger company is more than doing some clicks.
>- create CA and keys
>- cert server
>- key and or certificate deployment
>- centralized ce
On 2011-10-21 8:53 AM, Thomas Eckardt wrote:
> The SSLFailed cache in assp is a DoS prevention - there is no good reason
> to disable it - even not for privat IP's.
Wasn't suggesting it should be disabled, I was suggesting that maybe
refusing to continue to offer STARTTLS/SSL because of one, tem
>wrong with a smaller company using
>>with hundreds or
>> even thousands of clients...
Using SSL in a bigger company is more than doing some clicks.
- create CA and keys
- cert server
- key and or certificate deployment
- centralized cert verification
- centralized directoy servic
On 2011-10-21 5:29 AM, Thomas Eckardt wrote:
> Just import your self cert used by assp for SSL to all clients prior to
> connect them via SSL.
This is not a reasonable suggestion... think of someone with hundreds or
even thousands of clients...
--
Best regards,
Charles
-
Re: [Assp-test] Disabling SSLFailed cache
Thomas Eckardt wrote:
> No , because this does not make sense. If a client make mistakes in SSL
,
> this could lead into stucking workers.
Thanks for pointing out where to clear the cache. The below is what
usually triggers our issue.
The
Thomas Eckardt wrote:
> No , because this does not make sense. If a client make mistakes in SSL ,
> this could lead into stucking workers.
Thanks for pointing out where to clear the cache. The below is what
usually triggers our issue.
The scenario:
Setup Seamonkey/Thunderbird for TLS, send a
SIP'.
You can remove an IP from SSL failed hash in the GUI: Mainmenu-> left menu
scroll down -> select Internal Caches-> SSLfailed
Thomas
Von:Administrateur des Sytèmes
An: assp-test@lists.sourceforge.net
Datum: 20.10.2011 20:52
Betreff: [Assp-test] Disabling SSLFa
Administrateur des Sytèmes wrote:
> s there a way to simply disable the use of the failed ssl cache completely in
> version 2
I'd like to know as well, it's bitten me twice on our internal network.
The only way to get a desktop working again is either to change their IP
address or restart ASS
Hi all,
Is there a way to simply disable the use of the failed ssl cache completely in
version 2. I've gone through all options in the GUI
and found nothing about this.
Thank you.
Eric
--
The demand for IT networki
15 matches
Mail list logo