On Thursday, 16.07.2020, at 13:08 +0200, Ruslan N. Marchenko wrote:
> On Thursday, 16.07.2020, at 10:33 +0000, Daniel Gultsch wrote:
> > On Thu, 16 July 2020 at 10:13, Florian Schmaus <f...@geekplace.eu> wrote:
> >
> > > If you send 'y', which implies that you, the client, did not select a
> > > -PLUS mechanism for authentication, while the server announces at least
> > > one SCRAM-*-PLUS mechanism, then the server may suspect a MitM attack
> > > and terminates the connection.
> >
> > Yes. But that's the desired behaviour, no?
> Desired by MitM, yes :)

Sorry, I misread (and misinterpreted) the comment as to say n is desired behaviour. Yes, y would be kind of safest, but sending y when both sides know -PLUS is there is as good as the client just aborting the connection. Which could be an option actually.

> I'd rather suggest if no matching methods are found just ignore the
> hint and do tls-unique (as you would do in absence of this method) or
> any other method you support instead in local preference order (eg
> tls-exporter, then tls-server-end-point, etc.).
>
> --rr

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
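
The server-side rule quoted at the top of this message (a client sending 'y' while the server announces a -PLUS mechanism is treated as a possible MitM), as an added example that is not part of the original thread or of any XMPP implementation. It follows the gs2-cbind-flag rules of RFC 5801 and RFC 5802; the function names and the sample mechanism lists and messages are constructed for illustration.

```python
# Added example: server-side handling of the SCRAM gs2-cbind-flag.
# Function names and sample values are hypothetical.

def parse_gs2_header(client_first):
    """Return (flag, cb_name, client_first_bare) from a client-first-message."""
    parts = client_first.split(",", 2)
    if len(parts) != 3:
        raise ValueError("malformed client-first-message")
    cbind, authzid, bare = parts
    if authzid and not authzid.startswith("a="):
        raise ValueError("malformed authzid")
    if cbind in ("n", "y"):
        return cbind, None, bare
    if cbind.startswith("p=") and len(cbind) > 2:
        return "p", cbind[2:], bare
    raise ValueError("invalid gs2-cbind-flag")


def check_channel_binding(client_first, selected, advertised, cb_types):
    """Return the channel-binding type the server must verify, or None when
    no binding is in use. Raise ValueError when authentication must fail."""
    if selected not in advertised:
        raise ValueError("mechanism was not advertised")
    flag, cb_name, _ = parse_gs2_header(client_first)
    plus_offered = any(m.endswith("-PLUS") for m in advertised)
    plus_selected = selected.endswith("-PLUS")
    if flag == "y":
        # 'y': the client supports binding but believes the server does not.
        # If -PLUS was in fact advertised, the list the client saw was altered.
        if plus_offered:
            raise ValueError("downgrade suspected: 'y' although -PLUS advertised")
        return None
    if flag == "n":
        # 'n': the client does not support binding; invalid with a -PLUS name.
        if plus_selected:
            raise ValueError("-PLUS mechanism selected without channel binding")
        return None
    # flag == 'p': the client names the binding type it used.
    if not plus_selected:
        raise ValueError("'p=' flag requires a -PLUS mechanism")
    if cb_name not in cb_types:
        raise ValueError("unsupported channel-binding type: " + cb_name)
    return cb_name


if __name__ == "__main__":
    advertised = ["SCRAM-SHA-1", "SCRAM-SHA-1-PLUS"]   # constructed sample
    cb_types = {"tls-unique", "tls-server-end-point"}  # constructed sample
    print(check_channel_binding("p=tls-unique,,n=user,r=nonce",
                                "SCRAM-SHA-1-PLUS", advertised, cb_types))
```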