From: Arne S. <ar...@rf...> - 2017-05-23 21:52:47
On 25.02.17 at 14:10, David Sommerseth wrote:
> On 25/02/17 10:19, Gert Doering wrote:
>> Hi,
>>
>> On Sat, Feb 25, 2017 at 08:40:14AM +0800, Antonio Quartulli wrote:
>>> When the auth-token option is pushed from the server to the client,
>>> the latter has to ignore the auth-nocache directive (if specified).
>>>
>>> The password will now be substituted by the unique token, therefore
>>> it can't be wiped out, otherwise the next renegotiation will fail.
>>
>> Without looking at the patch itself - is this suitable material for
>> inclusion in 2.3? We do have quite a few "slow adopters" - and this
>> is a very useful feature to mitigate SWEET32 in 2FA environments...
>
> The code paths involved shouldn't differ too much between v2.3
> and v2.4. So I would say this should go into v2.3 as well.
>
> Attached is a very preliminary (and only compile and 'make check'
> tested) patch of a backport to v2.3. This needs to get a thorough test
> as well before we'll send an official patch to this ML.
>
> Btw. since I have worked closely with Antonio on this patch, testing
> and debugging and discussing it for some time, I think it would be good
> if someone other than me does the final code review and ACK/NAK it. I'm
> not able to be objective on this patch.

Code looks good. So ACK.

We probably need another revision on this auth-token client support (for reconnects), but this is going in the right direction.

Arne