help-gsasl

Re: Using gsasl_encode/decode()


From: Simon Josefsson
Subject: Re: Using gsasl_encode/decode()
Date: Tue, 21 Dec 2021 11:21:17 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

"Kevin J. McCarthy" <kevin@8t8.us> writes:

> On Mon, Dec 13, 2021 at 04:12:34PM -0500, Phil Pennock wrote:
>> As long as you repeat the handshake steps as often as needed to
>> complete all the steps, you should be fine?  GSASL_QOP defaults to 
>> `qop-auth`, so if you're not changing that then the client side
>> should only be asking for authentication (not INTegrity or
>> CONFidentiality).
>
> Thank you Phil.  Your explanation helped a great deal.

+1 on everything Phil said.

The entire SASL session layer framework, and our APIs
gsasl_encode/gsasl_decode, was an attempted solution for the pre-TLS
world.  There may be some people that still need it, and maybe even some
that insist it is useful, but for any reasonable new modern application
just use TLS with PLAIN, CRAM-MD5 or (preferably) SCRAM-SHA1 and you
will be better off.

Probably the manual should say something about this...

/Simon
