Dennis Davis wrote:
> Use auth_advertise_hosts. From the spec:
>
> If you want to advertise the availability of AUTH only when the
> connection is encrypted using TLS, you can make use of the fact that
> the value of this option is expanded, with a setting like this:
>
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>
> If $tls_cipher is empty, the session is not encrypted, and the
> result of the expansion is empty, thus matching no hosts. Otherwise,
> the result of the expansion is *, which matches all hosts.

Stephen Gran wrote:
>
> It sounds like you want
>
> server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
>
> on your authenticators.

I use

server_advertise_condition = ${if def:tls_cipher}

on my plain text authenticators. If you use e.g. CRAM-MD5 as well, you
might not want to require TLS for that.

--
Magnus Holmgren
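
Added example, not part of the original messages or of Exim itself: a small check that confirms the settings discussed above behave as intended, by comparing the raw EHLO reply seen before STARTTLS with the one seen after it. The host name and both transcripts are constructed sample data, and the check assumes the server is meant to offer PLAIN or LOGIN once TLS is active.

```python
import re

# Mechanisms that send the password in recoverable form and so need TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample replies (mail.example.test is a placeholder host).
GOOD_PRE = ("250-mail.example.test Hello client\r\n250-SIZE 52428800\r\n"
            "250-AUTH CRAM-MD5\r\n250-STARTTLS\r\n250 HELP")
GOOD_POST = ("250-mail.example.test Hello client\r\n250-SIZE 52428800\r\n"
             "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 HELP")
BAD_PRE = ("250-mail.example.test Hello client\r\n"
           "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250-STARTTLS\r\n250 HELP")

def advertised_auth(ehlo_reply):
    """Return the set of SASL mechanisms in a raw multi-line EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # "250-AUTH PLAIN LOGIN" or the legacy "250-AUTH=PLAIN LOGIN" form
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(pre_tls_reply, post_tls_reply):
    """List policy problems given EHLO replies before and after STARTTLS."""
    findings = []
    pre = advertised_auth(pre_tls_reply)
    post = advertised_auth(post_tls_reply)
    exposed = sorted(pre & PLAINTEXT_MECHS)
    if exposed:
        findings.append("cleartext AUTH advertised without TLS: "
                        + ", ".join(exposed))
    if not re.search(r"^250[- ]STARTTLS\s*$", pre_tls_reply, re.I | re.M):
        findings.append("STARTTLS not offered before TLS")
    if not post & PLAINTEXT_MECHS:  # assumption: PLAIN/LOGIN wanted over TLS
        findings.append("PLAIN/LOGIN missing after TLS")
    return findings

if __name__ == "__main__":
    print(audit(GOOD_PRE, GOOD_POST))
    print(audit(BAD_PRE, GOOD_POST))
```

The input strings are the server's reply lines exactly as they appear in a telnet-style session transcript. CRAM-MD5 appearing before TLS is not flagged, matching the per-authenticator approach in the last message.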