crotwell
commented
1 year ago Currently it says:
“ERROR UNEXPECTED” if AUTH is supported, but connection is unencrypted.
The rest of the line is a description, so actual response might look like:
ERROR UNEXPECTED AUTH is not allowed over insecure connections.Perhaps adding this as an example error would be helpful?
Unfortunately, I think this is an area that may be out of the specifications control. It is good to encourage implementations to do the right thing, but I suspect there will be cases where the seedlink server relies on an external proxy to manage socket level security and so will not actually be aware if the external connection is secure. For example when operating over a web socket, it may be much easier and efficient to allow the web server to manage the certificate and https/wss level details, and then use a local socket to proxy the seedlink commands to a "dumb" implementation. AUTH should be allowed in that case even though the final piece of the socket is technically unsecured.
andres-h
As part of https://seedlink.readthedocs.io/en/latest/protocol.html
"Authentication over unencrypted connection MUST NOT be allowed."
That is great. Is it enforced? Meaning SeedLink rejects the AUTH command with the "ERROR UNSUPPORTED" it is over unencrypted connection?