Sunil Shetye <shetye(_at_)bombay(_dot_)retortsoft(_dot_)com>:
> Attached is a patch which changes the auth method to password if STLS
> fails.
Good implementation, bad strategy. If the user requested end-to-end
security, the correct behavior is *not* to fall back to sending a
password in clear; this might leak privileged information.
The correct behavior in this case is to fail noisily. I'll take a patch
to do that.
--
<a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>
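
The fail-noisily behaviour requested in the reply above, as an added example (not fetchmail's code and not part of the original message). The policy names, function names and the sample CAPA text are hypothetical and constructed for illustration.

```c
/* Added example: fail-closed STLS handling for a POP3 client.
 * All identifiers are hypothetical; this is not fetchmail's API. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum tls_policy { TLS_NEVER, TLS_IF_AVAILABLE, TLS_REQUIRED };
enum next_step  { SEND_PASSWORD_CLEAR, START_TLS_HANDSHAKE, ABORT_SESSION };

/* Return 1 if a CAPA response (CRLF-separated lines) has a line "STLS". */
static int capa_offers_stls(const char *capa)
{
    const char *p = capa;
    while (*p) {
        size_t len = strcspn(p, "\r\n");
        if (len == 4 && strncasecmp(p, "STLS", 4) == 0)
            return 1;
        p += len;
        p += strspn(p, "\r\n");
    }
    return 0;
}

/* Decide the next step after CAPA and the server's reply to STLS.
 * stls_reply is NULL when STLS was never sent. On ABORT_SESSION, err
 * holds the message to report; the password is not sent. A failed TLS
 * handshake after START_TLS_HANDSHAKE must be treated the same way. */
enum next_step after_stls(enum tls_policy policy, const char *capa,
                          const char *stls_reply, char *err, size_t errlen)
{
    int offered  = capa_offers_stls(capa);
    int accepted = offered && stls_reply && strncmp(stls_reply, "+OK", 3) == 0;

    if (errlen) err[0] = '\0';
    if (policy == TLS_NEVER) return SEND_PASSWORD_CLEAR;
    if (accepted)            return START_TLS_HANDSHAKE;
    if (policy == TLS_REQUIRED) {
        snprintf(err, errlen, "TLS required but %s; not sending password",
                 offered ? "server refused STLS" : "server did not offer STLS");
        return ABORT_SESSION;          /* fail noisily, never downgrade */
    }
    return SEND_PASSWORD_CLEAR;        /* opportunistic mode only */
}

int main(void)
{
    char err[128];
    const char *capa = "+OK\r\nUSER\r\nSTLS\r\n.\r\n";  /* constructed sample */
    if (after_stls(TLS_REQUIRED, capa, "-ERR TLS unavailable", err, sizeof err) == ABORT_SESSION)
        fprintf(stderr, "%s\n", err);
    return 0;
}
```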