CAS protocol violation

Marvin Addison marvin.addison at
Tue Mar 13 10:06:03 EDT 2018

On Mon, Mar 12, 2018 at 5:55 PM Andrew Morgan <morgan at> wrote:

> At first, I thought this was a new restriction in v3 of the protocol too.
> However, take a look at section 3.7 of the v2 spec...  Same character
> class restriction.

Wow. I was so sure that the character set was an editorialization on top of
the original document [1], but I'm just wrong. That raises the priority in
my view to "something we probably should fix." Thinking on it more, it's
probably not too much work to simply use base 32 encoding and swap out the
"=" padding character with "-" in a post-encoding/pre-decoding step. I've
filed an issue to track it:

Given the character class restriction, I wonder if the patch will ever be
> accepted into mod_auth_cas.  :/

While your observation about character set requirements in the protocol
makes it less palatable perhaps, one could argue it's a reasonable
improvement nonetheless. In any case I'm fairly certain dhawes would
consider positive feedback on the patch as a sign that it should be

M <users-unsubscribe at>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list