[ http://issues.apache.org/jira/browse/DERBY-962?page=all ]
Sunitha Kambhampati updated DERBY-962:
--------------------------------------
Attachment: Derby962.diff.txt
Derby962.stat.txt
This issue was blocked by derby-1080. Now that 1080 is committed, I have
regenerated the patch for 962 and am attaching Derby962.diff.txt and
Derby962.stat.txt.
The changes in this patch are the same as compared to the changes in
Derby962_forreview.txt that were specific to derby 962, except for the
following:
-- I have added the table that was in 962_table.txt into the test code per
Kathey's comments and also added some comments from the jira to the test code.
I ran derbynetclientmats and derbynetmats ok on linux/ibm142 with the known
failures in Surtest. I ran testSecMec on windows with JCC2.4, JCC2.6 and
derbyclient on ibm and sun jvms , versions 131,141,142,15 ok.
derbyall is still running. I will post results here as they finish.
Can someone please review this change. Thanks.
> Upgrade default security mechanism in client to use encrypted userid password
> if client can support it.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-962
> URL: http://issues.apache.org/jira/browse/DERBY-962
> Project: Derby
> Type: Improvement
> Components: Network Client
> Reporter: Sunitha Kambhampati
> Assignee: Sunitha Kambhampati
> Fix For: 10.2.0.0
> Attachments: 962_table.txt, Derby962.diff.txt, Derby962.stat.txt,
> Derby962_forreview.diff.txt, Derby962_forreview.stat.txt
>
> Currently in the client, if userid and password are set in the connection
> url, the default security mechanism is upgraded to USRIDPWD (which is clear
> text userid and password). This seems to be a security hole here.
> Current client driver supports encrypted userid/password (EUSRIDPWD) via the
> use of DH key-agreement protocol - however current Open Group DRDA
> specifications imposes small prime and base generator values (256 bits) that
> prevents other JCE's (apt from ibm jce) to be used as java cryptography
> providers.
> Some thoughts:
> -- client can make a check to see if it the jvm it is running in supports the
> encryption necessary for EUSRIDPWD. If it supports, then the client can
> upgrade to EUSRIDPWD.
> -- if the jvm the client is running is , doesnt support encryption
> requirements for EUSRIDPWD, then the security mechanism will be set to
> USRIDPWD.
> -- DERBY-528 will add support for strong userid and password which is another
> option to send encrypted passwords across the wire. When this gets added,
> maybe this can be considered as one of the upgrade options after EUSRIDPWD.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
