[ https://issues.apache.org/jira/browse/QPID-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7282:
-----------------------------
    Description: 
On Scram Sha SASL negotiation the Broker does not send the server-final challenge 
(ServerSignature) with the following authentication providers:
* Simple (SimpleAuthenticationManager)
* PlainPasswordFile (PlainPasswordDatabaseAuthenticationManager)

The SASL negotiation for Scram Sha SASL mechanisms should always include 
sending of the server-final message in order to give the client a chance to 
verify the server signature, as per [RFC 5802|https://tools.ietf.org/html/rfc5802#page-7]
{quote}
  The client then authenticates the server by computing the
   ServerSignature and comparing it to the value sent by the server.  If
   the two are different, the client MUST consider the authentication
   exchange to be unsuccessful, and it might have to drop the
   connection.
{quote}

We need to change all existing Authentication Providers to support sending of 
the final message.

  was:
On Scram Sha SASL negotiation the Broker does not send the server-final challenge 
(ServerSignature) with the following authentication providers:
* Simple (SimpleAuthenticationManager)
* Base64MD5PasswordFile (Base64MD5PasswordDatabaseAuthenticationManager)
* PlainPasswordFile (PlainPasswordDatabaseAuthenticationManager)

The SASL negotiation for Scram Sha SASL mechanisms should always include 
sending of the server-final message in order to give the client a chance to 
verify the server signature, as per [RFC 5802|https://tools.ietf.org/html/rfc5802#page-7]
{quote}
  The client then authenticates the server by computing the
   ServerSignature and comparing it to the value sent by the server.  If
   the two are different, the client MUST consider the authentication
   exchange to be unsuccessful, and it might have to drop the
   connection.
{quote}

We need to change all existing Authentication Providers to support sending of 
the final message.


> Java Broker should always send server-final message (if required) to the 
> client on successful SASL negotiation
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7282
>                 URL: https://issues.apache.org/jira/browse/QPID-7282
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: 0.30, 0.32, qpid-java-6.0, qpid-java-6.0.1, 
> qpid-java-6.0.2, qpid-java-6.0.3, qpid-java-6.1
>            Reporter: Alex Rudyy
>             Fix For: qpid-java-6.1, qpid-java-6.0.4
>
>
> On Scram Sha SASL negotiation the Broker does not send the server-final challenge 
> (ServerSignature) with the following authentication providers:
> * Simple (SimpleAuthenticationManager)
> * PlainPasswordFile (PlainPasswordDatabaseAuthenticationManager)
> The SASL negotiation for Scram Sha SASL mechanisms should always include 
> sending of the server-final message in order to give the client a chance to 
> verify the server signature, as per [RFC 5802|https://tools.ietf.org/html/rfc5802#page-7]
> {quote}
>   The client then authenticates the server by computing the
>    ServerSignature and comparing it to the value sent by the server.  If
>    the two are different, the client MUST consider the authentication
>    exchange to be unsuccessful, and it might have to drop the
>    connection.
> {quote}
> We need to change all existing Authentication Providers to support sending of 
> the final message.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
