[
https://issues.apache.org/jira/browse/QPIDJMS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16091515#comment-16091515
]
Keith Wall commented on QPIDJMS-294:
------------------------------------
Great. I did test the changes with the Java Broker, all was well.
Separately, I think to include a flag on the Java Broker's change for
QPID-7787 so that the old behaviour can be restored, if need be, and ensure
compatibility with AMQP 1.0 libraries that support {{SCRAM-SHA-SASL}} AND make
the assertion that the server-final is received AND don't know to utilise
{{SaslOutcome#additionalData}}. I suspect that the number of libraries in this
set may be zero :). Unfortunately AMQP 1.0 SASL security layer gives you no
way to know who your peer is (nothing analogous to {{Open#properties}} so peers
in the SASL server role can't adapt automatically, which is a shame.
> The SCRAM-SHA-* SASL mechanisms should verify the server final message if it
> is sent in the additional-data field of sasl-outcome
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: QPIDJMS-294
> URL: https://issues.apache.org/jira/browse/QPIDJMS-294
> Project: Qpid JMS
> Issue Type: Bug
> Affects Versions: 0.23.0
> Reporter: Rob Godfrey
> Fix For: 0.24.0
>
>
> Currently the client will only verify the server final message if it is sent
> as an extra challenge in the sasl exchange.
> The client should also verify if the server final message is sent as
> additional-data on the sasl outcome (which is really the way this should
> always be sent).
> In order to do this PROTON-1486 will need fixing
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
