On 07/12/2013 05:03 PM, Dmitri Pal wrote:
> On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
>> GSSAPI inside of a TLS channel apparently isn't secure unless the
>> channel is secure and verified. The irony being that GSSAPI auth outside
>> of a TLS connection is just fine for postfix.
>
> Is this really the case? I am under the impression that Kerberos is
> secure enough outside of the TLS tunnel and this would be just a
> precaution rather than a security measure.
>
I'll be honest, I doubt I am smart enough / have enough time to figure all this out. However, this is via a user on the Postfix mailing list:

"GSSAPI inside TLS currently does not perform channel binding, and so your session can be hijacked, after the client authenticates with GSSAPI. You can use "fingerprint" security if your server certificate is not signed by a usable CA."

I asked for some more details and got this back: https://tools.ietf.org/html/rfc5056

It sounds to me like this is Postfix-specific. But again I don't know all of the nuances of this, and security on this level can be very nuanced. Now whether this fellow who gave this information to me is the designer of TLS in Postfix or just some other poor schlub like myself I can't say. But it certainly appears like it could be a problem.

-Erinn
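To make the channel-binding point concrete, here is an added simulation that is not part of the original thread, Postfix or FreeIPA. It stands in for the real mechanisms: an HMAC over a shared secret plays the role of the Kerberos service ticket (the attacker cannot forge it), and a random per-session value plays the role of the TLS channel binding data (tls-unique or tls-server-end-point from RFC 5929). The function names, the user name and the secret are constructed for the example. It shows why a relayed GSSAPI token is accepted when nothing ties it to the TLS session it arrives on, and rejected once the client commits to its own channel and the server checks against the channel it actually sees.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the Kerberos service key: only the legitimate
# client and the service know it, so a man-in-the-middle can forward an
# authentication token but never mint one.
SERVICE_KEY = b"constructed-shared-secret-between-client-and-service"


def new_tls_session() -> bytes:
    """Stand-in for a TLS session's channel binding data (e.g. tls-unique).

    Every TLS handshake yields a different value, so the session a victim
    holds with an attacker never shares it with the session the attacker
    holds with the real server.
    """
    return secrets.token_bytes(32)


def make_auth_token(user: str, channel_binding: bytes) -> bytes:
    """Client side: build the authentication token.

    With channel binding the token commits to the channel the client
    believes it is using; with b"" it commits to nothing about the channel,
    which is the situation the thread describes for GSSAPI inside TLS.
    """
    msg = (b"AUTH\x00" + user.encode() + b"\x00"
           + hashlib.sha256(channel_binding).digest())
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).digest()


def server_verify(user: str, token: bytes, channel_binding: bytes) -> bool:
    """Server side: recompute the token over the binding data of the TLS
    session the token actually arrived on, then compare in constant time."""
    expected = make_auth_token(user, channel_binding)
    return hmac.compare_digest(expected, token)


def direct_login(use_channel_binding: bool) -> bool:
    """Honest case: client and server share one TLS session."""
    session = new_tls_session()
    cb = session if use_channel_binding else b""
    token = make_auth_token("alice", cb)
    return server_verify("alice", token, cb)


def relay_attack(use_channel_binding: bool) -> bool:
    """Attacker case: the client's TLS session terminates at the attacker
    (an unverified server certificate makes this possible), who opens a
    separate TLS session to the real server and forwards the token as-is.

    Returns True if the server accepts the forwarded token, i.e. the
    attacker now owns an authenticated session as the victim.
    """
    victim_to_attacker = new_tls_session()
    attacker_to_server = new_tls_session()

    cb_seen_by_client = victim_to_attacker if use_channel_binding else b""
    token = make_auth_token("alice", cb_seen_by_client)

    # The attacker holds no SERVICE_KEY, so it can only replay the token.
    cb_seen_by_server = attacker_to_server if use_channel_binding else b""
    return server_verify("alice", token, cb_seen_by_server)


if __name__ == "__main__":
    print("direct login, no binding :", direct_login(False))
    print("direct login, binding    :", direct_login(True))
    print("relay attack, no binding :", relay_attack(False))
    print("relay attack, binding    :", relay_attack(True))
```

Without binding the forwarded token verifies on the attacker's session exactly as it would have on the victim's, which is the hijack the Postfix poster describes; with binding the server's recomputation uses a different channel value and the comparison fails. In real Kerberos GSSAPI the client puts a hash of the channel bindings into the authenticator checksum (RFC 4121), and the server has to actually supply its own channel bindings for the check to happen, which is the piece the thread says is missing.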
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
