On Fri, 2013-07-12 at 17:46 -0400, Dmitri Pal wrote:
> On 07/12/2013 05:36 PM, Erinn Looney-Triggs wrote:
> > On 07/12/2013 05:03 PM, Dmitri Pal wrote:
> > > On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
> > > > GSSAPI inside of a TLS channel apparently isn't secure unless the
> > > > channel is secure and verified. The irony being that GSSAPI auth outside
> > > > of a TLS connection is just fine for postfix.
> > > Is this really the case? I am under the impression that Kerberos is
> > > secure enough outside of the TLS tunnel and this is would be just a
> > > precaution rather than a security measure.
> > >
> > I'll be honest, I doubt I am smart enough/ have enough time to figure
> > all this out. However, this is via a user on the Postfix mailing list:
> > "GSSAPI inside TLS currently does not perform channel binding, and
> > so your session can be hijacked, after the client authenticates
> > with GSSAPI. You can use "fingerprint" security if your server
> > certificate is not signed by a usable CA."
> > I asked for some more details and got this back:
> > https://tools.ietf.org/html/rfc5056
> > It sounds to me like this is Postfix specific. But again I don't know
> > all of the nuances of this, and security on this level can be very nuanced.
> > Now whether this fellow who gave this information to me is the designer
> > of TLS in Postfix or just some other poor schlub like myself I can't
> > say. But it certainly appears like it could be a problem.
> > -Erinn
> OK, makes sense. Thanks for clarifying.
Just to make it more clear, what is happening here, is that when Postifx
uses GSSAPI within a TLS channel it does not ask for integrity and
confidentiality services from GSSAPI, it uses it exclusively as an
authentication method. This is why, without Channel Bindings
authentication is not cryptographically tied to the outer encryption
layer. So a MITM *could* be operated by establishing 2 valid TLS
channels and simply forwarding communications from one channel to the
It is not that simple if both enpoints use certificates to validate to
each other and full SSL verification is on. But Clients usually do not
have X509 certificates, so there is no mutual authentication at the SSL
level in that case and MITM becomes much easier.
Now the question would be: why postfix doesn't do channel bindings? I
guess it maybe because GSSAPI is behind the SASL layer, but I haven't
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list