On Fri, 28 Jan 2022 16:58:55 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 28 Jan 2022 16:58:55 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Thu, 27 Jan 2022 18:05:25 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Thu, 27 Jan 2022 16:47:52 GMT, Daniel Fuchs wrote:
>> It's `java.net.SocketException: Unexpected end of file from server`. Does
>> not include any CBT words so don't know if it's worth parsing.
>
> Thanks. Then it would be better to catch only `SocketException` here rather
> than
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Wed, 26 Jan 2022 19:00:14 GMT, Weijun Wang wrote:
>> test/jdk/sun/security/krb5/auto/HttpsCB.java line 201:
>>
>>> 199: return reader.readLine().equals(CONTENT);
>>> 200: } catch (Exception e) {
>>> 201: return false;
>>
>> Should we log that we have received
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Wed, 26 Jan 2022 16:25:24 GMT, Daniel Fuchs wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> removed ^M from test
>
> test/jdk/sun/security/krb5/auto/HttpsCB.java line 120:
>
>> 118:
>> 119: boolean
On Wed, 26 Jan 2022 16:27:29 GMT, Daniel Fuchs wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> removed ^M from test
>
> test/jdk/sun/security/krb5/auto/HttpsCB.java line 201:
>
>> 199: return
On Wed, 26 Jan 2022 16:02:09 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Tue, 25 Jan 2022 12:47:26 GMT, Michael McMahon wrote:
>> src/java.base/share/classes/sun/net/www/http/HttpClient.java line 150:
>>
>>> 148: * "domain:a,c.d,*.e.f" (sent to host a, or c.d or to the domain
>>> e.f and any of its subdomains). This is
>>> 149: * a comma separated list
On Tue, 25 Jan 2022 11:34:57 GMT, Michael Osipov wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> final review update (pre CSR)
>
> src/java.base/share/classes/sun/net/www/http/HttpClient.java line 150:
>
>>
On Tue, 25 Jan 2022 10:30:20 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Tue, 25 Jan 2022 10:30:20 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Mon, 24 Jan 2022 22:11:51 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Mon, 24 Jan 2022 15:54:01 GMT, Michael McMahon wrote:
>> src/java.base/share/classes/sun/security/util/TlsChannelBinding.java line
>> 100:
>>
>>> (failed to retrieve contents of file, check the PR for context)
>> I think this method should stay here. Suppose one day the CBT type is
>>
On Mon, 24 Jan 2022 15:23:44 GMT, Weijun Wang wrote:
>> Michael McMahon has updated the pull request with a new target base due to a
>> merge or a rebase. The incremental webrev excludes the unrelated changes
>> brought in by the merge/rebase. The pull request contains eight additional
>>
On Mon, 24 Jan 2022 13:54:12 GMT, Daniel Fuchs wrote:
>> Michael McMahon has updated the pull request with a new target base due to a
>> merge or a rebase. The incremental webrev excludes the unrelated changes
>> brought in by the merge/rebase. The pull request contains eight additional
>>
On Mon, 24 Jan 2022 13:36:47 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 21 Jan 2022 15:40:16 GMT, Daniel Fuchs wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> more tidy-up
>
> src/java.naming/share/classes/com/sun/jndi/ldap/sasl/LdapSasl.java line 144:
>
>> 142:
On Mon, 24 Jan 2022 13:36:47 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 21 Jan 2022 19:48:02 GMT, Weijun Wang wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> added root cause to NamingException
>
> src/java.base/share/classes/java/net/doc-files/net-properties.html line 220:
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Fri, 21 Jan 2022 16:02:29 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 21 Jan 2022 16:02:29 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 21 Jan 2022 16:02:29 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 21 Jan 2022 15:51:10 GMT, Michael McMahon wrote:
>> `NamingException` has `setRootCause()`. Why not use that? I use that one too
>> and full stack is retained.
>
> Yes, I can do that. Though it will cause the existing LDAP channel binding
> test to fail which is checking for an empty
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Fri, 21 Jan 2022 13:39:06 GMT, Michael Osipov wrote:
>> Actually, it turns out I should be throwing `NamingException` here. That is
>> what was being thrown by `TlsChannelBinding.parseType` before and an
>> existing test was expecting that. NamingException only takes a String
>> message.
On Fri, 21 Jan 2022 15:26:33 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 21 Jan 2022 15:26:33 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 21 Jan 2022 15:08:58 GMT, Michael McMahon wrote:
>> It was being handled elsewhere as "never". But, I agree it would be clearer
>> to normalise it to "never" here.
>
> Sorry, I should have checked back to the source rather than the snippet
> quoted. The problem is that the logError
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Fri, 21 Jan 2022 13:38:08 GMT, Michael McMahon wrote:
>> src/java.base/share/classes/sun/net/www/http/HttpClient.java line 189:
>>
>>> 187: } else {
>>> 188: logError("Unexpected value for \"jdk.https.negotiate.cbt\"
>>> system property");
>>> 189: return s;
On Fri, 21 Jan 2022 13:35:53 GMT, Michael McMahon wrote:
>> src/java.naming/share/classes/com/sun/jndi/ldap/sasl/LdapSasl.java line 133:
>>
>>> 131:
>>> (String)env.get(TlsChannelBinding.CHANNEL_BINDING_TYPE));
>>> 132: } catch
On Thu, 20 Jan 2022 11:16:16 GMT, Daniel Fuchs wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> removed sasl module dependency and added SaslException cause
>
>
On Thu, 20 Jan 2022 11:14:40 GMT, Michael Osipov wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> removed sasl module dependency and added SaslException cause
>
>
On Thu, 20 Jan 2022 11:04:18 GMT, Daniel Fuchs wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> removed sasl module dependency and added SaslException cause
>
>
On Thu, 20 Jan 2022 10:58:27 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Thu, 20 Jan 2022 10:58:27 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Wed, 19 Jan 2022 22:25:43 GMT, Weijun Wang wrote:
>> Michael McMahon has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> changes after first review round
>
> src/java.naming/share/classes/com/sun/jndi/ldap/sasl/LdapSasl.java line 133:
>
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Wed, 19 Jan 2022 22:20:47 GMT, Michael McMahon wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a CBT with authentication requests over Kerberos. The
On Fri, 14 Jan 2022 15:06:12 GMT, Daniel Fuchs wrote:
> Have you been able to test this on a specific setup? Would be good to hear
> from @msheppar too.
I have tested it with the server setup by Prajwal. Security SQE are looking
into configuring a server with a similar setup which can be
On Wed, 19 Jan 2022 15:36:16 GMT, Michael McMahon wrote:
>>> It's actually a purely system property rather than a Net property at the
>>> moment (same as the other spnego ones). Maybe, I should convert them all to
>>> net properties, so they can be documented/set in that file?
>>
>> AFAICS
On Sat, 15 Jan 2022 14:02:15 GMT, Michael Osipov wrote:
>> I suggest moving the `TlsChannelBinding` class into
>> `java.base/sun.security.util` since it's not only used by LDAP anymore. It's
>> even not restricted to GSS-API. According to
>> https://www.rfc-editor.org/rfc/rfc5056, "Although
On Mon, 17 Jan 2022 13:44:06 GMT, Daniel Fuchs wrote:
>> Shall we log a message if the value is not one of the 3 forms?
>
> Usually malformed values are just ignored - and the property takes its
> default value. But yes - s.n.w.h.HttpClient has a logger so it wouldn't be
> much effort to log
On Mon, 17 Jan 2022 13:49:35 GMT, Daniel Fuchs wrote:
>> I vote for "jdk.https.tls.cbt"
>
>> It's actually a purely system property rather than a Net property at the
>> moment (same as the other spnego ones). Maybe, I should convert them all to
>> net properties, so they can be documented/set
On Mon, 17 Jan 2022 06:32:13 GMT, Prasadrao Koppula
wrote:
>> This system property should only be used for TLS, and the CBT can be used in
>> both the SPNEGO mechanism and the Kerberos 5 mechanism. Therefore I suggest
>> the name should probably contain "tls" (or maybe "https") and
On Sat, 15 Jan 2022 00:49:05 GMT, Weijun Wang wrote:
>> Argh - you're right I missed the fact that the 3 expressions where included
>> in parenthesis. I read it as
>>
>> ! (s.equals("always")) || ...
>
> Shall we log a message if the value is not one of the 3 forms?
Usually malformed values
On Thu, 13 Jan 2022 12:10:11 GMT, Michael McMahon wrote:
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a
On Sat, 15 Jan 2022 00:44:08 GMT, Weijun Wang wrote:
>> It's actually a purely system property rather than a Net property at the
>> moment (same as the other spnego ones). Maybe, I should convert them all to
>> net properties, so they can be documented/set in that file?
>
> This system
On Sat, 15 Jan 2022 00:44:08 GMT, Weijun Wang wrote:
>> It's actually a purely system property rather than a Net property at the
>> moment (same as the other spnego ones). Maybe, I should convert them all to
>> net properties, so they can be documented/set in that file?
>
> This system
On Sat, 15 Jan 2022 00:23:31 GMT, Weijun Wang wrote:
>> Yes. I would like the security team to validate this.
>
> I suggest moving the `TlsChannelBinding` class into
> `java.base/sun.security.util` since it's not only used by LDAP anymore. It's
> even not restricted to GSS-API. According to
>
On Fri, 14 Jan 2022 10:18:50 GMT, Daniel Fuchs wrote:
>> This is what was intended (equivalent)
>>
>> `if (s ==null || (s!="always" && s!="never" && !s.startsWith("domain")))`
>
> Argh - you're right I missed the fact that the 3 expressions where included
> in parenthesis. I read it as
>
> !
On Fri, 14 Jan 2022 18:40:41 GMT, Michael McMahon wrote:
>> src/java.base/share/classes/sun/net/www/http/HttpClient.java line 152:
>>
>>> 150: * If enabled (for a particular destination) then SPNEGO
>>> authentication requests will include
>>> 151: * a channel binding token for the
On Fri, 14 Jan 2022 18:42:08 GMT, Michael McMahon wrote:
>> src/java.security.jgss/share/classes/module-info.java line 36:
>>
>>> 34: module java.security.jgss {
>>> 35: requires java.naming;
>>> 36: requires java.security.sasl;
>>
>> Someone from security-dev should probably review
On Fri, 14 Jan 2022 14:52:13 GMT, Daniel Fuchs wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Thu, 13 Jan 2022 12:10:11 GMT, Michael McMahon wrote:
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a
On Thu, 13 Jan 2022 18:18:24 GMT, Daniel Fuchs wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS
>> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO,
>> Kerberos) authentication scheme. When enabled, the implementation
>> preemptively
On Fri, 14 Jan 2022 10:03:37 GMT, Michael McMahon wrote:
>> src/java.base/share/classes/sun/net/www/http/HttpClient.java line 180:
>>
>>> 178: static String normalizeCBT(String s) {
>>> 179: if (s == null || ! (s.equals("always") ||
>>> 180: s.equals("never") ||
On Thu, 13 Jan 2022 12:10:11 GMT, Michael McMahon wrote:
> Hi,
>
> This change adds Channel Binding Token (CBT) support to HTTPS
> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
> authentication scheme. When enabled, the implementation preemptively includes
> a
Hi,
This change adds Channel Binding Token (CBT) support to HTTPS
(java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos)
authentication scheme. When enabled, the implementation preemptively includes a
CBT with authentication requests over Kerberos. The feature is enabled
69 matches
Mail list logo
