On 2020-01-22 at 10:14, Weijun Wang wrote:
On Jan 22, 2020, at 4:21 PM, Michael Osipov <1983-01...@gmx.net> wrote:
On 2020-01-22 at 08:40, Weijun Wang wrote:
On Dec 18, 2019, at 9:14 PM, Michael Osipov <1983-01...@gmx.net> wrote:
...
A few issues must be addressed first:
* Java's SASL GSSAPI mech has a bug which will make all default installations
fail.
I reported this years ago and this must be fixed immediately [3].
...
[3] https://bugs.openjdk.java.net/browse/JDK-8160818
My current plan is to update the default value of SERVER_AUTH: "false" if only "auth" is requested, and
"true" if one of "auth-int" or "auth-conf" is requested. I'll see what compatibility impact there
would be for other actions.
Max,
when you are on it, please take recent changes in Cyrus SASL into
account. Compatibility with Cyrus SASL is crucial here.
The discussion in question is:
https://github.com/cyrusimap/cyrus-sasl/issues/419
What is the major point in this thread? In fact, I think the old code in
https://github.com/cyrusimap/cyrus-sasl/commit/e41cfb986c1b1935770de554872247453fdbb079
looks correct. GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG should only be set when
there is a security layer. Is the if check wrong?
While the old code is a verbatim implementation of the RFC by A.
Melnikov, recent changes by Ken Murchison interpret the RFC in the context
of an external SSF. One need only set auth-int if the external layer does
not guarantee auth-int, and so on. See my discussion with Quanah
Gibson-Mount about this.
The fundamental difference is that the Java GSSAPI mech does not take
the external SSF into account and cannot decide whether auth-int or
auth-conf should be applied or not.
Logically, it makes no sense to apply auth-int/-conf if the external
layer (e.g., TLS) already provides this.
Michael
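As an added illustration (not code from the JDK, from Cyrus SASL, or from anyone in this thread), the C model below shows the decision the thread is about: a client derives its gss_init_sec_context() request flags from the QOP it wants and from the SSF an external layer such as TLS already provides, so GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG are only requested together with a GSSAPI security layer, and no layer is requested when the external one already covers the wanted protection. The enum, the SSF-to-QOP mapping and the function names are my own assumptions.

```c
/* Illustrative model of the flag/security-layer decision discussed in the
 * thread. Not the JDK's or Cyrus SASL's code. */
#include <stdio.h>

/* Flag values as specified in RFC 2744; defined locally so this builds
 * without the GSSAPI headers installed. */
#define GSS_C_MUTUAL_FLAG   2
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32

/* Requested SASL QOP, ordered by strength (assumed enum for this example). */
enum qop { QOP_AUTH = 0, QOP_AUTH_INT = 1, QOP_AUTH_CONF = 2 };

/* Map an external SSF to the QOP it already provides, following the usual
 * SASL convention: 0 = none, 1 = integrity only, >1 = encryption strength. */
static enum qop external_qop(unsigned external_ssf) {
    if (external_ssf > 1)  return QOP_AUTH_CONF;
    if (external_ssf == 1) return QOP_AUTH_INT;
    return QOP_AUTH;
}

/* req_flags for gss_init_sec_context(). A GSSAPI security layer, and with it
 * mutual authentication and sequencing, is only requested when the external
 * layer does not already give the wanted protection. */
unsigned req_flags_for(enum qop wanted, unsigned external_ssf) {
    unsigned flags = 0;
    if (external_qop(external_ssf) >= wanted)
        return flags;   /* external layer already covers it: plain "auth" */
    flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
    if (wanted >= QOP_AUTH_INT)  flags |= GSS_C_INTEG_FLAG;
    if (wanted == QOP_AUTH_CONF) flags |= GSS_C_CONF_FLAG;
    return flags;
}

/* The analogue of Java's SERVER_AUTH default in the thread: mutual
 * authentication is required exactly when a security layer is negotiated. */
int needs_mutual_auth(enum qop wanted, unsigned external_ssf) {
    return (req_flags_for(wanted, external_ssf) & GSS_C_MUTUAL_FLAG) != 0;
}

int main(void) {
    printf("auth-conf, no external layer: req_flags=0x%x\n",
           req_flags_for(QOP_AUTH_CONF, 0));
    printf("auth-conf over TLS (ssf 128): req_flags=0x%x\n",
           req_flags_for(QOP_AUTH_CONF, 128));
    return 0;
}
```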