Since we don't know what type of channel binding is used, how do you want to fix that?

Are we finally talking about TLS channel binding? But which: tls-unique or tls-server-end-point?

Can you provide a pcap from that comm as well as debug dump from JSSE and JNDI?

Michael

On 2020-02-18 at 12:43, Bernd Eckenfels wrote:
Hello Michael,

I am not sure why you say so. When the channel binding option is turned on, as 
Microsoft recommends and plans to default to in March, the Java LDAP directory 
implementation will no longer be able to connect when using GSSAPI or 
DIGEST-MD5 over LDAPS.

I think this should be possible. It will most likely require changes in JSSE, 
SASL, JNDI and JNDI-LDAP (both in the implementations and in the public APIs; in 
SASL maybe only properties?). It looks like JGSS might not need a new API.

If there are also SPNEGO/NTLM external SASL mechanisms which are used with 
JNDI, that would be an additional check condition if the new APIs are enough to 
handle that.

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Michael Osipov <1983-01...@gmx.net>
Sent: Sunday, February 16, 2020 11:02:16 AM
To: Weijun Wang <weijun.w...@oracle.com>
Cc: Bernd Eckenfels <e...@zusammenkunft.net>; security-dev@openjdk.java.net 
<security-dev@openjdk.java.net>
Subject: Re: LDAP Channel Binding

On 2020-02-14 at 15:53, Weijun Wang wrote:


On Jan 22, 2020, at 6:31 AM, Michael Osipov <1983-01...@gmx.net> wrote:

On 2020-01-21 at 17:57, Bernd Eckenfels wrote:
Hello,

I have now repeated the tests with LdapEnforceChannelBinding=2 and I
could see the rejection with error code 80090346 for GSSAPI and
DIGEST-MD5 with TLS.

The simple bind with TLS and the GSSAPI or DIGEST-MD5 without TLS but
with auth-int/conf all work with signing and binding required (i.e.
after Microsoft changes the defaults in March).

(Which makes the TLS binding a bit useless, but we should still think
about supporting it.)

JGSS seems to already allow setting it, so only JSSE needs to provide
an API for SASL/JNDI.

How? I am confused! The Kerberos SaslClient does not use/set GSS channel
bindings. I don't see any in com.sun.security.sasl.gsskerb.

Are you suggesting any change here? JGSS has channel binding method but the 
SASL mech has not called it.

None yet, because we do not know what channel binding is actually used.
We assume that MS uses TLS channel binding regardless of the underlying
authentication scheme.

M


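The thread turns on two gaps: nobody has confirmed which TLS binding type the server expects, and the JDK's GSSAPI SaslClient never calls the channel-binding method that JGSS already exposes. The following Java example, added here and not code from the thread or from the JDK, shows what the missing piece would look like for the tls-server-end-point variant: it derives the RFC 5929 binding data from the server certificate taken from a JSSE `SSLSession` and hands it to JGSS through `org.ietf.jgss.ChannelBinding`. The `"tls-server-end-point:"` prefix in the application data and the SHA-256 fallback for signature algorithms that name no hash (such as Ed25519 or RSASSA-PSS, whose hash lives in the parameters) are assumptions made for this illustration, not a statement of what Active Directory requires.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.SSLSession;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

/**
 * Illustrative helper (not part of the JDK): computes the RFC 5929
 * tls-server-end-point channel binding for a TLS session and applies it
 * to a JGSS context before the Kerberos handshake is driven.
 */
public final class TlsServerEndPointBinding {

    private TlsServerEndPointBinding() {}

    /**
     * RFC 5929 section 4.1: hash the DER certificate with the hash of its
     * signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256.
     * Java names look like "SHA256withRSA" or "SHA384withECDSA".
     */
    static String digestAlgorithmFor(X509Certificate cert) {
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        int with = sigAlg.indexOf("WITH");
        if (with <= 0) {
            // No embedded hash name (e.g. "ED25519", "RSASSA-PSS"): RFC 5929 leaves
            // this undefined; SHA-256 is an assumption made for this example.
            return "SHA-256";
        }
        String hash = sigAlg.substring(0, with).replace("-", "");
        if (hash.equals("MD5") || hash.equals("SHA1") || hash.equals("SHA")) {
            return "SHA-256";
        }
        if (hash.startsWith("SHA")) {
            return "SHA-" + hash.substring(3);   // "SHA384" -> "SHA-384"
        }
        return hash;                             // any other JCA digest name as-is
    }

    /** The raw binding value: digest over the DER-encoded server certificate. */
    static byte[] bindingHash(X509Certificate cert) throws Exception {
        MessageDigest md = MessageDigest.getInstance(digestAlgorithmFor(cert));
        return md.digest(cert.getEncoded());
    }

    /**
     * Application data in the "<type>:<value>" form used by GSS-API callers.
     * The prefix layout is an assumption for this illustration.
     */
    static byte[] applicationData(X509Certificate cert) throws Exception {
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] hash = bindingHash(cert);
        byte[] out = new byte[prefix.length + hash.length];
        System.arraycopy(prefix, 0, out, 0, prefix.length);
        System.arraycopy(hash, 0, out, prefix.length, hash.length);
        return out;
    }

    /** Leaf certificate of the peer from an established JSSE session. */
    static X509Certificate serverCertificate(SSLSession session) throws Exception {
        Certificate[] chain = session.getPeerCertificates();   // throws if unauthenticated
        if (!(chain[0] instanceof X509Certificate)) {
            throw new IllegalStateException("peer certificate is not X.509");
        }
        return (X509Certificate) chain[0];
    }

    /**
     * Must be called before the first initSecContext() round; JGSS rejects
     * a binding set after context establishment has started.
     */
    public static void apply(GSSContext ctx, SSLSession tlsSession)
            throws GSSException, Exception {
        byte[] appData = applicationData(serverCertificate(tlsSession));
        ctx.setChannelBinding(new ChannelBinding(appData));
    }
}
```

The point this makes about the thread is where the difficulty actually sits: the computation itself is a few lines once the caller holds the `SSLSession`, but inside JNDI the LDAPS socket and the GSSAPI `SaslClient` are separate components with no public path for the certificate to travel between them, which is the JSSE/SASL/JNDI API gap Bernd lists. Whether the binding the server checks is tls-server-end-point or tls-unique (which would need the TLS Finished message instead of the certificate) can only be settled from a capture and the JSSE/JNDI debug output, as Michael asks.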