LDAP Channel Binding

Bernd Eckenfels ecki at zusammenkunft.net
Wed Feb 19 23:09:38 UTC 2020


Just a small addition, cause I found some more details (but still not enough).

there seems to be some precedence for tls-server-endpoint instead, which would be I guess a bit easier to produce:

https://blogs.msdn.microsoft.com/openspecification/2013/03/26/ntlm-and-channel-binding-hash-aka-extended-protection-for-authentication/

https://docs.microsoft.com/en-us/windows/win32/secauthn/acceptsecuritycontext--kerberos

The mentione QueryContextAttributes can provide both, endpoint or uniqueness attributes (but in some places like the HttpRequest I read that it only accepts endpoint type)

It was also mentioned that the SPN is used in addition for binding, however I think this is already sent with GSSAPI and seems not to help (even when that would be fine in addition to proper cert checks)

Somehow this thing seems like not have any additional protection property and is largely underdocumented.

Gruss
Bernd
--
http://bernd.eckenfels.net
________________________________
Von: security-dev <security-dev-bounces at openjdk.java.net> im Auftrag von Michael Osipov <1983-01-06 at gmx.net>
Gesendet: Wednesday, February 19, 2020 10:54:49 PM
Cc: security-dev at openjdk.java.net <security-dev at openjdk.java.net>
Betreff: Re: LDAP Channel Binding

After another research reading RFC 5929 as well as PostgreSQL support of
CB with SASL SCRAM authentication mech, I believe we first need
JDK-6491070 solved for tls-unique. That byte array has to be passed to
org.ietf.jgss.ChannelBinding(byte[]). Addresses are not necessary
because the outer context (TLS) has that data already.

If so, the SASL layer needs to be changed to be aware of outside TLS
context is present.


Am 2020-02-18 um 15:18 schrieb Weijun Wang:
> While JGSS has channel binding, the SASL/GSSAPI mech has not called it. I can add a SASL property which takes a byte[] value so when it's not null the implementation can set a ChannelBinding object using it as appData (with no addresses).

This doesn't make any sense because the client does not have access to
the SSLContext on the connection. LdapCtx needs to pass that data to
SaslClient. We'd need a property to enable/disable channel binding.

> But who will be setting the property? Whoever calls the SASL methods will need to provide the appData. Is it the TLS channel binding defined in RFC 5929? Then the TLS layer needs to provide a method to get the bytes.

Correct.

> I've also read about the SASL/GS2 mech (RFC 5801) which claims to support channel binding. Do you know if Microsoft ever support it?

No, GS2 family, where auth-int and auth-conf have been dropped is *not*
supported by AD.
I believe that MS has simply modified SASL GS1 to support CB, to what
extend that is unclear, e.g., gs2-cb-flag.

Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20200219/2bfedf51/attachment.htm>


More information about the security-dev mailing list