Microsoft LDAP Channel Binding

Michael Osipov 1983-01-06 at gmx.net
Wed Jan 22 09:45:18 UTC 2020


On 2020-01-22 at 10:14, Weijun Wang wrote:
>
>
>> On Jan 22, 2020, at 4:21 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>
>> On 2020-01-22 at 08:40, Weijun Wang wrote:
>>>
>>>
>>>> On Dec 18, 2019, at 9:14 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>>>
>>>> ...
>>>
>>>> A few issues must be addressed first:
>>>> * Java's SASL GSSAPI mech has a bug which will make all default installations fail.
>>>>    I have reported this years ago and this must be immediately fixed [3].
>>>>
>>> ...
>>>> [3] https://bugs.openjdk.java.net/browse/JDK-8160818
>>>
>>> My current plan is to update the default value of SERVER_AUTH: "false" if only "auth" is requested, and "true" if one of "auth-int" or "auth-conf" is requested. I'll see what compatibility impact there would be for other actions.
>>
>> Max,
>>
>> when you are on it, please take recent changes in Cyrus SASL into
>> account. Compatibility with Cyrus SASL is crucial here.
>>
>> The discussion in question is:
>> https://github.com/cyrusimap/cyrus-sasl/issues/419
>
> What is the major point in this thread? In fact, I think the old code in https://github.com/cyrusimap/cyrus-sasl/commit/e41cfb986c1b1935770de554872247453fdbb079 looks correct. GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG should only be set when there is a security layer. Is the if check wrong?

While the old code is a verbatim implementation of the RFC by A.
Melnikov, recent changes by Ken Murchison interpret the RFC in the context
of an external SSF. One need only set auth-int if the external layer does
not guarantee auth-int, and so on. See my discussion with Quanah
Gibson-Mount about this.

The fundamental difference is that the Java GSSAPI mech does not take
the external SSF into account and cannot decide whether auth-int or
auth-conf should be applied or not.

Logically, it makes no sense to apply auth-int/-conf if the external
layer (e.g., TLS) already provides this.

Michael
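The following is an added example and is not code from the JDK, from Cyrus SASL or from the message above. It models the decision Michael describes: given the client's QOP preference list (spelled as Java's javax.security.sasl.qop property spells it), the strength an external layer such as TLS already provides, and the caller's min/max SSF bounds, decide which QOP the SASL mechanism itself still has to provide and which GSS_C_* flags that implies. The SSF arithmetic (subtracting the external SSF from both bounds) mirrors the min/max/external SSF properties SASL libraries expose; the numeric values auth-int = 1 and auth-conf = 56, the default max_ssf of 256, and the mutual_without_layer switch that exposes both readings of when MUTUAL/SEQUENCE are requested are assumptions for illustration.

```python
"""Model of the SASL QOP / external-SSF decision (added example; assumptions
are marked inline, this is not JDK or Cyrus SASL code)."""

# QOP names as Java's javax.security.sasl.qop property spells them, mapped
# to the security strength factor each represents (assumed values).
QOP_SSF = {"auth": 0, "auth-int": 1, "auth-conf": 56}


def choose_qop(requested: str, external_ssf: int,
               min_ssf: int = 0, max_ssf: int = 256) -> str:
    """Return the first QOP in the preference list whose strength the SASL
    mechanism itself still has to (and is allowed to) provide.

    requested    -- preference list in Java syntax, e.g. "auth-conf,auth-int,auth"
    external_ssf -- strength already supplied by an outer layer (TLS); 0 if none
    min_ssf      -- smallest total strength the caller accepts
    max_ssf      -- largest total strength the caller allows (256 assumed default)
    """
    # Whatever the outer layer already gives is subtracted from both bounds,
    # so a strong TLS session leaves nothing for the SASL layer to add.
    need = max(min_ssf - external_ssf, 0)
    allowed = max(max_ssf - external_ssf, 0)
    for qop in (q.strip() for q in requested.split(",")):
        if qop not in QOP_SSF:
            raise ValueError(f"unknown QOP {qop!r}")
        if need <= QOP_SSF[qop] <= allowed:
            return qop
    raise ValueError(
        f"no QOP in {requested!r} fits: need SSF >= {need} and <= {allowed}")


def gss_request_flags(qop: str, mutual_without_layer: bool = False) -> frozenset:
    """GSS_C_* request flags implied by the chosen QOP.

    INTEG/CONF follow directly from the QOP. Whether MUTUAL and SEQUENCE are
    requested when no security layer is negotiated is exactly the point the
    thread argues about; the parameter exposes both readings.
    """
    flags = set()
    if qop in ("auth-int", "auth-conf"):
        flags.add("GSS_C_INTEG_FLAG")
    if qop == "auth-conf":
        flags.add("GSS_C_CONF_FLAG")
    if flags or mutual_without_layer:
        flags |= {"GSS_C_MUTUAL_FLAG", "GSS_C_SEQUENCE_FLAG"}
    return frozenset(flags)


def plan(requested: str, external_ssf: int, **bounds):
    """Convenience wrapper: (chosen QOP, GSS request flags)."""
    qop = choose_qop(requested, external_ssf, **bounds)
    return qop, gss_request_flags(qop)


if __name__ == "__main__":
    prefs = "auth-conf,auth-int,auth"
    # Plain LDAP (no external layer): the mechanism must wrap the traffic itself.
    print(plan(prefs, external_ssf=0))
    # LDAPS with a strong cipher (constructed SSF 256): nothing is left for
    # SASL to add, so only "auth" fits and no security layer is negotiated.
    print(plan(prefs, external_ssf=256))
```

Run as is to see the two cases side by side: without TLS the first preference, auth-conf, wins and INTEG/CONF/MUTUAL/SEQUENCE are requested; over TLS the same preference list collapses to plain "auth", which is the case a mechanism that ignores the external SSF cannot reach. Lowering max_ssf to what the outer layer provides is the way an administrator expresses "TLS already covers this" in the model.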


More information about the security-dev mailing list