<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div style="font-family: Verdana;font-size: 12.0px;">
<div>
<div>This is very important information and will affect a LOT of people.<br/>
My entire authorization code uses Active Directory all the way.</div>

<div>As far as I understand [1] and [2] you must either use TLS or SASL bind with GSSAPI mechanism.<br/>
The SASL GSSAPI mech RFC 4752 strictly requires auth-int or auth-conf as QOP, why Microsoft allows auth only is weird.</div>

<div>A few issues must be addressed first:<br/>
* Java's SASL GSSAPI mech has a bug which will make all default installations fail.<br/>
  I have reported this years ago and this must be immediately fixed [3].<br/>
* Microsoft Active Directory violates the RFC when GSSAPI mech is performed via TLS.<br/>
  It requires QOP to be auth only. See [4] and my launchpad comment [5].</div>

<div>> $ ldapsearch -H ldaps://ad001.siemens.net -d 1<br/>
> ldap_url_parse_ext(ldaps://ad001.siemens.net)<br/>
> ldap_create<br/>
> ldap_url_parse_ext(ldaps://ad001.siemens.net:636/??base)<br/>
> ...<br/>
> attempting to connect:<br/>
> connect success<br/>
> TLS trace: SSL_connect:before SSL initialization<br/>
> TLS trace: SSL_connect:SSLv3/TLS write client hello<br/>
> TLS trace: SSL_connect:SSLv3/TLS write client hello<br/>
> TLS trace: SSL_connect:SSLv3/TLS read server hello<br/>
> TLS certificate verification: depth: 1, err: 20, subject: /DC=net/DC=siemens/DC=ad001/CN=Siemens Issuing CA Class OneAD 01, issuer: /CN=Siemens OneAD Root CA<br/>
> TLS certificate verification: Error, unable to get local issuer certificate<br/>
> TLS trace: SSL_connect:SSLv3/TLS read server certificate<br/>
> TLS trace: SSL_connect:SSLv3/TLS read server key exchange<br/>
> TLS trace: SSL_connect:SSLv3/TLS read server certificate request<br/>
> TLS trace: SSL_connect:SSLv3/TLS read server done<br/>
> TLS trace: SSL_connect:SSLv3/TLS write client certificate<br/>
> TLS trace: SSL_connect:SSLv3/TLS write client key exchange<br/>
> TLS trace: SSL_connect:SSLv3/TLS write change cipher spec<br/>
> TLS trace: SSL_connect:SSLv3/TLS write finished<br/>
> TLS trace: SSL_connect:SSLv3/TLS write finished<br/>
> TLS trace: SSL_connect:SSLv3/TLS read change cipher spec<br/>
> TLS trace: SSL_connect:SSLv3/TLS read finished<br/>
> ldap_open_defconn: successful<br/>
> ldap_send_server_request<br/>
> ...<br/>
> SASL username: osipovmi@AD001.SIEMENS.NET<br/>
> SASL SSF: 256<br/>
> ldap_pvt_sasl_generic_install<br/>
> SASL data security layer installed.<br/>
> ldap_msgfree<br/>
> # extended LDIF<br/>
> #<br/>
> # LDAPv3<br/>
> # base <> (default) with scope subtree<br/>
> # filter: (objectclass=*)<br/>
> # requesting: ALL<br/>
> #<br/>
><br/>
> ...<br/>
> ber_get_next<br/>
> sb_sasl_generic_pkt_length: received illegal packet length of 813957120 bytes<br/>
> sb_sasl_cyrus_decode: failed to decode packet: generic failure<br/>
> sb_sasl_generic_read: failed to decode packet<br/>
> ldap_msgfree<br/>
><br/>
> # numResponses: 0<br/>
> ldap_err2string<br/>
> ldap_result: Can't contact LDAP server (-1)<br/>
> ldap_free_request (origid 5, msgid 5)<br/>
> ldap_free_connection 1 1<br/>
> TLS trace: SSL3 alert write:warning:close notify<br/>
> ldap_free_connection: actually freed</div>

<div>It seems like Cyrus SASL code has been broken recently to support this, now it violates this RFC. [6]</div>

<div>[1] <a href="https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows" target="_blank">https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows</a><br/>
[2] <a href="https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008" target="_blank">https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008</a><br/>
[3] <a href="https://bugs.openjdk.java.net/browse/JDK-8160818" target="_blank">https://bugs.openjdk.java.net/browse/JDK-8160818</a><br/>
[4] <a href="https://msdn.microsoft.com/en-us/library/cc223500.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/cc223500.aspx</a><br/>
[5] <a href="https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819" target="_blank">https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819</a><br/>
[6] <a href="https://github.com/cyrusimap/cyrus-sasl/issues/419#issuecomment-566981689" target="_blank">https://github.com/cyrusimap/cyrus-sasl/issues/419#issuecomment-566981689</a></div>
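<div>Added example (not code from this thread, from OpenJDK, or from Microsoft): a JNDI client showing the two configurations that follow from the constraints above. On a plain LDAP connection the GSSAPI bind must negotiate a SASL security layer (auth-conf or auth-int), which is what the signing requirement in [1] and [2] is about. Over LDAPS, Active Directory expects QOP auth only ([4], [5]); requesting a SASL layer on top of TLS is the situation in the ldapsearch trace above, where an SSF 256 layer is installed and the next packet fails to decode. The host name dc.example.invalid and the JAAS entry name "ad-client" are placeholders; the example assumes a JAAS configuration with Krb5LoginModule under that name, a valid Kerberos credential, and a JDK whose SASL GSSAPI mech does not have the bug in [3].</div>

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.login.LoginContext;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;

public class AdGssapiBind {

    // Placeholder domain controller; replace with the real DC name (it must
    // match the Kerberos SPN ldap/<host> that the client will request).
    static final String LDAP_URL  = "ldap://dc.example.invalid:389";
    static final String LDAPS_URL = "ldaps://dc.example.invalid:636";

    /** Environment for a GSSAPI bind on a plain TCP connection.
     *  The SASL security layer protects the session, so QOP must be
     *  auth-conf (encryption) or auth-int (signing); plain "auth" would be
     *  rejected once LDAP signing is enforced on the server. */
    static Hashtable<String, String> plainGssapiEnv() {
        Hashtable<String, String> env = baseEnv(LDAP_URL);
        env.put(Sasl.QOP, "auth-conf,auth-int");   // javax.security.sasl.qop, preference order
        env.put(Sasl.STRENGTH, "high");            // javax.security.sasl.strength
        return env;
    }

    /** Environment for a GSSAPI bind over LDAPS.
     *  TLS already protects the session and AD accepts only QOP auth here;
     *  asking for auth-int/auth-conf stacks a SASL layer on TLS, which is the
     *  failure mode shown in the trace above. The issuing CA of the DC
     *  certificate must be in the JVM trust store or the handshake fails. */
    static Hashtable<String, String> ldapsGssapiEnv() {
        Hashtable<String, String> env = baseEnv(LDAPS_URL);
        env.put(Sasl.QOP, "auth");
        return env;
    }

    /** Settings common to both variants. Mutual authentication is requested
     *  so the client also verifies the DC's Kerberos identity. */
    private static Hashtable<String, String> baseEnv(String url) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put(Sasl.SERVER_AUTH, "true");         // javax.security.sasl.server.authentication
        return env;
    }

    /** Obtain Kerberos credentials via JAAS and perform the bind as that Subject.
     *  "ad-client" is a placeholder JAAS entry name (Krb5LoginModule assumed). */
    static DirContext bind(Hashtable<String, String> env) throws Exception {
        LoginContext lc = new LoginContext("ad-client");
        lc.login();
        return Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
    }

    public static void main(String[] args) throws Exception {
        boolean overTls = args.length > 0 && "tls".equals(args[0]);
        DirContext ctx = bind(overTls ? ldapsGssapiEnv() : plainGssapiEnv());
        try {
            // A rootDSE read is enough to prove the bind and the negotiated layer work.
            System.out.println(ctx.getAttributes("", new String[] {"supportedSASLMechanisms"}));
        } finally {
            ctx.close();
        }
    }
}
```

<div>Run with no argument for the plain connection with a SASL layer, or with the argument tls for the LDAPS variant. The Sasl.* constants are the javax.security.sasl property names that the JNDI LDAP provider passes to the SASL client; putting the QOP choice next to the URL makes the two-way rule visible in one place, which is the check to apply when a client that worked against an unhardened DC starts failing after the setting described in [1] is turned on.</div>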

<div> 
<div style="margin: 10.0px 5.0px 5.0px 10.0px;padding: 10.0px 0 10.0px 10.0px;border-left: 2.0px solid rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Wednesday, 18 December 2019 at 04:29<br/>
<b>From:</b> "Bernd Eckenfels" <ecki@zusammenkunft.net><br/>
<b>To:</b> "security-dev@openjdk.java.net" <security-dev@openjdk.java.net><br/>
<b>Subject:</b> Microsoft LDAP Channel Binding</div>

<div>
<div>
<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;">Hello,</div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"> </div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"><span>Microsoft just released a Security Advisory, announcing that upcoming Windows Server versions will turn on mandatory TLS Channel Binding (and turn off simple binds with mandatory SASL signing) on LDAP servers.</span></div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"> </div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"><span>They also reminded administrators to install the KB patch and turn the hardened settings on.</span></div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"> </div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;">Do you have experiences with this, will Java (8) work with the setting of "mandatory is supported" (1) and/or "mandatory" (2) for this key, and if not what is the plan here?</div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"> </div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"><a href="https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023" target="_blank">https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023</a></div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"> </div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"><a href="https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry" target="_blank">https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry</a></div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;"> </div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;">Regards</div>

<div style="color: rgb(0,0,0);background-color: rgb(255,255,255);text-align: left;">Bernd</div>

<div id="ms-outlook-mobile-signature">
<div style="direction: ltr;">--</div>

<div style="direction: ltr;"><a href="http://bernd.eckenfels.net" target="_blank">http://bernd.eckenfels.net</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div></body></html>