Microsoft LDAP Channel Binding

Weijun Wang weijun.wang at oracle.com
Wed Jan 22 09:14:28 UTC 2020



> On Jan 22, 2020, at 4:21 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
> 
> Am 2020-01-22 um 08:40 schrieb Weijun Wang:
>> 
>> 
>>> On Dec 18, 2019, at 9:14 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>> 
>>> ...
>> 
>>> A few issues must be addressed first:
>>> * Java's SASL GSSAPI mech has a bug which will make all default installations fail.
>>>   I have reported this years ago and this must be immediately fixed [3].
>>> 
>> ...
>>> [3] https://bugs.openjdk.java.net/browse/JDK-8160818
>> 
>> My current plan is to update the default value of SERVER_AUTH: "false" if only "auth" is requested, and "true" if one of "auth-int" or "auth-conf" is requested. I'll see what compatibility impact there would be for other actions.
> 
> Max,
> 
> when you are on it, please take recent changes in Cyrus SASL into
> account. A compatibility with Cyrus SASL is crucial here.
> 
> The discussion in question is:
> https://github.com/cyrusimap/cyrus-sasl/issues/419

What is the major point in this thread? In fact, I think the old code in https://github.com/cyrusimap/cyrus-sasl/commit/e41cfb986c1b1935770de554872247453fdbb079 looks correct. GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG should only be set when there is a security layer. Is the if check wrong?

--Max

> 
> Especially this block:
> https://github.com/cyrusimap/cyrus-sasl/blob/master/plugins/gssapi.c#L1762-L1778
> Java should match here.
> 
> Michael
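The default rule proposed earlier in this thread (SERVER_AUTH false when only "auth" is requested, true when "auth-int" or "auth-conf" is among the requested QOPs, which is also the case in which a security layer and the GSS mutual/sequence flags come into play) can be expressed as a small decision function. The class below is an added illustration written for this archive page; it is not code from the JDK or from Cyrus SASL, the class and method names are hypothetical, and it only uses the real `javax.security.sasl.Sasl` property constants to read the same properties a caller would pass to `Sasl.createSaslClient`.

```java
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.sasl.Sasl;

/** Hypothetical helper showing the proposed SERVER_AUTH default; not JDK code. */
public final class ServerAuthDefault {

    /** QOP values that negotiate a SASL security layer (integrity or confidentiality). */
    private static final Set<String> WITH_LAYER = Set.of("auth-int", "auth-conf");

    /**
     * Parse the comma-separated, preference-ordered value of Sasl.QOP.
     * An absent or blank property means the API default, "auth" only.
     */
    static Set<String> parseQop(Object qopProp) {
        Set<String> out = new LinkedHashSet<>();
        if (qopProp == null || qopProp.toString().isBlank()) {
            out.add("auth");
            return out;
        }
        for (String token : qopProp.toString().split(",")) {
            String t = token.trim().toLowerCase();
            if (!t.isEmpty()) {
                out.add(t);
            }
        }
        return out;
    }

    /**
     * Proposed rule from the thread: an explicit Sasl.SERVER_AUTH setting wins;
     * otherwise default to true only when a security layer may be negotiated.
     * Requiring server authentication in that case is what stops a client from
     * establishing a layer with an endpoint that never proved its identity.
     */
    static boolean serverAuthDefault(Map<String, ?> props) {
        Object explicit = props.get(Sasl.SERVER_AUTH);
        if (explicit != null) {
            return Boolean.parseBoolean(explicit.toString());
        }
        for (String qop : parseQop(props.get(Sasl.QOP))) {
            if (WITH_LAYER.contains(qop)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed property maps for illustration, not taken from any deployment.
        Map<String, String> authOnly = Map.of(Sasl.QOP, "auth");
        Map<String, String> layerPreferred = Map.of(Sasl.QOP, "auth-conf, auth-int, auth");
        Map<String, String> unset = Map.of();
        Map<String, String> explicitTrue = Map.of(Sasl.QOP, "auth", Sasl.SERVER_AUTH, "true");

        System.out.println("auth only            -> " + serverAuthDefault(authOnly));
        System.out.println("layer in QOP list    -> " + serverAuthDefault(layerPreferred));
        System.out.println("no QOP property      -> " + serverAuthDefault(unset));
        System.out.println("explicit SERVER_AUTH -> " + serverAuthDefault(explicitTrue));
    }
}
```

The only behaviour the helper encodes beyond the one sentence in the thread is that an explicit `Sasl.SERVER_AUTH` property is honoured as-is, so a client that deliberately sets it to "false" with a security layer keeps that choice, and a QOP list is scanned as a whole rather than only its first (most preferred) entry, since any listed layer might be the one that ends up negotiated.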


