Enhancement
Resolution: Done
Major
High
SASL mechanism selection is currently based on properties that can express only a few, very limited criteria.
We should provide a better selection mechanism that allows selection based on the following criteria:
- Specify requirements of the mechanism itself
  - Algorithm usage
  - Key length (where applicable)
  - Parameters similar to existing Sasl ones, like:
    - QOP
    - Forward secrecy
    - Plaintext
    - Active attack susceptibility
    - etc.
- Specify requirements around the mechanism's circumstance
  - Restrict by enclosing channel security
  - Require TLS cipher suite parameters (using existing database parameters)
  - Require channel binding
In the end the client or server user should be able to specify SASL mechanism usage using expressions that can express things like:
- Use PLAIN only if TLS is in use with AES encryption
- Use EXTERNAL only if TLS is in use
- Use no SASL mechanisms employing weak hash algorithms (MD5 and worse)
- Use only SASL mechanisms employing SHA-256
- Use only SASL mechanisms that provide channel binding and require TLS
- Use only ANONYMOUS
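To make the kind of policy the expressions above describe concrete, here is an added example in Java. It is not Elytron's own selector API and not code from this issue: the mechanism catalogue and its property values are constructed for the demo, the set of hash algorithms treated as "MD5 and worse" is an assumption, and only the `Sasl.QOP` and `Sasl.POLICY_NOPLAINTEXT` constants are real JDK names from `javax.security.sasl.Sasl`. Each rule combines a property of the mechanism itself with the security of the enclosing channel, which is exactly the pairing the two groups of criteria above call for. Requires Java 16 or later (records).

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.sasl.Sasl;

/**
 * Added illustration (not Elytron code): a SASL mechanism selector that filters
 * candidates both by properties of the mechanism itself and by the security of
 * the channel the exchange runs inside.
 */
public final class SaslMechanismPolicyDemo {

    /** What the policy knows about a mechanism. The values in CATALOGUE are constructed for this demo. */
    public record Mechanism(String name, String hashAlgorithm, boolean plaintextCredential,
                            boolean channelBinding) {}

    /** What the policy knows about the enclosing channel (cipherSuite is null when TLS is off). */
    public record Channel(boolean tls, String cipherSuite, boolean channelBindingAvailable) {}

    /** One requirement; a mechanism is selected only if every rule in the policy allows it. */
    @FunctionalInterface
    public interface Rule { boolean allows(Mechanism m, Channel c); }

    /** Constructed catalogue; a real deployment would derive this from the registered SASL factories. */
    public static final List<Mechanism> CATALOGUE = List.of(
        new Mechanism("PLAIN",              null,      true,  false),
        new Mechanism("ANONYMOUS",          null,      false, false),
        new Mechanism("EXTERNAL",           null,      false, false),
        new Mechanism("DIGEST-MD5",         "MD5",     false, false),
        new Mechanism("SCRAM-SHA-1",        "SHA-1",   false, false),
        new Mechanism("SCRAM-SHA-256",      "SHA-256", false, false),
        new Mechanism("SCRAM-SHA-256-PLUS", "SHA-256", false, true));

    /** "MD5 and worse": an assumed set for the demo. */
    static final Set<String> WEAK_HASHES = Set.of("MD2", "MD4", "MD5");

    // ---- Rules mirroring the example expressions in the issue ----

    /** Use PLAIN only if TLS is in use with an AES cipher suite. */
    public static final Rule PLAIN_NEEDS_TLS_AES = (m, c) ->
        !m.name().equals("PLAIN")
            || (c.tls() && c.cipherSuite() != null && c.cipherSuite().contains("_AES_"));

    /** Use EXTERNAL only if TLS is in use. */
    public static final Rule EXTERNAL_NEEDS_TLS = (m, c) -> !m.name().equals("EXTERNAL") || c.tls();

    /** Use no mechanism employing a weak hash algorithm (mechanisms without a hash pass). */
    public static final Rule NO_WEAK_HASH = (m, c) ->
        m.hashAlgorithm() == null || !WEAK_HASHES.contains(m.hashAlgorithm());

    /** Use only mechanisms employing SHA-256. */
    public static final Rule ONLY_SHA256 = (m, c) -> "SHA-256".equals(m.hashAlgorithm());

    /** Use only mechanisms that provide channel binding, and require TLS with binding data available. */
    public static final Rule CHANNEL_BINDING_OVER_TLS = (m, c) ->
        m.channelBinding() && c.tls() && c.channelBindingAvailable();

    /** Returns the names of catalogue mechanisms allowed by every rule, in catalogue order. */
    public static List<String> select(List<Rule> policy, Channel channel) {
        List<String> selected = new ArrayList<>();
        for (Mechanism m : CATALOGUE) {
            boolean ok = true;
            for (Rule r : policy) {
                if (!r.allows(m, channel)) { ok = false; break; }
            }
            if (ok) selected.add(m.name());
        }
        return selected;
    }

    /**
     * The coarse knobs the JDK already offers: forbidding plaintext credentials maps to
     * Sasl.POLICY_NOPLAINTEXT and requiring confidentiality maps to Sasl.QOP. The channel-aware
     * rules above have no JDK property to map to, which is the gap this issue describes.
     */
    public static Map<String, String> toJdkSaslProperties(boolean forbidPlaintext,
                                                          boolean requireConfidentiality) {
        Map<String, String> props = new HashMap<>();
        if (forbidPlaintext) props.put(Sasl.POLICY_NOPLAINTEXT, "true");
        if (requireConfidentiality) props.put(Sasl.QOP, "auth-conf");
        return props;
    }

    public static void main(String[] args) {
        List<Rule> baseline = List.of(PLAIN_NEEDS_TLS_AES, EXTERNAL_NEEDS_TLS, NO_WEAK_HASH);

        Channel cleartext = new Channel(false, null, false);
        Channel tls = new Channel(true, "TLS_AES_256_GCM_SHA384", true);

        // Cleartext channel: PLAIN, EXTERNAL and DIGEST-MD5 drop out.
        System.out.println("cleartext  : " + select(baseline, cleartext));
        // TLS with AES: PLAIN and EXTERNAL become acceptable; DIGEST-MD5 stays excluded.
        System.out.println("tls+aes    : " + select(baseline, tls));
        // Strictest combination in the issue: only the -PLUS variant survives, and only over TLS.
        System.out.println("cb-over-tls: " + select(List.of(CHANNEL_BINDING_OVER_TLS, ONLY_SHA256), tls));
        System.out.println("jdk props  : " + toJdkSaslProperties(true, true));
    }
}
```

Running `main` on the cleartext channel yields ANONYMOUS and the three SCRAM variants; over TLS with an AES suite, PLAIN and EXTERNAL are admitted while DIGEST-MD5 remains excluded; the channel-binding policy leaves only SCRAM-SHA-256-PLUS. The point of the design is that a rule sees both the mechanism and the channel, so "PLAIN only under TLS with AES" is a single predicate rather than something the caller has to re-check after the property-based filter has run.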
Is related to: ELY-1090 SASL mechanism selection strings with ordering and filtering (Resolved)