Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12231

Handle properly non-PLUS Elytron SASL mechanisms when SSL context is used (i.e. channel binding is possible)

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.CR1
    • 7.1.0.ER2
    • Security
    • None

    Description

      This is a follow up JIRA for JBEAP-11396. Find the details and related discussion there.

      When a remoting connection has configured SSL context and non-PLUS SCRAM mechanism(s) to be used, then authentication fails. The problem is, Elytron client always sets channel-binding-supported during the SCRAM negotiation.

      There are 2 possible ways to resolve the problem:

      • report the missing channel binding support in the mechanism to clients in a user-friendly way (e.g. with suggestion to configure the -PLUS variant on both sides client-server); The clients then know what was the problem with authentication.
      • add Elytron client option to disable channel binding so non-PLUS (SCRAM) mechanisms can be used even if the SSL context is configured for the underlying remoting connection.

      These 2 options are independent, so both of them can be implemented. It would be the most general way. Once the issue is resolved by choosing one of the ways, we can create a new JIRA (e.g. Feature request) for the second way - to have it covered in the future.

      Attachments

        Issue Links

          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-12390 Upgrade WildFly Elytron to 1.1.0.CR5

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is related to

          Feature Request - Feature requests from customers and/or users JBEAP-12894 Add possibility to disable channel binding in Elytron clients

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-12689 Elytron GS2-KRB5 SASL mechanism (non-PLUS) is allowed even if the channel binding is possible

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11396 Elytron - *-PLUS SASL mechanisms don't work - part of channel binding integration seems to be missing

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. ELY-1297 Enable error messages from SCRAM server when checking binding data conditions

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) JBEAP-12232 Document how are SASL mechanisms handled when they support channel binding

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: