  1. JBoss Enterprise Application Platform
  2. JBEAP-12232

Document how are SASL mechanisms handled when they support channel binding


    • Enhancement
    • Resolution: Won't Do
    • Minor
    • None
    • 7.1.0.ER2
    • Documentation, Security
    • 8

      The handling of non-PLUS vs. PLUS Elytron SASL mechanisms has to be documented, as there are some caveats in their usage. (Details are discussed in JIRAs JBEAP-11396 and its follow-up JBEAP-12231.)

      Some of the Elytron SASL mechanisms have a variant with channel binding (their names then end with "-PLUS"). E.g., for the SCRAM-SHA-1 mechanism there is also a SCRAM-SHA-1-PLUS mechanism.

      Example scenario of the problematic behavior (in 7.1.0.ER2):

      • Server administrator configures support for the SCRAM-SHA-1 SASL mechanism in Elytron
      • Elytron Client (e.g. management client) sets support for SCRAM-SHA-1 too

      This configuration works nicely when an SSL context is not used for the remoting connection.
      This configuration doesn't work when an SSL context is used for the remoting connection.

            amehenda@redhat.com Ashwin Mehendale
            josef.cacek@gmail.com Josef Cacek (Inactive)
            Ondrej Lukas Ondrej Lukas (Inactive)
            Ondrej Lukas Ondrej Lukas (Inactive)