  1. JBoss Enterprise Application Platform
  2. JBEAP-12232

Document how SASL mechanisms are handled when they support channel binding


Details

    • Enhancement
    • Resolution: Won't Do
    • Minor
    • None
    • 7.1.0.ER2
    • Documentation, Security

    Description

      The handling of non-PLUS vs. PLUS Elytron SASL mechanisms has to be documented, as there are some caveats in their usage. (Details are discussed in JIRAs JBEAP-11396 and its follow-up JBEAP-12231.)

      Some of the Elytron SASL mechanisms have a variant with channel binding (their names then end with "-PLUS"). E.g. for the SCRAM-SHA-1 mechanism there also exists the SCRAM-SHA-1-PLUS mechanism.

      Example scenario of the problematic behavior (in 7.1.0.ER2):

      • Server administrator configures support for the SCRAM-SHA-1 SASL mechanism in Elytron
      • Elytron Client (e.g. management client) sets support for SCRAM-SHA-1 too

      This configuration works nicely when an SSL context is not used for the remoting connection.
      This configuration doesn't work when an SSL context is used for the remoting connection.

            People

              amehenda@redhat.com Ashwin Mehendale
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Ondrej Lukas Ondrej Lukas (Inactive)