[JBoss JIRA] (ELY-1547) SPNEGO: missing negstat field in the first reply for expired token
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/ELY-1547?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1547:
----------------------------------
Fix Version/s: 1.1.12.CR1
> SPNEGO: missing negstat field in the first reply for expired token
> ------------------------------------------------------------------
>
> Key: ELY-1547
> URL: https://issues.jboss.org/browse/ELY-1547
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Mechanisms, HTTP
> Affects Versions: 1.2.4.Final
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Priority: Major
> Fix For: 1.1.12.CR1, 1.3.1.Final, 1.4.0.Final
>
>
> When the client sends an initial SPNEGO token with Kerberos as preferred mechanism and includes an invalid kerberos token, then client expects to see the {{WWW-Authenticate}} HTTP header with SPNEGO response {{negTokenResp[ negState = reject ]}}.
> As stated in [SPNEGO specification|https://tools.ietf.org/html/rfc4178#section-4.2.2] negstat is required in first reply:
> {code:borderStyle=dashed}
> negState
> ...
> This field is REQUIRED in the first reply from the target, and is
> OPTIONAL thereafter. When negState is absent, the actual state
> should be inferred from the state of the negotiated mechanism
> context.
> {code}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
7 years, 8 months
[JBoss JIRA] (ELY-386) Unable to create HTTPS connection when some opnessl cipher suite with DHE are used
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/ELY-386?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-386:
---------------------------------
Fix Version/s: 1.1.12.CR1
> Unable to create HTTPS connection when some opnessl cipher suite with DHE are used
> ----------------------------------------------------------------------------------
>
> Key: ELY-386
> URL: https://issues.jboss.org/browse/ELY-386
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.0.2.Final
> Environment: Oracle java 1.8.0_66
> Reporter: Martin Choma
> Assignee: Jan Kalina
> Priority: Major
> Fix For: 1.1.12.CR1, 1.2.0.Beta3
>
>
> Can't configure OpenSSL cipher suites EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA [1] for HTTPS connection. Seems like everlasting problem DHE vs. EDH [2] - these cipher suites don't work neither in EAP6. IMHO problem is in MechanismDatabase.properties, where these DHE cipher suite are mapped to openssl EDH cipher suite what contradict openssl documentation [1]:
> {code}
> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = alias:TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> SSL_DHE_RSA_WITH_DES_CBC_SHA = alias:TLS_DHE_RSA_WITH_DES_CBC_SHA
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = alias:TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,true,EXP40,false,40,56
> TLS_DHE_RSA_WITH_DES_CBC_SHA = EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,false,LOW,false,56,56
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = EDH-RSA-DES-CBC3-SHA,DHE,RSA,3DES,SHA1,SSLv3,false,HIGH,true,168,168
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,true,EXP40,false,40,56
> SSL_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = EDH-DSS-DES-CBC3-SHA,DHE,DSS,3DES,SHA1,SSLv3,false,HIGH,true,168,168
> {code}
> Note that MechanismDatabase.properties is inconsistent in mapping DHE cipher suites to openssl cipher suites, as there also exist couple of them which map DHE to DHE, for example
> {code}
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = DHE-RSA-AES128-SHA256,DHE,RSA,AES128,SHA256,TLSv1.2,false,HIGH,true,128,128
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = DHE-RSA-AES256-SHA256,DHE,RSA,AES256,SHA256,TLSv1.2,false,HIGH,true,256,256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = DHE-RSA-AES128-GCM-SHA256,DHE,RSA,AES128GCM,AEAD,TLSv1.2,false,HIGH,true,128,128
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = DHE-RSA-AES256-GCM-SHA384,DHE,RSA,AES256GCM,AEAD,TLSv1.2,false,HIGH,true,256,256
> {code}
> In MechanismDatabase.properties is also said that
> ??Note that all EDH ciphers automatically get a DHE OpenSSL-style alias (and vice-versa)??
> I think this JIRA contradict this comment.
> Last thing, based on [1] shouldn't be SSL_DHE_DSS_WITH_DES_CBC_SHA defined as
> SSL_DHE_DSS_WITH_DES_CBC_SHA = DHE-DSS-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
> ?
> [1] https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1123304
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
7 years, 8 months
[JBoss JIRA] (ELY-1549) IBM JDK, SPNEGO + FORM; with invalid ticket 401 status code is returned
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/ELY-1549?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1549:
----------------------------------
Fix Version/s: 1.1.12.CR1
> IBM JDK, SPNEGO + FORM; with invalid ticket 401 status code is returned
> -----------------------------------------------------------------------
>
> Key: ELY-1549
> URL: https://issues.jboss.org/browse/ELY-1549
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Mechanisms, HTTP
> Affects Versions: 1.2.4.Final
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Priority: Major
> Labels: ibm-java
> Fix For: 1.1.12.CR1, 1.3.1.Final, 1.4.0.Final
>
>
> Given SPNEGO + FORM authentication configuration. AND SPNEGO is SESSION,CONNECTION or default (SESSIN) scoped. And running on IBM java.
> When invalid kerberos ticket is send
> Then status code 401 is returned with http form.
> There is agreement in such case SPNEGO+FORM 200 should return with form.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
7 years, 8 months
[JBoss JIRA] (ELY-1373) IBM JDK, SPNEGO + FORM; with invalid ticket 200 status code is returned
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/ELY-1373?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1373:
----------------------------------
Fix Version/s: 1.1.12.CR1
> IBM JDK, SPNEGO + FORM; with invalid ticket 200 status code is returned
> -----------------------------------------------------------------------
>
> Key: ELY-1373
> URL: https://issues.jboss.org/browse/ELY-1373
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Mechanisms
> Affects Versions: 1.2.0.Beta3
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Priority: Major
> Fix For: 1.1.12.CR1, 1.2.0.Beta9
>
>
> Given SPNEGO + FORM authentication configuration. And running on IBM java.
> When invalid kerberos ticket is send
> Then status code 200 is returned with http form.
> While on Oracle JDK {{gssContext.isEstablished()}} returns true for invalid client ticket (negotiate with wrong domain JBOSS.COM), so SPNEGO mechanism sends bare challenge after failed authorization, on IBM JDK it returns false immediately, so mechanism fail without sending challenge - to be consistent should be send in both cases.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
7 years, 8 months