[
https://issues.jboss.org/browse/ELY-1283?page=com.atlassian.jira.plugin.s...
]
Farah Juma commented on ELY-1283:
---------------------------------
In [RFC-5802 Section
6|https://tools.ietf.org/html/rfc5802#section-6], it says that both
the PLUS and non-PLUS mechanisms should be offered when channel binding is supported.
We're currently offering the mechanisms in the following order, which is what's
causing the non-PLUS mechanisms to get attempted first:
{code}
SCRAM_SHA_1
SCRAM_SHA_1_PLUS
SCRAM_SHA_256
SCRAM_SHA_256_PLUS
SCRAM_SHA_384
SCRAM_SHA_384_PLUS
SCRAM_SHA_512
SCRAM_SHA_512_PLUS
{code}
I think we should change this order so that the PLUS mechanisms are offered first, as
shown below. WDYT?
{code}
SCRAM_SHA_1_PLUS
SCRAM_SHA_256_PLUS
SCRAM_SHA_384_PLUS
SCRAM_SHA_512_PLUS
SCRAM_SHA_1
SCRAM_SHA_256
SCRAM_SHA_384
SCRAM_SHA_512
{code}
Channel binding SASL mechanisms should be preferred by Elytron
clients
----------------------------------------------------------------------
Key: ELY-1283
URL:
https://issues.jboss.org/browse/ELY-1283
Project: WildFly Elytron
Issue Type: Bug
Reporter: Josef Cacek
Assignee: Farah Juma
Priority: Critical
The *\*-PLUS* SASL mechanisms (i.e. variants with channel binding) should be preferred by
Elytron over the non-plus ones.
The channel binding [
RFC-5056|https://tools.ietf.org/html/rfc5056#section-2.1] in section
2.1 states:
{noformat}
* If the authentication protocol used by the application supports
channel binding, the application SHOULD use it.
{noformat}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)