David Lloyd resolved ELY-129.
-----------------------------
Fix Version/s: 1.1.0.Beta3 (was: 1.1.0.CR1)
Assignee: David Lloyd
Resolution: Done
This is resolved as a result of mechanism configuration.
Choose SASL mechanisms based on better criteria
-----------------------------------------------
Key: ELY-129
URL: https://issues.jboss.org/browse/ELY-129
Project: WildFly Elytron
Issue Type: Enhancement
Reporter: David Lloyd
Assignee: David Lloyd
Fix For: 1.1.0.Beta3
SASL mechanism selection is based on properties right now, which specify only a few very
limited criteria.
We should provide a better selection mechanism that allows selection based on the
following criteria:
* Specify requirements of the mechanism itself
** Algorithm usage
** Key length (where applicable)
** Parameters similar to existing Sasl ones, like:
*** QOP
*** Forward secrecy
*** Plaintext
*** Active attack susceptibility
*** etc.
* Specify requirements around the mechanism's circumstance
** Restrict by enclosing channel security
*** Require TLS cipher suite parameters (using existing database parameters)
*** Require channel binding
In the end the client or server user should be able to specify SASL mechanism usage using
expressions that can express things like:
* Use PLAIN only if TLS is in use with AES encryption
* Use EXTERNAL only if TLS is in use
* Use no SASL mechanisms employing weak hash algorithms (MD5 and worse)
* Use only SASL mechanisms employing SHA-256
* Use only SASL mechanisms that provide channel binding and require TLS
* Use only ANONYMOUS
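The following is an added illustration of the selection model the ticket asks for, written for this page and not code from WildFly Elytron. It models a mechanism's own properties (hash algorithm, plaintext, active-attack susceptibility, forward secrecy, channel binding) separately from its circumstance (TLS in use, cipher suite, channel binding available), expresses the six example expressions above as composable rules, and filters a constructed mechanism table with them. `MechanismInfo`, `ChannelContext`, `Rule`, the `WEAK_HASHES` set, the mechanism table values and the substring check on the cipher-suite name are all assumptions made for the demo; only the `javax.security.sasl.Sasl` property keys in `legacyProperties()` are the real JDK constants that today's property-based selection uses.

```java
import javax.security.sasl.Sasl;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.BiPredicate;
import java.util.stream.Collectors;

public class SaslMechanismPolicy {

    /** Static facts about a mechanism. Hypothetical model; values below are constructed for the demo. */
    record MechanismInfo(String name, Set<String> hashAlgorithms, boolean plaintext,
                         boolean activeAttackSusceptible, boolean forwardSecrecy,
                         boolean channelBinding) {}

    /** Facts about the enclosing channel at selection time (the mechanism's "circumstance"). */
    record ChannelContext(boolean tlsInUse, String cipherSuite, boolean channelBindingAvailable) {
        // Simplified stand-in for a cipher-suite database lookup: match on the suite name.
        boolean tlsWith(String cipherFragment) {
            return tlsInUse && cipherSuite != null && cipherSuite.contains(cipherFragment);
        }
    }

    /** A rule decides (mechanism, circumstance) -> allowed; BiPredicate gives and/or/negate for free. */
    interface Rule extends BiPredicate<MechanismInfo, ChannelContext> {}

    /** Hash algorithms treated as "MD5 and worse" here; an assumption for this example. */
    static final Set<String> WEAK_HASHES = Set.of("MD4", "MD5");

    // Criteria on the mechanism itself.
    static Rule named(String name)         { return (m, c) -> m.name().equals(name); }
    static Rule usesHash(String alg)       { return (m, c) -> m.hashAlgorithms().contains(alg); }
    static Rule noWeakHash()               { return (m, c) -> m.hashAlgorithms().stream().noneMatch(WEAK_HASHES::contains); }
    static Rule noPlaintext()              { return (m, c) -> !m.plaintext(); }
    static Rule noActive()                 { return (m, c) -> !m.activeAttackSusceptible(); }
    static Rule forwardSecrecy()           { return (m, c) -> m.forwardSecrecy(); }

    // Criteria on the mechanism's circumstance.
    static Rule tlsInUse()                 { return (m, c) -> c.tlsInUse(); }
    static Rule tlsWithCipher(String frag) { return (m, c) -> c.tlsWith(frag); }
    static Rule channelBinding()           { return (m, c) -> m.channelBinding() && c.channelBindingAvailable(); }

    /** "Use X only if COND": X is dropped when COND fails; every other mechanism is left alone. */
    static Rule onlyIf(Rule target, Rule cond) { return (m, c) -> !target.test(m, c) || cond.test(m, c); }

    /** Conjunction of several rules; an empty policy allows everything. */
    static Rule all(Rule... rules) {
        return (m, c) -> { for (Rule r : rules) if (!r.test(m, c)) return false; return true; };
    }

    /** Apply a policy to the mechanisms on offer under the given circumstance. */
    static List<String> select(List<MechanismInfo> offered, ChannelContext ctx, Rule policy) {
        return offered.stream().filter(m -> policy.test(m, ctx))
                      .map(MechanismInfo::name).collect(Collectors.toList());
    }

    /** The property-based selection the ticket wants to go beyond, for comparison (real Sasl keys). */
    static Map<String, String> legacyProperties() {
        return Map.of(Sasl.POLICY_NOPLAINTEXT, "true", Sasl.POLICY_NOACTIVE, "true",
                      Sasl.POLICY_FORWARD_SECRECY, "false", Sasl.QOP, "auth-conf,auth-int,auth");
    }

    // Constructed mechanism table for the demo; not Elytron's registry.
    static final List<MechanismInfo> OFFERED = List.of(
        new MechanismInfo("ANONYMOUS",          Set.of(),          false, true,  false, false),
        new MechanismInfo("PLAIN",              Set.of(),          true,  true,  false, false),
        new MechanismInfo("EXTERNAL",           Set.of(),          false, false, false, false),
        new MechanismInfo("DIGEST-MD5",         Set.of("MD5"),     false, true,  false, false),
        new MechanismInfo("SCRAM-SHA-1",        Set.of("SHA-1"),   false, false, false, false),
        new MechanismInfo("SCRAM-SHA-256",      Set.of("SHA-256"), false, false, false, false),
        new MechanismInfo("SCRAM-SHA-256-PLUS", Set.of("SHA-256"), false, false, false, true));

    public static void main(String[] args) {
        ChannelContext tlsAes    = new ChannelContext(true, "TLS_AES_256_GCM_SHA384", true);
        ChannelContext cleartext = new ChannelContext(false, null, false);

        // The ticket's example expressions, written as composed rules.
        Rule plainOnlyOverTlsAes = onlyIf(named("PLAIN"), tlsWithCipher("AES"));
        Rule externalOnlyOverTls = onlyIf(named("EXTERNAL"), tlsInUse());
        Rule sha256Only          = usesHash("SHA-256");
        Rule bindingAndTls       = all(channelBinding(), tlsInUse());

        Rule policy = all(plainOnlyOverTlsAes, externalOnlyOverTls, noWeakHash());
        System.out.println("over TLS+AES : " + select(OFFERED, tlsAes, policy));
        System.out.println("cleartext    : " + select(OFFERED, cleartext, policy));
        System.out.println("SHA-256 only : " + select(OFFERED, tlsAes, sha256Only));
        System.out.println("binding+TLS  : " + select(OFFERED, tlsAes, bindingAndTls));
        System.out.println("ANONYMOUS    : " + select(OFFERED, cleartext, named("ANONYMOUS")));
        System.out.println("legacy props : " + legacyProperties());
    }
}
```

Run with `java SaslMechanismPolicy.java` (Java 17 or later, for records). Under the combined policy PLAIN and EXTERNAL survive over TLS with an AES suite but disappear on the cleartext channel, while DIGEST-MD5 is rejected in both cases; the `legacyProperties()` map shows why the existing `Sasl` keys cannot express the same thing, since they carry no notion of the enclosing channel and can only switch whole categories (plaintext, active-attack-prone) on or off.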