[jboss-jira] [JBoss JIRA] (ELY-129) Choose SASL mechanisms based on better criteria

David Lloyd (JIRA) issues at jboss.org
Fri Dec 19 12:21:29 EST 2014


David Lloyd created ELY-129:
-------------------------------

             Summary: Choose SASL mechanisms based on better criteria
                 Key: ELY-129
                 URL: https://issues.jboss.org/browse/ELY-129
             Project: WildFly Elytron
          Issue Type: Enhancement
            Reporter: David Lloyd


SASL mechanism selection is based on properties right now, which specify only a few very limited criteria.

We should provide a better selection mechanism that allows selection based on the following criteria:

* Specify requirements of the mechanism itself
** Algorithm usage
** Key length (where applicable)
** Parameters similar to existing Sasl ones, like:
*** QOP
*** Forward secrecy
*** Plaintext
*** Active attack susceptibility
*** etc.
* Specify requirements around the mechanism's circumstance
** Restrict by enclosing channel security
*** Require TLS cipher suite parameters (using existing database parameters)
*** Require channel binding

In the end the client or server user should be able to specify SASL mechanism usage using expressions that can express things like:

* Use PLAIN only if TLS is in use with AES encryption
* Use EXTERNAL only if TLS is in use
* Use no SASL mechanisms employing weak hash algorithms (MD5 and worse)
* Use only SASL mechanisms employing SHA-256
* Use only SASL mechanisms that provide channel binding and require TLS
* Use only ANONYMOUS
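To make the proposal concrete, here is an added illustration (not Elytron code and not the API this issue led to) of how such rules could be modelled: each mechanism carries its own properties, the enclosing channel supplies the circumstances, and every policy from the list above becomes a predicate over the two. The mechanism table, the hash ranking and the rule names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Mechanism:
    """Static properties of a SASL mechanism (constructed sample metadata)."""
    name: str
    hash_alg: Optional[str]   # digest the mechanism relies on, None if none
    plaintext: bool           # credential crosses the wire unprotected
    channel_binding: bool     # can bind to the outer channel (the -PLUS variants)

@dataclass(frozen=True)
class Context:
    """Circumstances of the exchange: the enclosing channel's security."""
    tls: bool
    cipher_suite: Optional[str]      # negotiated TLS suite, None without TLS
    channel_binding_available: bool  # channel exposes binding data to the mechanism

HASH_RANK = {"MD5": 0, "SHA-1": 1, "SHA-256": 2, "SHA-512": 3}  # lower is weaker
Rule = Callable[[Mechanism, Context], bool]

def only_if(mech_name: str, cond: Callable[[Context], bool]) -> Rule:
    """Allow the named mechanism only where cond holds; other mechanisms pass."""
    return lambda m, c: m.name != mech_name or cond(c)

def tls_with(cipher_fragment: str) -> Callable[[Context], bool]:
    """True when TLS is in use and the negotiated suite name contains the fragment."""
    return lambda c: c.tls and cipher_fragment in (c.cipher_suite or "")

# The policies from the issue text (plus a no-plaintext rule) as predicates.
PLAIN_ONLY_OVER_AES_TLS: Rule = only_if("PLAIN", tls_with("AES"))
EXTERNAL_ONLY_OVER_TLS: Rule = only_if("EXTERNAL", lambda c: c.tls)
NO_WEAK_HASH: Rule = lambda m, c: m.hash_alg is None or HASH_RANK[m.hash_alg] > HASH_RANK["MD5"]
ONLY_SHA256: Rule = lambda m, c: m.hash_alg == "SHA-256"
CHANNEL_BOUND_OVER_TLS: Rule = lambda m, c: m.channel_binding and c.tls and c.channel_binding_available
ONLY_ANONYMOUS: Rule = lambda m, c: m.name == "ANONYMOUS"
NO_PLAINTEXT: Rule = lambda m, c: not m.plaintext  # the existing Sasl no-plaintext policy

def select(offered: List[Mechanism], ctx: Context, rules: List[Rule]) -> List[str]:
    """Names of the offered mechanisms, in offer order, that satisfy every rule."""
    return [m.name for m in offered if all(rule(m, ctx) for rule in rules)]

# Constructed sample of what a server might advertise.
OFFERED = [
    Mechanism("ANONYMOUS", None, False, False), Mechanism("PLAIN", None, True, False),
    Mechanism("EXTERNAL", None, False, False), Mechanism("DIGEST-MD5", "MD5", False, False),
    Mechanism("SCRAM-SHA-1", "SHA-1", False, False), Mechanism("SCRAM-SHA-256", "SHA-256", False, False),
    Mechanism("SCRAM-SHA-256-PLUS", "SHA-256", False, True),
]
```

Rules combine by conjunction, so the same offer list yields different survivors on a plain TCP connection, under a TLS suite with AES, and under a non-AES suite.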
