[jboss-jira] [JBoss JIRA] (ELY-129) Choose SASL mechanisms based on better criteria
David Lloyd (JIRA)
issues at jboss.org
Tue Dec 8 11:39:00 EST 2015
[ https://issues.jboss.org/browse/ELY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Lloyd resolved ELY-129.
-----------------------------
Fix Version/s: 1.1.0.Beta3
(was: 1.1.0.CR1)
Assignee: David Lloyd
Resolution: Done
This is resolved as a result of mechanism configuration.
> Choose SASL mechanisms based on better criteria
> -----------------------------------------------
>
> Key: ELY-129
> URL: https://issues.jboss.org/browse/ELY-129
> Project: WildFly Elytron
> Issue Type: Enhancement
> Reporter: David Lloyd
> Assignee: David Lloyd
> Fix For: 1.1.0.Beta3
>
>
> SASL mechanism selection is based on properties right now that specify only a few very limited criteria.
> We should provide a better selection mechanism that allows selection based on the following criteria:
> * Specify requirements of the mechanism itself
> ** Algorithm usage
> ** Key length (where applicable)
> ** Parameters similar to existing Sasl ones, like:
> *** QOP
> *** Forward secrecy
> *** Plaintext
> *** Active attack susceptibility
> *** etc.
> * Specify requirements around the mechanism's circumstance
> ** Restrict by enclosing channel security
> *** Require TLS cipher suite parameters (using existing database parameters)
> *** Require channel binding
> In the end the client or server user should be able to specify SASL mechanism usage using expressions that can express things like:
> * Use PLAIN only if TLS is in use with AES encryption
> * Use EXTERNAL only if TLS is in use
> * Use no SASL mechanisms employing weak hash algorithms (MD5 and worse)
> * Use only SASL mechanisms employing SHA-256
> * Use only SASL mechanisms that provide channel binding and require TLS
> * Use only ANONYMOUS
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
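
The six policy expressions listed in the issue can be modelled as predicates over mechanism properties and the state of the enclosing channel. The following is an added illustration, not Elytron code and not part of the original message; the `Mech` and `Channel` types, the rule names, the mechanism table and the `WEAK_HASHES` set are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Mech:                        # constructed metadata, not Elytron's database
    name: str
    hash_alg: Optional[str] = None
    plaintext: bool = False        # password crosses the wire in the clear
    channel_binding: bool = False  # "-PLUS" variants bind to the TLS channel

@dataclass(frozen=True)
class Channel:                     # what is known about the enclosing channel
    tls: bool = False
    cipher: Optional[str] = None   # bulk cipher of the negotiated suite

MECHS = [                          # sample table built for this example
    Mech("PLAIN", plaintext=True),
    Mech("EXTERNAL"),
    Mech("ANONYMOUS"),
    Mech("CRAM-MD5", hash_alg="MD5"),
    Mech("DIGEST-MD5", hash_alg="MD5"),
    Mech("SCRAM-SHA-1", hash_alg="SHA-1"),
    Mech("SCRAM-SHA-256", hash_alg="SHA-256"),
    Mech("SCRAM-SHA-256-PLUS", hash_alg="SHA-256", channel_binding=True),
]
WEAK_HASHES = {"MD2", "MD4", "MD5"}  # assumed reading of "MD5 and worse"

# One rule per expression in the issue; each returns True if the mechanism
# may be offered on the given channel.
def plain_needs_tls_aes(m, ch):
    return m.name != "PLAIN" or (ch.tls and ch.cipher == "AES")

def external_needs_tls(m, ch):
    return m.name != "EXTERNAL" or ch.tls

def no_weak_hash(m, ch):
    return m.hash_alg not in WEAK_HASHES

def sha256_only(m, ch):
    return m.hash_alg == "SHA-256"

def binding_and_tls(m, ch):
    return m.channel_binding and ch.tls

def anonymous_only(m, ch):
    return m.name == "ANONYMOUS"

def select(rules, channel, mechs=MECHS):
    """Names of mechanisms satisfying every rule; empty list means offer none."""
    return [m.name for m in mechs if all(r(m, channel) for r in rules)]
```

Rules combine by conjunction, so an empty result fails closed: no mechanism is offered rather than falling back to a weaker one.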