[jboss-jira] [JBoss JIRA] (ELY-1283) Channel binding SASL mechanisms should be preferred by Elytron clients
Farah Juma (JIRA)
issues at jboss.org
Thu Jul 13 13:14:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13435514#comment-13435514 ]
Farah Juma commented on ELY-1283:
---------------------------------
In [RFC-5802 Section 6|https://tools.ietf.org/html/rfc5802#section-6], it says that both the PLUS and non-PLUS mechanisms should be offered when channel binding is supported. We're currently offering the mechanisms in the following order, which is what's causing the non-PLUS mechanisms to get attempted first:
{code}
SCRAM_SHA_1
SCRAM_SHA_1_PLUS
SCRAM_SHA_256
SCRAM_SHA_256_PLUS
SCRAM_SHA_384
SCRAM_SHA_384_PLUS
SCRAM_SHA_512
SCRAM_SHA_512_PLUS
{code}
I think we should change this order so that the PLUS mechanisms are offered first, as shown below. WDYT?
{code}
SCRAM_SHA_1_PLUS
SCRAM_SHA_256_PLUS
SCRAM_SHA_384_PLUS
SCRAM_SHA_512_PLUS
SCRAM_SHA_1
SCRAM_SHA_256
SCRAM_SHA_384
SCRAM_SHA_512
{code}
> Channel binding SASL mechanisms should be preferred by Elytron clients
> ----------------------------------------------------------------------
>
> Key: ELY-1283
> URL: https://issues.jboss.org/browse/ELY-1283
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Josef Cacek
> Assignee: Farah Juma
> Priority: Critical
>
> The *-PLUS SASL mechanisms (i.e. variants with channel binding) should be preferred by Elytron over the non-plus ones.
> The channel binding [RFC-5056|https://tools.ietf.org/html/rfc5056#section-2.1] in section 2.1 states:
> {noformat}
> * If the authentication protocol used by the application supports
> channel binding, the application SHOULD use it.
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
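As an added illustration of the ordering discussed in this issue (example code, not Elytron's own, written in Python rather than Java), the following reorders a client mechanism list the way the comment proposes and shows how the client's gs2-cbind-flag and the server's check from RFC 5802 section 6 behave under each order. The mechanism names in SASL registry form, the server mechanism sets and the channel-binding type "tls-unique" are constructed sample values.

```python
from __future__ import annotations

# Elytron's current client-side order as quoted in the comment, with the
# Java enum names written in SASL registry form.
CURRENT_ORDER = [
    "SCRAM-SHA-1", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS",
    "SCRAM-SHA-384", "SCRAM-SHA-384-PLUS", "SCRAM-SHA-512", "SCRAM-SHA-512-PLUS",
]


def prefer_channel_binding(mechs: list[str]) -> list[str]:
    """Move every *-PLUS variant ahead of the non-PLUS ones, keeping the
    relative order inside each group (the reordering the comment proposes)."""
    plus = [m for m in mechs if m.endswith("-PLUS")]
    return plus + [m for m in mechs if not m.endswith("-PLUS")]


def select_mechanism(client_order: list[str], server_mechs: set[str],
                     client_cb_type: str | None) -> tuple[str, str]:
    """Pick the first mutually supported mechanism in client preference order
    and the gs2-cbind-flag the client sends with it (RFC 5802 section 6):
      p=<type>  channel binding in use (a PLUS mechanism was chosen)
      y         client can bind the channel but chose a non-PLUS mechanism
      n         client cannot bind the channel (client_cb_type is None)
    """
    usable = [m for m in client_order if m in server_mechs]
    if client_cb_type is None:
        usable = [m for m in usable if not m.endswith("-PLUS")]
    if not usable:
        raise ValueError("no mutually supported SCRAM mechanism")
    mech = usable[0]
    if client_cb_type is None:
        return mech, "n"
    if mech.endswith("-PLUS"):
        return mech, f"p={client_cb_type}"
    # A client that can bind but picked a non-PLUS mechanism announces that
    # with "y"; a server that offered PLUS treats this as a downgrade.
    return mech, "y"


def server_check_gs2(flag: str, server_supports_cb: bool) -> str | None:
    """Server-side check of the received gs2-cbind-flag. Returns the RFC 5802
    server-error value to send, or None when authentication may proceed."""
    if flag == "y" and server_supports_cb:
        return "server-does-support-channel-binding"  # downgrade detected
    if flag.startswith("p=") and not server_supports_cb:
        return "channel-binding-not-supported"
    return None
```

With the current order a channel-binding-capable client and server negotiate SCRAM-SHA-256 with flag "y", which a compliant server rejects; with the PLUS-first order the same pair negotiates SCRAM-SHA-256-PLUS with "p=tls-unique".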