Hi all,<br><br>I'm trying to use SASL_SSF_EXTERNAL to account for the security mechanism provided by our transport layer (SSL). I'm trying the following test:<br><br>1) set the SASL_SFF_EXTERNAL to 90 on both server and client. (yeah, 90 is arbitrary, but I wanted it to be > 56 for the test).<br>
2) set the min-ssf to 10 on the client and the server<br>3) specify the GSSAPI mechanism and attempt to authenticate....<br><br>I don't understand the resulting behaviour. I'm a noob, so I was hoping someone could clarify this for me...<br>
<br>On the server side, I see the authentication take place:<br><br>2009-09-18 10:59:29 info SETTING SSF EXTERNAL = 90<br>2009-09-18 10:59:29 info SASL: Mechanism list: ANONYMOUS PLAIN DIGEST-MD5 LOGIN GSSAPI CRAM-MD5<br>
2009-09-18 10:59:29 info SASL: Starting authentication with mechanism: GSSAPI<br>2009-09-18 10:59:29 info SASL: Authentication succeeded for: <a href="mailto:testuser@EXAMPLE.COM">testuser@EXAMPLE.COM</a><br><br>However, an SSF of 56 gets negotiated (I'm assuming this is supplied by GSSAPI):<br>
<br>2009-09-18 10:59:29 info getprop SSF: 56<br>2009-09-18 10:59:29 info Installing security layer, SSF: 56<br><br>Since the external ssf is already stronger than the GSSAPI security layer, I was expecting that the external ssf would take precedence, and keep GSSAPI encryption from happening. Instead, it seems like the external ssf factor is ignored, and I end up double encrypting (once at TLS, once at sasl).<br>
<br>Sorry if this is an obvious question - I'm new to this and can't find an answer elsewhere...<br><br>BTW, I'm using rev 2.1.22 of cyrus sasl (from fedora core 11).<br><br><br>thanks!<br><br>-- <br>Ken Giusti (<a href="mailto:kgiusti@gmail.com">kgiusti@gmail.com</a>)<br>