Q: using SASL_SSF_EXTERNAL - seeing unexpected behavior
Dan White
dwhite at olp.net
Fri Sep 18 15:57:34 EDT 2009
On 18/09/09 11:07 -0400, Ken Giusti wrote:
>Hi all,
>
>I'm trying to use SASL_SSF_EXTERNAL to account for the security mechanism
>provided by our transport layer (SSL). I'm trying the following test:
>
>1) set the SASL_SFF_EXTERNAL to 90 on both server and client. (yeah, 90 is
>arbitrary, but I wanted it to be > 56 for the test).
>2) set the min-ssf to 10 on the client and the server
>3) specify the GSSAPI mechanism and attempt to authenticate....
>
>However, an SSF of 56 gets negotiated (I'm assuming this is supplied by
>GSSAPI):
>
>2009-09-18 10:59:29 info getprop SSF: 56
>2009-09-18 10:59:29 info Installing security layer, SSF: 56
>
>Since the external ssf is already stronger than the GSSAPI security layer, I
>was expecting that the external ssf would take precedence, and keep GSSAPI
>encryption from happening. Instead, it seems like the external ssf factor
>is ignored, and I end up double encrypting (once at TLS, once at sasl).
I'm not clear on how cyrus handles this logic exactly, but you should be
able to accomplish this by setting your your max-ssf to '1', which directs
the sasl library to do no encryption for your selected mechanism (but it
will do integrity protection).
However, I'm not sure what happens if you also set SASL_SSF_EXTERNAL to a
high value.
--
Dan White
More information about the Cyrus-sasl
mailing list