Bug 3480 - gssapi (cvs) breaks when external_ssf >= max_ssf

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Apr 21 11:24:35 EDT 2015


>We were dealing recently with this bug in our environment and since 
>there is no official statement from authors, I'm CC'ing also author of 
>this commit [1], who is also author of RFC [2], if I got this right. I 
>was reading through the RFC and this commit does it exactly according to 
>specification, but it looks like it is not backward compatible with some 
>other implementations, namely M$ ActiveDirectory or even 
>cyrus-sasl-2.1.23. Interoperability is important for us and we can't 
>leave this change here only because of "it's in RFC". If I see 
>correctly, most of distributions reverted this commit in their releases 
>and they are still doing fine. We will probably join them, if there will 
>not be any other solution to maintain backward compatibility.

You know, a reading of the RFC says that if you're requesting a security
layer you MUST set the mutual_req_flag flag to TRUE, but it does not
say that you MUST set it to false if you are not.  So my reading of
the code says that it's RFC compliant without this change.  And honestly,
I cannot really envision a reason why you would ever NOT want mutual
authentication (I am neutral on the sequence flag, but I cannot see the
harm in setting it).

--Ken
