Current semantics for channel-bindings in GSSAPI
Isaac Boukris
iboukris at gmail.com
Thu Feb 27 20:27:32 EST 2020
Hi Greg, all
Following the discussion on IRC, there is currently a difference in
between Heimdal and MIT, when the client does not send bindings, and
the server does pass bindings to accept(), in MIT it fails, in Heimdal
it succeeds.
In Windows, there is a three option flag:
LdapEnforceChannelBindings=0 - not enforced at all.
LdapEnforceChannelBindings=1 - enforced on supporting clients
(bindings not zeroes, and that ad-element).
LdapEnforceChannelBindings=2 - enforced for all clients.
To my understanding, we can implement LdapEnforceChannelBindings=2 in
MIT and LdapEnforceChannelBindings=1 in Heimdal by passing the
bindings to accept(), but not vise versa.
In my opinion MIT behavior is correct, allowing to enforce
channel-binding indeed, and I think we should consider the same in
Heimdal.
Nevertheless, we need a way to implement both option. The only way I
can think how to currently implement LdapEnforceChannelBindings=1 in
MIT is to call accept() twice and hope not to get replay-errors.
Thoughts?
More information about the krbdev
mailing list