HTTP && HTTPS Transport Review

Robbie Harwood rharwood at
Thu Aug 8 17:41:55 EDT 2013


I have written code to add support for HTTP && HTTPS transport of
Kerberos traffic to the KDC which I would like to submit for review.  It
can be found on my github[0].

The (currently only) way to specify a HTTP/HTTPS connection to the KDC
is through editing the krb5.conf file.  As such, the specification of a
KDC location has changed; it can now have an optional protocol
prepended.  Since the protocol is _optional_ and the behavior when no
protocol is specified is unchanged from the current behavior, this will
not break any existing configurations.

HTTP && HTTPS transport of traffic is carried out through a POST request
with body containing (what would be) the request if it were to be sent
over TCP, base64-encoded; the response has the same structure.
Currently, the only option for securing HTTPS is OpenSSL, though NSS
support is planned for the future (a configure flag is included).

Code for testing can be found in my krb-proxies repository[1].  This
includes a reference implementation (in Python using WSGI) for the KDC's
end of HTTP transport (which can be used to test HTTPS as well using
e.g., Apache with mod_ssl or similar).  Additionally, a client-side
proxy (in C optionally using OpenSSL) is included as well for use with
versions of Kerberos which do not yet support HTTP && HTTPS transport.

I have already written all of the code mentioned above.  Copyright for
the changes to krb5 is assigned to Red Hat, Inc. under the same 3-clause
BSD license previously used.  Questions/comments welcome.

IRC: freenode/rharwood


More information about the krbdev mailing list