Posted to dev@qpid.apache.org by "Alex Rudyy (JIRA)" <ji...@apache.org> on 2016/05/30 11:54:12 UTC
[jira] [Created] (QPID-7282) Java Broker should always send server-final message (if required) to the client on successful SASL negotiation
Alex Rudyy created QPID-7282:
--------------------------------
Summary: Java Broker should always send server-final message (if required) to the client on successful SASL negotiation
Key: QPID-7282
URL: https://issues.apache.org/jira/browse/QPID-7282
Project: Qpid
Issue Type: Bug
Components: Java Broker
Affects Versions: qpid-java-6.0.3, qpid-java-6.0.2, qpid-java-6.0.1, qpid-java-6.0, 0.32, 0.30, qpid-java-6.1
Reporter: Alex Rudyy
On Scram Sha SASL negotiation the Broker does not send the server-final challenge (ServerSignature) with the following authentication providers:
* Simple (SimpleAuthenticationManager)
* Base64MD5PasswordFile (Base64MD5PasswordDatabaseAuthenticationManager)
* PlainPasswordFile (PlainPasswordDatabaseAuthenticationManager)
The SASL negotiation for Scram Sha SASL mechanisms should always include sending of the server-final message in order to give the client a chance to verify the server signature, as per [RFC 5802|https://tools.ietf.org/html/rfc5802#page-7]
{quote}
The client then authenticates the server by computing the
ServerSignature and comparing it to the value sent by the server. If
the two are different, the client MUST consider the authentication
exchange to be unsuccessful, and it might have to drop the
connection.
{quote}
We need to change all existing Authentication Providers to support sending of the final message.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
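The exchange the issue refers to, worked through end to end as an added example (this is constructed illustration code, not Qpid Java Broker code). It implements the SCRAM-SHA-256 computations of RFC 5802 / RFC 7677 for both sides: the server stores only salt, iteration count, StoredKey and ServerKey; the client proves knowledge of the password and then checks the ServerSignature from the server-final message. The class names `ScramServer`, `ScramClient` and the `send_server_final` switch are assumptions introduced here; the switch models the reported behaviour of a broker that authenticates the client but never sends the `v=` message, and shows why a client following the RFC must treat that as a failed exchange rather than a success (SASLprep normalization of the password is omitted for brevity).

```python
"""Worked SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677). Constructed example; not Qpid code."""
import base64
import hashlib
import hmac
import os

HASH = "sha256"           # SCRAM-SHA-256; SCRAM-SHA-1 is the same flow with "sha1"
CLIENT_KEY = b"Client Key"
SERVER_KEY = b"Server Key"


def _h(data):
    return hashlib.new(HASH, data).digest()


def _hmac(key, msg):
    return hmac.new(key, msg, HASH).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _parse(msg):
    """Parse 'k=v,k=v' SCRAM attributes; base64 values never contain commas."""
    return dict(part.split("=", 1) for part in msg.split(","))


class ScramServer:
    """Models the broker (hypothetical class). Keeps StoredKey and ServerKey only; never the password."""

    def __init__(self, username, password, iterations=4096, send_server_final=True):
        self.salt = os.urandom(16)
        self.iterations = iterations
        salted = hashlib.pbkdf2_hmac(HASH, password.encode(), self.salt, iterations)  # Hi()
        stored_key = _h(_hmac(salted, CLIENT_KEY))
        self.users = {username: (stored_key, _hmac(salted, SERVER_KEY))}
        self.send_server_final = send_server_final  # False models the behaviour reported in the issue

    def first(self, client_first):
        self.client_first_bare = client_first.split(",", 2)[2]  # drop the "n,," GS2 header
        attrs = _parse(self.client_first_bare)
        self.username = attrs["n"]
        self.nonce = attrs["r"] + _b64(os.urandom(12))         # server extends the client nonce
        self.server_first = f"r={self.nonce},s={_b64(self.salt)},i={self.iterations}"
        return self.server_first

    def final(self, client_final):
        attrs = _parse(client_final)
        if attrs["r"] != self.nonce or self.username not in self.users:
            raise ValueError("authentication failed")
        stored_key, server_key = self.users[self.username]
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_message = f"{self.client_first_bare},{self.server_first},{without_proof}".encode()
        # ClientKey = ClientProof XOR ClientSignature; valid iff H(ClientKey) == StoredKey
        client_key = _xor(base64.b64decode(attrs["p"]), _hmac(stored_key, auth_message))
        if not hmac.compare_digest(_h(client_key), stored_key):
            raise ValueError("authentication failed")
        if not self.send_server_final:
            return None  # client is authenticated, but no ServerSignature is ever sent
        return "v=" + _b64(_hmac(server_key, auth_message))  # server-final message


class ScramClient:
    """Models the client (hypothetical class)."""

    def __init__(self, username, password):
        self.password = password
        self.nonce = _b64(os.urandom(12))
        self.client_first_bare = f"n={username},r={self.nonce}"

    def first(self):
        return "n,," + self.client_first_bare

    def final(self, server_first):
        attrs = _parse(server_first)
        if not attrs["r"].startswith(self.nonce):
            raise ValueError("server nonce does not extend client nonce")
        salted = hashlib.pbkdf2_hmac(HASH, self.password.encode(), base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = _hmac(salted, CLIENT_KEY)
        without_proof = f"c={_b64(b'n,,')},r={attrs['r']}"
        auth_message = f"{self.client_first_bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(_h(client_key), auth_message))
        # Precompute what the server-final message must carry so we can authenticate the server
        self.expected_server_sig = _hmac(_hmac(salted, SERVER_KEY), auth_message)
        return f"{without_proof},p={_b64(proof)}"

    def verify(self, server_final):
        """RFC 5802: a missing or mismatching ServerSignature means the exchange is unsuccessful."""
        if server_final is None:
            return False
        return hmac.compare_digest(base64.b64decode(_parse(server_final)["v"]), self.expected_server_sig)


def run_exchange(send_server_final=True, client_password="s3cret"):
    """Drive a full exchange; constructed credentials, user 'alice' / 's3cret'."""
    server = ScramServer("alice", "s3cret", send_server_final=send_server_final)
    client = ScramClient("alice", client_password)
    server_first = server.first(client.first())
    try:
        server_final = server.final(client.final(server_first))
    except ValueError:
        return "server-rejected"
    return "mutual-auth-ok" if client.verify(server_final) else "server-unverified"
```

With `send_server_final=True` the run ends in `mutual-auth-ok`; with it set to `False` the client is accepted by the server yet reports `server-unverified`, which is the outcome the issue describes and the reason a compliant client cannot treat such a session as authenticated.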