- Enhancement
- Resolution: Fixed
- P4
- 5.0
- b63
- x86
- windows_2000
Name: js151677 Date: 08/24/2004
FULL PRODUCT VERSION :
java version "1.5.0-beta2"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-beta2-b51)
Java HotSpot(TM) Client VM (build 1.5.0-beta2-b51, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 2000 [Version 5.00.2195]
A DESCRIPTION OF THE PROBLEM :
In most cases, the com.sun.security.sasl.digest.DigestMD5Server class will return an exception (javax.security.sasl.SaslException: DIGEST-MD5: No common protection layer between client and server) if the client and server specify incompatible QOP values in property 'javax.security.sasl.qop';
If, however, on the server-side the 'javax.security.sasl.qop' property is not defined at all (not even a blank value), then the server lets the connection proceed as 'auth' level even if the client requested a high level of security, e.g. 'javax.security.sasl.qop=auth-conf'.
This can lead a client to believe they have achieved a level of security that has not actually been granted.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
In a SASL testbed with the DIGEST-MD5 mechanism, set property 'javax.security.sasl.qop' as follows:
on client: javax.security.sasl.qop=auth-conf
on server: not defined at all
Have client connect to server.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An exception should be thrown similar to:
javax.security.sasl.SaslException: DIGEST-MD5: No common protection layer between client and server
at com.sun.security.sasl.digest.DigestMD5Client.checkQopSupport(DigestMD5Client.java:394)
at com.sun.security.sasl.digest.DigestMD5Client.evaluateChallenge(DigestMD5Client.java:208)
at com.sun.jmx.remote.opt.security.SASLClientHandler.consumeMessage(SASLClientHandler.java:194)
at com.sun.jmx.remote.opt.security.AdminClient.connectionOpen(AdminClient.java:137)
at com.sun.jmx.remote.generic.ClientSynchroMessageConnectionImpl.connect(ClientSynchroMessageConnectionImpl.java:73)
at javax.management.remote.generic.GenericConnector.connect(GenericConnector.java:169)
at javax.management.remote.jmxmp.JMXMPConnector.connect(JMXMPConnector.java:117)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
ACTUAL -
No exception is thrown; client proceeds at 'auth' level (not auth-int or auth-conf)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Make sure that property 'javax.security.sasl.qop' is always set to something (even if just blank or 'auth') on the server-side of the SASL DIGEST-MD5 connection.
(Incident Review ID: 300524)
======================================================================
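A client-side guard for the behaviour described in the report, added here as an example and not part of the report or of the JDK: it drives a DIGEST-MD5 exchange in-process through the javax.security.sasl API, applies the reported server-side workaround (Sasl.QOP always set explicitly), and then refuses the session unless the QOP the client actually negotiated equals the one it required. The protocol name "demo", server name "localhost" and the credentials are constructed placeholders.

```java
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class QopGuard {
    // Constructed demo credentials; "demo" and "localhost" below are placeholder protocol/server names.
    static final String USER = "alice", PASS = "s3cret";

    // One handler serves both sides: name/password lookup, default realm, and authorization approval.
    static CallbackHandler handler() {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(USER);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(PASS.toCharArray());
                else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                else if (cb instanceof AuthorizeCallback) ((AuthorizeCallback) cb).setAuthorized(true);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Drives a complete DIGEST-MD5 exchange in-process and returns the authenticated client. */
    static SaslClient negotiate(Map<String, ?> clientProps, Map<String, ?> serverProps) throws SaslException {
        SaslServer srv = Sasl.createSaslServer("DIGEST-MD5", "demo", "localhost", serverProps, handler());
        SaslClient cli = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, "demo", "localhost",
                                               clientProps, handler());
        byte[] token = cli.hasInitialResponse() ? cli.evaluateChallenge(new byte[0]) : new byte[0];
        while (!srv.isComplete() || !cli.isComplete()) {
            if (!srv.isComplete()) token = srv.evaluateResponse(token);   // challenge, later rspauth
            if (!cli.isComplete() && token != null) token = cli.evaluateChallenge(token);
        }
        return cli;
    }

    /** Rejects the session if the negotiated QOP is not the one the client required. */
    static String requireQop(SaslClient cli, String required) throws SaslException {
        String negotiated = (String) cli.getNegotiatedProperty(Sasl.QOP);
        if (!required.equals(negotiated)) {
            throw new SaslException("requested QOP " + required + " but server granted " + negotiated);
        }
        return negotiated;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> clientProps = Map.of(Sasl.QOP, "auth-conf");
        // Reported workaround: never leave Sasl.QOP undefined on the server side.
        Map<String, String> serverProps = Map.of(Sasl.QOP, "auth-conf");
        SaslClient cli = negotiate(clientProps, serverProps);
        System.out.println("negotiated QOP: " + requireQop(cli, "auth-conf"));
        cli.dispose();
    }
}
```

On a build that shows the reported behaviour with the server property left undefined, requireQop throws instead of letting the client send data at 'auth' while believing it has 'auth-conf'.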