Loading...

XML

Word

Printable

Type: CSR
Resolution: Approved
Priority: P3
Fix Version/s: openjdk8u232
Component/s: security-libs
Labels:
None

Subcomponent:
javax.security
Compatibility Kind:

behavioral
Compatibility Risk:
minimal
Compatibility Risk Description:
The default property value is empty so there is no out-of-box behavior change.
Interface Kind:

System or security property
Scope:
JDK

Original CSR: https://bugs.openjdk.java.net/browse/JDK-8214331

Summary

Provide a security property to restrict the mechanisms used by SASL.

Problem

https://tools.ietf.org/html/rfc6331 states that "The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware." DIGEST-MD5 was intended to be an improvement over CRAM-MD5, which also has various weaknesses. Finally, PLAIN is even weaker since the password is sent as plaintext and not protected.

That said, SASL is often used within a secure channel (For example, SMTP with STARTTLS) and in this case even PLAIN may be acceptable when the communication is protected by TLS (although it is still preferable to use a stronger mechanism in case the TLS server is compromised). This is similar to using the Basic WWW-Authenticate scheme in HTTPS.

Solution

Add a security property to disable these SASL mechanisms. The default value is empty which means no mechanism is disabled out-of-box. The user can set it to include more mechanisms, especially if their application protocol is not protected by a secure channel like TLS.

Specification

Changes to src/share/classes/javax/security/sasl/Sasl.java:

/**
 * Creates a {@code SaslClient} using the parameters supplied.
 *
 * ...
 * <p>
 * If a mechanism is listed in the {@code jdk.sasl.disabledMechanisms}
 * security property, it will be ignored and won't be negotiated.
 * ...
 */
public static SaslClient createSaslClient(
    String[] mechanisms,
    String authorizationId,
    String protocol,
    String serverName,
    Map<String,?> props,
    CallbackHandler cbh) throws SaslException {

/**
 * Creates a {@code SaslServer} for the specified mechanism.
 *
 * ...
 * <p>
 * If {@code mechanism} is listed in the {@code jdk.sasl.disabledMechanisms}
 * security property, it will be ignored and this method returns {@code null}.
 * ...
 **/
public static SaslServer
    createSaslServer(String mechanism,
                String protocol,
                String serverName,
                Map<String,?> props,
                javax.security.auth.callback.CallbackHandler cbh)

Add the following lines into src/share/lib/security/java.security-*:

# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
#
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
# These mechanisms will be ignored if they are specified in the mechanisms argument
# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
#
# The value of this property is a comma-separated list of SASL mechanisms.
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
jdk.sasl.disabledMechanisms=

(*) OS: aix, linux, macosx, solaris, windows

csr of

JDK-8230490 Allow Sasl mechanisms to be restricted

In Progress

Assignee:: Martin Balao Alonso

Reporter:: Weijun Wang

Reviewed By:: Andrew Hughes

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2019-09-03 08:27

Updated:: 2019-12-14 10:16

Resolved:: 2019-12-14 10:16

Details

Description

Summary

Problem

Solution

Specification

Attachments

Issue Links

Activity

People

Dates