Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8230491

Restrict Sasl mechanisms



    • CSR
    • Status: Closed
    • P3
    • Resolution: Approved
    • openjdk8u232
    • security-libs
    • None
    • behavioral
    • minimal
    • The default property value is empty so there is no out-of-box behavior change.
    • System or security property
    • JDK


      Original CSR: https://bugs.openjdk.java.net/browse/JDK-8214331


      Provide a security property to restrict the mechanisms used by SASL.


      https://tools.ietf.org/html/rfc6331 states that "The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware." DIGEST-MD5 was intended to be an improvement over CRAM-MD5, which also has various weaknesses. Finally, PLAIN is even weaker since the password is sent as plaintext and not protected.

      That said, SASL is often used within a secure channel (For example, SMTP with STARTTLS) and in this case even PLAIN may be acceptable when the communication is protected by TLS (although it is still preferable to use a stronger mechanism in case the TLS server is compromised). This is similar to using the Basic WWW-Authenticate scheme in HTTPS.


      Add a security property to disable these SASL mechanisms. The default value is empty which means no mechanism is disabled out-of-box. The user can set it to include more mechanisms, especially if their application protocol is not protected by a secure channel like TLS.


      Changes to src/share/classes/javax/security/sasl/Sasl.java:

       * Creates a {@code SaslClient} using the parameters supplied.
       * ...
       * <p>
       * If a mechanism is listed in the {@code jdk.sasl.disabledMechanisms}
       * security property, it will be ignored and won't be negotiated.
       * ...
      public static SaslClient createSaslClient(
          String[] mechanisms,
          String authorizationId,
          String protocol,
          String serverName,
          Map<String,?> props,
          CallbackHandler cbh) throws SaslException {
       * Creates a {@code SaslServer} for the specified mechanism.
       * ...
       * <p>
       * If {@code mechanism} is listed in the {@code jdk.sasl.disabledMechanisms}
       * security property, it will be ignored and this method returns {@code null}.
       * ...
      public static SaslServer
          createSaslServer(String mechanism,
                      String protocol,
                      String serverName,
                      Map<String,?> props,
                      javax.security.auth.callback.CallbackHandler cbh)

      Add the following lines into src/share/lib/security/java.security-*:

      # Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
      # Disabled mechanisms will not be negotiated by both SASL clients and servers.
      # These mechanisms will be ignored if they are specified in the mechanisms argument
      # of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
      # The value of this property is a comma-separated list of SASL mechanisms.
      # The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
      # Note: This property is currently used by the JDK Reference implementation.
      # It is not guaranteed to be examined and used by other implementations.
      # Example:
      #   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5

      (*) OS: aix, linux, macosx, solaris, windows


        Issue Links



              mbalao Martin Balao
              weijun Weijun Wang
              Andrew Hughes
              0 Vote for this issue
              2 Start watching this issue