Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8279842

HTTPS Channel Binding support for Java GSS/Kerberos

XMLWordPrintable

    • b08

        For few of the services provided by server, channel binding is made mandatory for more secure communication.
        In such a case, HTTPS connection must support channel binding, with WWW-Authenticate: Negotiate {token generated with channel binding info} in the request header.

        Ex.
        On Microsoft 2019 standard server, with CES installed, Microsoft provides the option to enable EPA (Channel binding is mandatory).

        In such a case, end user can connect to server via HTTPS, from a token generated via GSSContext as below.
          
        HttpsURLConnection httpsConnection = (HttpsURLConnection) targetUrl.openConnection();
        httpsConnection.setRequestProperty("Authorization", "Negotiate " + token);

        As of now, the only way to get this code working is to set channel binding in GSSContext using TlsChannelBinding and TlsChannelBindingImpl

        // Sets CBT
        X509Certificate cert = getX509ServerCertificate("C:\\Users\\oracle\\Downloads\\chbindpgms","cacer_ie.cer");
        TlsChannelBinding tlsCB = TlsChannelBinding.create(cert);
        clientContext.setChannelBinding(new TlsChannelBindingImpl(tlsCB.getData()));

        However both TlsChannelBindingImpl and TlsChannelBinding is not visible for other modules and also we need a fix similar to that of JDK-8245527

          1.
          		 Release Note: HTTPS Channel Binding Support for Java GSS/Kerberos Sub-task Resolved Michael McMahon  

              michaelm Michael McMahon
              pkumaraswamy Prajwal Kumaraswamy
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: