JDK-8280581: HTTPS Channel Binding support for Java GSS/Kerberos


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • Fix Version: 19
    • Component: core-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description: The feature is disabled by default. This may change in future.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Add a networking system property to control the generation of Channel Binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.ssl.HttpsURLConnection.

      Problem

      Channel binding tokens are increasingly required as an enhanced form of security that can mitigate certain kinds of socially engineered man-in-the-middle attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (e.g. as represented by a TLS server certificate) and higher-level authentication credentials (e.g. a username and password). The server can then detect whether the client has been fooled by a MITM and shut down the session/connection.

      Solution

      A system property "jdk.https.negotiate.cbt" is added which controls the feature. It can have values "never", "always", or a value that specifies a set of domains that the feature is enabled for. The default behavior when the property is not set is "never".

      Specification

      Add the following text to src/java.base/share/classes/java/net/doc-files/net-properties.html:

      <LI><P><B>{@systemProperty jdk.https.negotiate.cbt}</B> (default: &lt;never&gt;)<BR>
      This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos
      or the Negotiate authentication scheme using Kerberos is employed over HTTPS with
      {@code HttpsURLConnection}. There are three possible settings:</P>
      <OL>
        <LI><P>"never". This is also the default value if the property is not set. In this case,
            CBTs are never sent.</P>
        <LI><P>"always". CBTs are sent for all Kerberos authentication attempts over HTTPS.</P>
        <LI><P>"domain:&lt;comma separated domain list&gt;". Each domain in the list specifies the destination
            host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com,
            or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches
            all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations
            that don't match one of the list entries.</P>
      </OL>
      <P>The channel binding tokens generated are of the type "tls-server-end-point" as defined in
         RFC 5929.</P>
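As an added worked example (not code from the JDK or from this CSR), the following Java class models the decision the property value describes: it parses the three documented forms of `jdk.https.negotiate.cbt` and answers, per destination host, whether a CBT would be sent. The class name `CbtPolicy`, its method names, the fail-closed handling of unrecognised values, the bracket stripping for RFC 2732 IPv6 literals, and the reading of `*.foo.com` as not matching the bare `foo.com` are assumptions of this example; in the JDK the decision is made inside the HTTPS client when it reads the property.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Illustrative model of the jdk.https.negotiate.cbt property semantics.
 * Added example for this page; it is not the JDK's own implementation.
 */
public final class CbtPolicy {

    /** Property name as documented in the CSR. */
    public static final String PROPERTY = "jdk.https.negotiate.cbt";

    enum Mode { NEVER, ALWAYS, DOMAIN }

    private final Mode mode;
    private final List<String> entries;   // normalised entries of the "domain:" list

    private CbtPolicy(Mode mode, List<String> entries) {
        this.mode = mode;
        this.entries = entries;
    }

    /** Builds the policy from the property value; null means "never" (the documented default). */
    public static CbtPolicy parse(String value) {
        if (value == null) {
            return new CbtPolicy(Mode.NEVER, List.of());
        }
        String v = value.trim();
        if (v.equalsIgnoreCase("never")) {
            return new CbtPolicy(Mode.NEVER, List.of());
        }
        if (v.equalsIgnoreCase("always")) {
            return new CbtPolicy(Mode.ALWAYS, List.of());
        }
        if (v.regionMatches(true, 0, "domain:", 0, 7)) {
            List<String> list = new ArrayList<>();
            for (String e : v.substring(7).split(",")) {
                String entry = normalize(e);
                if (!entry.isEmpty()) {
                    list.add(entry);
                }
            }
            return new CbtPolicy(Mode.DOMAIN, list);
        }
        // ASSUMPTION of this example: unrecognised syntax fails closed and behaves like "never".
        return new CbtPolicy(Mode.NEVER, List.of());
    }

    /** Reads the policy from the JVM system property (e.g. set with -Djdk.https.negotiate.cbt=...). */
    public static CbtPolicy fromSystemProperty() {
        return parse(System.getProperty(PROPERTY));
    }

    /** Returns true if a CBT would be sent to the given destination host. */
    public boolean sendCbtTo(String host) {
        switch (mode) {
            case NEVER:
                return false;
            case ALWAYS:
                return true;
            default:
                String h = normalize(host);
                for (String entry : entries) {
                    if (entry.startsWith("*.")) {
                        // Wildcard entry: matches every host under the suffix, including sub-domains.
                        // ASSUMPTION: "*.foo.com" covers "a.foo.com" and "a.b.foo.com", not "foo.com" itself.
                        String suffix = entry.substring(1);          // ".foo.com"
                        if (h.length() > suffix.length() && h.endsWith(suffix)) {
                            return true;
                        }
                    } else if (entry.equals(h)) {
                        // Single host name or literal IP address (IPv6 brackets removed by normalize()).
                        return true;
                    }
                }
                return false;
        }
    }

    /** Lower-cases and strips RFC 2732 brackets so "[::1]" and "::1" compare equal. */
    private static String normalize(String s) {
        String t = s.trim().toLowerCase(Locale.ROOT);
        if (t.startsWith("[") && t.endsWith("]")) {
            t = t.substring(1, t.length() - 1);
        }
        return t;
    }

    public static void main(String[] args) {
        // Constructed sample values covering the three documented settings.
        CbtPolicy never = CbtPolicy.parse(null);
        CbtPolicy always = CbtPolicy.parse("always");
        CbtPolicy domains = CbtPolicy.parse("domain:foo, *.foo.com, [::1], 192.0.2.10");

        System.out.println("default  -> foo.com:        " + never.sendCbtTo("foo.com"));
        System.out.println("always   -> foo.com:        " + always.sendCbtTo("foo.com"));
        System.out.println("domain   -> foo:            " + domains.sendCbtTo("foo"));
        System.out.println("domain   -> bar.foo.com:    " + domains.sendCbtTo("bar.foo.com"));
        System.out.println("domain   -> x.bar.foo.com:  " + domains.sendCbtTo("x.bar.foo.com"));
        System.out.println("domain   -> [::1]:          " + domains.sendCbtTo("[::1]"));
        System.out.println("domain   -> evil.com:       " + domains.sendCbtTo("evil.com"));
    }
}
```

The `domain:` form is the one to reach for in practice: it limits CBT generation to the hosts whose TLS certificate you expect the Kerberos service to be bound to, and the fail-closed parse keeps a mistyped property value from silently enabling tokens everywhere.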

      People: Michael McMahon (michaelm), Prajwal Kumaraswamy (pkumaraswamy), Daniel Fuchs