JDK-8284769

HTTPS Channel Binding support for Java GSS/Kerberos



    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description: The feature is disabled by default. This may change in future.
    • Interface Kind: System or security property
    • Scope: JDK


      Exact copy of JDK-8280581 covering JDK11u and later. (Note that 8u is also affected, but the systemProperty javadoc tag doesn't exist in 8u, so it will need a slightly different spec.)


      Add a networking system property to control generation of channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.ssl.HttpsURLConnection.


      Channel binding tokens are increasingly required as an enhanced security measure that mitigates certain man-in-the-middle attacks, including socially engineered ones in which the client is tricked into connecting to an attacker's endpoint. They work by having the client tell the server what the client believes the binding is between the connection's security (e.g. as represented by the TLS server certificate) and the higher-level authentication credentials (e.g. a username and password). A server that receives a token computed over a certificate other than its own can detect that the client has been fooled by a MITM and shut down the session or connection.


      A system property "jdk.https.negotiate.cbt" is added which controls the feature. It can have the value "never", "always", or a "domain:" prefixed list of domains for which the feature is enabled. When the property is not set, the default behavior is "never".


      Add following text to src/java.base/share/classes/java/net/doc-files/net-properties.html:

      <LI><P><B>{@systemProperty jdk.https.negotiate.cbt}</B> (default: &lt;never&gt;)<BR>
      This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos 
          or the Negotiate authentication scheme using Kerberos are employed over HTTPS with
          {@code HttpsURLConnection}. There are three possible settings:</P>
            <LI><P>"never". This is also the default value if the property is not set. In this case,
                CBTs are never sent.</P>
            <LI><P>"always". CBTs are sent for all Kerberos authentication attempts over HTTPS.</P>
            <LI><P>"domain:&lt;comma separated domain list&gt;" Each domain in the list specifies destination
                host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com,
                or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches 
                all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations 
                that don't match one of the list entries</P>
      <P>The channel binding tokens generated are of the type "tls-server-end-point" as defined in
             RFC 5929.</P>
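The following Java class is an added example, not part of this CSR or of the JDK implementation. It models the documented semantics of jdk.https.negotiate.cbt (evaluating "never", "always" and a "domain:" list against a destination host) and builds the RFC 5929 tls-server-end-point binding that a client would hand to GSSContext.setChannelBinding before initSecContext. The class and method names, the sample policy value and the host names are constructed for illustration. Two details are assumptions rather than documented JDK behaviour: a wildcard entry such as *.foo.com is taken not to match the apex foo.com itself, and IP literals are compared textually.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Locale;
import org.ietf.jgss.ChannelBinding;

/** Illustrative model of the jdk.https.negotiate.cbt semantics and the RFC 5929 binding (not JDK code). */
public final class NegotiateCbtExample {

    /** Evaluates a jdk.https.negotiate.cbt value ("never", "always", "domain:...") for one destination host. */
    static boolean cbtEnabledFor(String setting, String host) {
        if (setting == null) return false;                          // property not set: same as "never"
        String s = setting.trim();
        if (s.equalsIgnoreCase("never")) return false;
        if (s.equalsIgnoreCase("always")) return true;
        if (!s.regionMatches(true, 0, "domain:", 0, 7)) {
            throw new IllegalArgumentException("unrecognised jdk.https.negotiate.cbt value: " + setting);
        }
        String h = normalize(host);
        for (String entry : s.substring(7).split(",")) {
            String e = normalize(entry);
            if (e.startsWith("*.")) {
                // "*.foo.com" covers hosts under foo.com at any depth. Assumption: the apex foo.com itself is
                // not matched by the wildcard; add it as its own entry if it should be.
                String suffix = e.substring(1);                     // ".foo.com"
                if (h.length() > suffix.length() && h.endsWith(suffix)) return true;
            } else if (!e.isEmpty() && e.equals(h)) {
                return true;                                        // single host or literal IP such as "[fd00::10]"
            }
        }
        return false;                                               // no entry matched: no CBT for this host
    }

    /** Case-insensitive host comparison with a trailing dot stripped; IP literals are compared as text only. */
    private static String normalize(String name) {
        String n = name.trim().toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }

    /**
     * Hash for RFC 5929 tls-server-end-point: the hash of the certificate's signature algorithm, except that
     * MD5 and SHA-1 are replaced by SHA-256. Java signature algorithm names look like "SHA256withRSA".
     */
    static String endPointHashAlgorithm(String sigAlgName) throws NoSuchAlgorithmException {
        String alg = sigAlgName.toUpperCase(Locale.ROOT);
        int with = alg.indexOf("WITH");
        if (with <= 0) {
            // "RSASSA-PSS" (hash only in the parameters) or "ED25519" (no single hash): RFC 5929 leaves the
            // binding undefined for these, so refuse instead of guessing and silently mismatching the server.
            throw new NoSuchAlgorithmException("no single hash in signature algorithm " + sigAlgName);
        }
        switch (alg.substring(0, with).replace("-", "")) {
            case "MD5":
            case "SHA1":
            case "SHA256":
                return "SHA-256";
            case "SHA384":
                return "SHA-384";
            case "SHA512":
                return "SHA-512";
            default:
                throw new NoSuchAlgorithmException("unsupported hash in signature algorithm " + sigAlgName);
        }
    }

    /** Builds the GSS channel binding a client passes to GSSContext.setChannelBinding before initSecContext. */
    static ChannelBinding tlsServerEndPoint(X509Certificate serverCert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(endPointHashAlgorithm(serverCert.getSigAlgName()));
        byte[] certHash = md.digest(serverCert.getEncoded());      // DER encoding of the end-entity certificate
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] appData = new byte[prefix.length + certHash.length];
        System.arraycopy(prefix, 0, appData, 0, prefix.length);
        System.arraycopy(certHash, 0, appData, prefix.length, certHash.length);
        return new ChannelBinding(appData);                         // application data only, no address bindings
    }

    public static void main(String[] args) throws Exception {
        String policy = "domain:intranet,*.corp.example.com,[fd00::10]";   // constructed policy value
        for (String host : new String[] {"intranet", "sso.corp.example.com", "a.b.corp.example.com",
                                         "corp.example.com", "[fd00::10]", "evil.example.net"}) {
            System.out.println(host + " -> CBT " + (cbtEnabledFor(policy, host) ? "sent" : "not sent"));
        }
        if (args.length == 1) {                                     // optional: path to a PEM or DER server cert
            try (InputStream in = Files.newInputStream(Path.of(args[0]))) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                StringBuilder hex = new StringBuilder();
                for (byte b : tlsServerEndPoint(cert).getApplicationData()) hex.append(String.format("%02x", b));
                System.out.println("tls-server-end-point application data (prefix + hash): " + hex);
            }
        }
    }
}
```

Run it with the server's certificate file as the single argument to see the application data the client would bind to; the server side (for example a Kerberos-enabled web server validating Negotiate) must derive the same hash from its own certificate. Two practical caveats follow directly from the construction: the binding covers the end-entity certificate the client actually saw, so a TLS-intercepting proxy that re-signs certificates will make every CBT mismatch at the origin server, and a certificate signed with an algorithm that has no single hash (RSASSA-PSS, Ed25519) has no defined tls-server-end-point binding, which the example surfaces as an exception rather than a silent mismatch.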





              mdoerr Martin Doerr
              pkumaraswamy Prajwal Kumaraswamy
              Goetz Lindenmaier