-
Backport
-
Resolution: Delivered
-
P4
-
8u341, 11.0.16-oracle, 17.0.4-oracle
Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.
The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:
**`jdk.https.negotiate.cbt`** (default: <"never">)
This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:
"never". This is also the default value if the property is not set. In this case, CBTs are never sent.
"always". CBTs are sent for all Kerberos authentication attempts over HTTPS.
"domain:<comma separated domain list>" Each domain in the list specifies destination host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com, or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations that don't match one of the list entries
The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.
Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.
The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:
**`jdk.https.negotiate.cbt`** (default: <"never">)
This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:
"never". This is also the default value if the property is not set. In this case, CBTs are never sent.
"always". CBTs are sent for all Kerberos authentication attempts over HTTPS.
"domain:<comma separated domain list>" Each domain in the list specifies destination host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com, or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations that don't match one of the list entries
The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.
- backport of
-
-
- Resolved
-