JDK-8279842

HTTPS Channel Binding support for Java GSS/Kerberos

    Details

    • Resolved In Build: b08

        Description

        For some of the services provided by a server, channel binding is made mandatory for more secure communication.
        In such a case, the HTTPS connection must support channel binding, with WWW-Authenticate: Negotiate {token generated with channel binding info} in the request header.

        Example:
        On a Microsoft 2019 Standard server with CES installed, Microsoft provides the option to enable EPA (channel binding is mandatory).

        In such a case, the end user can connect to the server via HTTPS using a token generated via GSSContext, as below.
          
        HttpsURLConnection httpsConnection = (HttpsURLConnection) targetUrl.openConnection();
        httpsConnection.setRequestProperty("Authorization", "Negotiate " + token);

        As of now, the only way to get this code working is to set the channel binding in GSSContext using TlsChannelBinding and TlsChannelBindingImpl:

        // Sets CBT
        X509Certificate cert = getX509ServerCertificate("C:\\Users\\oracle\\Downloads\\chbindpgms","cacer_ie.cer");
        TlsChannelBinding tlsCB = TlsChannelBinding.create(cert);
        clientContext.setChannelBinding(new TlsChannelBindingImpl(tlsCB.getData()));

        However, both TlsChannelBindingImpl and TlsChannelBinding are not visible to other modules, and we also need a fix similar to that of JDK-8245527.
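
        Added example, not code from this issue or from the JDK: building the RFC 5929 tls-server-end-point channel binding data with public APIs only (java.security.MessageDigest and org.ietf.jgss.ChannelBinding) and attaching it to a GSSContext. The class and method names are hypothetical, the byte array in main is a constructed stand-in for a DER certificate, and refusing signature algorithms that name no digest is this example's choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Locale;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;

// Added example (hypothetical class name); uses public JDK APIs only.
public class EndPointBinding {
    static final String PREFIX = "tls-server-end-point:";

    // RFC 5929 section 4.1: hash the certificate with the digest of its
    // signature algorithm, but substitute SHA-256 when that is MD5 or SHA-1.
    static String digestFor(String sigAlgName) {
        String s = sigAlgName.toUpperCase(Locale.ROOT);
        int with = s.indexOf("WITH");
        if (with <= 0) {
            // No digest in the name (e.g. Ed25519): undefined in RFC 5929, so fail closed.
            throw new IllegalArgumentException("no digest in " + sigAlgName);
        }
        String h = s.substring(0, with).replace("-", "");
        if (h.equals("MD5") || h.equals("SHA1")) return "SHA-256";
        if (h.matches("SHA(224|256|384|512)")) return "SHA-" + h.substring(3);
        throw new IllegalArgumentException("unsupported digest " + h);
    }

    // Binding data = ASCII prefix followed by the hash of the DER-encoded certificate.
    static byte[] bindingData(String sigAlgName, byte[] derCert) throws Exception {
        byte[] hash = MessageDigest.getInstance(digestFor(sigAlgName)).digest(derCert);
        byte[] prefix = PREFIX.getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[prefix.length + hash.length];
        System.arraycopy(prefix, 0, out, 0, prefix.length);
        System.arraycopy(hash, 0, out, prefix.length, hash.length);
        return out;
    }

    // Attach the binding before the first initSecContext() call on the context.
    static void bind(GSSContext ctx, X509Certificate serverCert) throws Exception {
        byte[] data = bindingData(serverCert.getSigAlgName(), serverCert.getEncoded());
        ctx.setChannelBinding(new ChannelBinding(data));
    }

    public static void main(String[] args) throws Exception {
        byte[] fakeDer = {0x30, 0x03, 0x02, 0x01, 0x01}; // constructed stand-in, not a real certificate
        for (String alg : new String[] {"SHA1withRSA", "SHA256withRSA", "SHA384withECDSA"}) {
            int len = bindingData(alg, fakeDer).length;
            System.out.println(alg + " -> " + digestFor(alg) + ", " + len + " bytes");
        }
    }
}
```

        The certificate passed to bind must be the leaf certificate the server presented on the TLS connection that will carry the token; a binding computed from any other certificate will not match what the server computes.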

                People

                Assignee:
                michaelm Michael McMahon
                Reporter:
                pkumaraswamy Prajwal Kumaraswamy