Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8285840

Release Note: HTTPS Channel Binding support for Java GSS/Kerberos



    • Type: Backport
    • Status: Resolved
    • Priority: P4
    • Resolution: Delivered
    • Affects Version/s: 8u341, 11.0.16-oracle, 17.0.4-oracle
    • Fix Version/s: 8u341
    • Component/s: core-libs


      Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

      Channel binding tokens are increasingly required as an enhanced form of security which can mitigate certain kinds of socially engineered, man in the middle (MITM) attacks. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

      The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:

      **`jdk.https.negotiate.cbt`** (default: <"never">)
      This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:

      "never". This is also the default value if the property is not set. In this case, CBTs are never sent.

      "always". CBTs are sent for all Kerberos authentication attempts over HTTPS.

      "domain:<comma separated domain list>" Each domain in the list specifies destination host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com, or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations that don't match one of the list entries

      The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.


          Issue Links



              pkumaraswamy Prajwal Kumaraswamy
              michaelm Michael McMahon
              0 Vote for this issue
              1 Start watching this issue