On Tue, Jan 30, 2007 at 12:13:01AM -0800, Howard Chu wrote:
> When invoked from Cyrus SASL it will only offer confidentiality if the
> sasl-secprops are set with minssf > 1. Since you're talking about your own
> private SASL implementations obviously we can't tell.

Hmmm. I have to look at Cyrus SASL, but I don't see a way how it would be able to not negotiate it. I'm talking about line 514ff in src/lib/gssapi/krb5/init_sec_context.c of MIT krb 1.5.1:

    ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG |
                      ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                                      GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));

This way it does not look at the req_flags given to it via gss_init_sec_context(), it just unconditionally sets GSS_C_CONF_FLAG. If I change it to take GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG from req_flags, then it does work as I would expect.

I hope I don't look stupid here... :-)

Volker
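The flag computation discussed in the message above, as an added example that is not part of the original message or of the MIT krb5 source. It compares the quoted mask with one possible reading of the described change and reports which protection services end up in the context flags without being requested. The function names, the `flags_t` type and the request sets in `main` are constructed for illustration; the flag values are the ones defined in RFC 2744.

```c
#include <stdio.h>

/* Flag values from RFC 2744, redefined so this builds without gssapi.h. */
#define GSS_C_DELEG_FLAG     1u
#define GSS_C_MUTUAL_FLAG    2u
#define GSS_C_REPLAY_FLAG    4u
#define GSS_C_SEQUENCE_FLAG  8u
#define GSS_C_CONF_FLAG     16u
#define GSS_C_INTEG_FLAG    32u
#define GSS_C_TRANS_FLAG   256u

typedef unsigned int flags_t;   /* hypothetical stand-in for OM_uint32 */

/* Mask exactly as quoted in the message: CONF and INTEG are always set. */
static flags_t ctx_flags_quoted(flags_t req_flags)
{
    return GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG |
           (req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                         GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG));
}

/* Assumed form of the change described in the message: CONF and INTEG
 * are taken from req_flags like the other optional services. */
static flags_t ctx_flags_from_request(flags_t req_flags)
{
    return GSS_C_TRANS_FLAG |
           (req_flags & (GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG |
                         GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                         GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG));
}

/* Protection services present in ctx_flags that the caller did not request. */
static flags_t unrequested_protection(flags_t req_flags, flags_t ctx_flags)
{
    return ctx_flags & ~req_flags & (GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG);
}

int main(void)
{
    /* Constructed request sets: mutual auth only, then mutual + integrity. */
    flags_t reqs[] = { GSS_C_MUTUAL_FLAG, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        flags_t q = ctx_flags_quoted(reqs[i]);
        flags_t r = ctx_flags_from_request(reqs[i]);
        printf("req=0x%03x quoted=0x%03x (unrequested 0x%02x) "
               "from_request=0x%03x (unrequested 0x%02x)\n",
               reqs[i], q, unrequested_protection(reqs[i], q),
               r, unrequested_protection(reqs[i], r));
    }
    return 0;
}
```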