Re: GSSAPI signing/encryption for unsuspectingly applications (its not a bug)

[mikbec <mikbec@web.de>]

Quanah Gibson-Mount wrote:
> --On May 14, 2009 3:14:46 PM -0700 Quanah Gibson-Mount 
> <quanah@zimbra.com> wrote:
>
> > --On May 14, 2009 3:05:25 PM -0700 Howard Chu <hyc@symas.com> wrote:
> >
> > > Quanah Gibson-Mount wrote:
> > > > --On May 14, 2009 2:22:46 PM -0700 Howard Chu<hyc@symas.com>  wrote:
> > > >
> > > > > > Secondly it seems so that Cyrus SASL code does not support SSF larger
> > > > > > than 56 for GSSAPI based signing/encryption (aka
> > > > > > integrity/confidential
> > > > >
> > > > > Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.
>
>
> In any case, the way cyrus-sasl current works, the reported SSF value is 
> pretty irrelevant, since it is hard coded.  If you (Mike) are 
That is absolutly correct. SSF is hard coded to 56 in Cyrus SASL for
GSSAPI. Additionally I have made some tests to change that define to 128
but this doesn't change anything. It seems so that encyption type will
not negotiated .... but that is only an assumption by me.

> particularly interested in improving the SASL/GSSAPI interactions in 
> OpenLDAP, I'd advise you work on re-working the Cyrus SASL GSSAPI plugin 
yes .. I'm very interested in to get this work and ...


> to do things like get the SSF from the underlying kerberos libraries, 
> and back when it's negotiated, so OpenLDAP can report the accurate 
> values.  The folks on the Cyrus-sasl project are actively developing 
> again, so now is the time to start contributing to that project.
... if they work again on SASL I will give this opportunity a try.


best regards
  Mike

> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration