[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI signing/encryption for unsuspectingly applications (its not a bug)

--On May 14, 2009 3:14:46 PM -0700 Quanah Gibson-Mount <quanah@zimbra.com> wrote:

--On May 14, 2009 3:05:25 PM -0700 Howard Chu <hyc@symas.com> wrote:

Quanah Gibson-Mount wrote:
--On May 14, 2009 2:22:46 PM -0700 Howard Chu<hyc@symas.com>  wrote:

Secondly it seems so that Cyrus SASL code does not support SSF larger
than 56 for GSSAPI based signing/encryption (aka

Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.

In any case, the way cyrus-sasl current works, the reported SSF value is pretty irrelevant, since it is hard coded. If you (Mike) are particularly interested in improving the SASL/GSSAPI interactions in OpenLDAP, I'd advise you work on re-working the Cyrus SASL GSSAPI plugin to do things like get the SSF from the underlying kerberos libraries, and back when it's negotiated, so OpenLDAP can report the accurate values. The folks on the Cyrus-sasl project are actively developing again, so now is the time to start contributing to that project.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration