[Date Prev][Date Next]
Re: Disable GSSAPI confidentiality
On Fri, 12 Dec 2008, Jeremiah Martell wrote:
> Interesting. I wanted to do this because Microsoft servers complain
> about redundant encryption.
> If your GSSAPI provides confidentiality, and you're trying to use TLS,
> they barf out this error:
> Cannot start kerberos signing/sealing when using TLS/SSL
> I'll experiment with setting it to 1, but perhaps I'm already
> protected by using TLS from the things you mentioned?
Short answer: yes.
All the normally enabled TLS cipher suites provide integrity protection
(and confidentiality, for that matter).
Long answer: it depends
The issue is that there's no 'binding' of the GSSAPI authentication to the
TLS channel: the GSSAPI bits on the two ends can't be sure that they're
actually talking across the same secure channel.
The classic illustration is a server that requires confidentiality, but a
client that doesn't. If the client sends a bind that doesn't request
confidentiality without first doing StartTLS, the server will reject it
(or require confidentiality to be negotiated anyway, I don't remember
which). However, an active attacker could intercept the client's
connection, then make its own connection to the server and negotiate TLS
and pass the data between those. The server would think the connection
has confidentiality and let it go forward, but that's not actually true.
There are two solutions to this:
1) enforce the confidentiality requirement in the client (if TLS is used,
then checking of the server's cert must be done for this to be secure)
2) use a SASL mechanism that supports "channel bindings"
The latter is still a work in progress and will require time for support
to be taken up by clients and servers.
Right now, if you're using an LDAP client with ldaps or that requires
StartTLS (ala the -ZZ option) and it does proper server certificate
checking (which has been the default in OpenLDAP since at least 2.2), then
you're fine, but keep in mind that enforcing the confidentiality of the
connection is incumbent on the client doing those correctly.