Hi all,
I'm trying to use SASL_SSF_EXTERNAL to account for the security mechanism provided by our transport layer (SSL). I'm trying the following test:
1) set the SASL_SFF_EXTERNAL to 90 on both server and client. (yeah, 90 is arbitrary, but I wanted it to be > 56 for the test).
2) set the min-ssf to 10 on the client and the server
3) specify the GSSAPI mechanism and attempt to authenticate....
I don't understand the resulting behaviour. I'm a noob, so I was hoping someone could clarify this for me...
On the server side, I see the authentication take place:
2009-09-18 10:59:29 info SETTING SSF EXTERNAL = 90
2009-09-18 10:59:29 info SASL: Mechanism list: ANONYMOUS PLAIN DIGEST-MD5 LOGIN GSSAPI CRAM-MD5
2009-09-18 10:59:29 info SASL: Starting authentication with mechanism: GSSAPI
2009-09-18 10:59:29 info SASL: Authentication succeeded for: testuser@xxxxxxxxxxx
However, an SSF of 56 gets negotiated (I'm assuming this is supplied by GSSAPI):
2009-09-18 10:59:29 info getprop SSF: 56
2009-09-18 10:59:29 info Installing security layer, SSF: 56
Since the external ssf is already stronger than the GSSAPI security layer, I was expecting that the external ssf would take precedence, and keep GSSAPI encryption from happening. Instead, it seems like the external ssf factor is ignored, and I end up double encrypting (once at TLS, once at sasl).
Sorry if this is an obvious question - I'm new to this and can't find an answer elsewhere...
BTW, I'm using rev 2.1.22 of cyrus sasl (from fedora core 11).
thanks!
--
Ken Giusti (kgiusti@xxxxxxxxx)
