On 18/09/09 11:07 -0400, Ken Giusti wrote:
Hi all,

I'm trying to use SASL_SSF_EXTERNAL to account for the security mechanism provided by our transport layer (SSL). I'm trying the following test:

1) set the SASL_SSF_EXTERNAL to 90 on both server and client. (yeah, 90 is arbitrary, but I wanted it to be > 56 for the test).
2) set the min-ssf to 10 on the client and the server
3) specify the GSSAPI mechanism and attempt to authenticate....

However, an SSF of 56 gets negotiated (I'm assuming this is supplied by GSSAPI):

2009-09-18 10:59:29 info getprop SSF: 56
2009-09-18 10:59:29 info Installing security layer, SSF: 56

Since the external ssf is already stronger than the GSSAPI security layer, I was expecting that the external ssf would take precedence, and keep GSSAPI encryption from happening. Instead, it seems like the external ssf factor is ignored, and I end up double encrypting (once at TLS, once at sasl).
I'm not clear on how cyrus handles this logic exactly, but you should be able to accomplish this by setting your max-ssf to '1', which directs the sasl library to do no encryption for your selected mechanism (but it will do integrity protection). However, I'm not sure what happens if you also set SASL_SSF_EXTERNAL to a high value.

-- 
Dan White
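The exchange above leaves open how an external SSF interacts with the min-ssf and max-ssf security properties. The Python model below is an added example, not code from this thread or from the cyrus-sasl project. It assumes one simple rule, that the external SSF is credited against both bounds by subtraction, and uses a constructed layer table in which the GSSAPI confidentiality layer has SSF 56, the value in Ken's log lines. Under that assumption it reproduces the observed double encryption and shows what the max-ssf = 1 suggestion yields with and without a high external SSF.

```python
# Constructed model of how a SASL library might combine an externally supplied
# SSF (SASL_SSF_EXTERNAL, e.g. from TLS) with the min-ssf / max-ssf security
# properties when choosing which mechanism security layer to install.
# ASSUMPTION: the external SSF is subtracted from both the requested minimum and
# the requested maximum. This is the rule assumed for the example, not a
# statement about what the cyrus-sasl source actually does.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed table of the layers a GSSAPI mechanism could offer. The value 56
# for the confidentiality layer is the SSF reported in the thread's log lines.
GSSAPI_LAYERS: Sequence[Tuple[str, int]] = (
    ("none", 0),
    ("integrity", 1),
    ("confidentiality", 56),
)


@dataclass(frozen=True)
class SecProps:
    """Requested security window; max_ssf=256 stands in for 'no limit configured'."""
    min_ssf: int = 0
    max_ssf: int = 256


def effective_window(props: SecProps, external_ssf: int) -> Tuple[int, int]:
    """Bounds the mechanism's own layer must satisfy once the transport's SSF is credited."""
    min_needed = max(props.min_ssf - external_ssf, 0)
    max_allowed = max(props.max_ssf - external_ssf, 0)
    return min_needed, max_allowed


def negotiate_layer(props: SecProps, external_ssf: int,
                    layers: Sequence[Tuple[str, int]] = GSSAPI_LAYERS) -> Optional[Tuple[str, int]]:
    """Strongest layer inside the window, or None when the mechanism cannot satisfy min-ssf."""
    min_needed, max_allowed = effective_window(props, external_ssf)
    fits = [(name, ssf) for name, ssf in layers if min_needed <= ssf <= max_allowed]
    if not fits:
        return None
    return max(fits, key=lambda layer: layer[1])


def total_ssf(props: SecProps, external_ssf: int,
              layers: Sequence[Tuple[str, int]] = GSSAPI_LAYERS) -> Optional[int]:
    """Combined protection strength: transport SSF plus whatever layer SASL adds on top."""
    layer = negotiate_layer(props, external_ssf, layers)
    return None if layer is None else external_ssf + layer[1]


if __name__ == "__main__":
    scenarios = [
        ("thread: external 90, min-ssf 10, max-ssf unset", SecProps(min_ssf=10), 90),
        ("suggested: max-ssf 1, no external SSF", SecProps(max_ssf=1), 0),
        ("open question: max-ssf 1 and external 90", SecProps(max_ssf=1), 90),
        ("min-ssf 100, which GSSAPI alone cannot reach", SecProps(min_ssf=100), 0),
    ]
    for label, props, ext in scenarios:
        print(f"{label}: layer={negotiate_layer(props, ext)} total_ssf={total_ssf(props, ext)}")
```

The point the model makes visible is that, under the subtraction rule, a large external SSF only lowers the floor the mechanism has to meet; with max-ssf left unset the ceiling stays far above 56, so the confidentiality layer is still the strongest layer that fits and gets installed on top of TLS. Capping max-ssf is what removes it, and with both max-ssf = 1 and external SSF 90 the window collapses to 0, leaving no SASL layer at all while the total strength is still 90 from the transport.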