On Tue, Jan 30, 2007 at 12:13:01AM -0800, Howard Chu wrote:
When invoked from Cyrus SASL it will only offer confidentiality if the sasl-secprops are set with minssf > 1. Since you're talking about your own private SASL implementations obviously we can't tell.
Hmmm. I have to look at Cyrus SASL, but I don't see a way how it would be able to not negotiate it. I'm talking about line 514ff in src/lib/gssapi/krb5/init_sec_context.c of MIT krb 1.5.1:
    ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG |
                      ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                                      GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
This way it does not look at the req_flags given to it via gss_init_sec_context(), it just unconditionally sets GSS_C_CONF_FLAG. If I change it to take GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG from req_flags, then it does work as I would expect.
I hope I don't look stupid here... :-)
Volker
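As an added illustration of the flag computation discussed above (this is example code written for this page, not code from MIT Kerberos or from Volker's patch): the first function reproduces the quoted 1.5.1 statement, the second is the variant Volker describes, in which GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG are masked from req_flags like the other bits. The GSS_C_*_FLAG values are the ones laid out in RFC 2744 and are defined locally so the example compiles without a GSS-API development package; the OM_uint32 typedef is likewise a stand-in for the one in gssapi.h, and the request value in main() is a constructed input.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the gssapi.h typedef, so the example is self-contained. */
typedef uint32_t OM_uint32;

/* Flag bit values as laid out in RFC 2744 (gssapi.h). Defined here only
 * so the example builds without a GSS-API development package. */
#define GSS_C_DELEG_FLAG    1
#define GSS_C_MUTUAL_FLAG   2
#define GSS_C_REPLAY_FLAG   4
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32
#define GSS_C_TRANS_FLAG    256

/* Mirrors the statement quoted from MIT krb5 1.5.1 init_sec_context.c:
 * INTEG, CONF and TRANS are set regardless of what the caller asked for;
 * only the four negotiation-related bits are taken from req_flags. */
OM_uint32 ctx_flags_unconditional(OM_uint32 req_flags)
{
    return (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG |
            (req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                          GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
}

/* Hypothetical variant in the spirit of Volker's change (not MIT code):
 * CONF and INTEG come from req_flags as well, so a caller that asks for
 * integrity only ends up with a context that does not advertise
 * confidentiality. TRANS is still set unconditionally, as in the original. */
OM_uint32 ctx_flags_from_req(OM_uint32 req_flags)
{
    return (GSS_C_TRANS_FLAG |
            (req_flags & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
                          GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                          GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
}

/* Returns 1 if the resulting context flags claim confidentiality. */
int offers_confidentiality(OM_uint32 ctx_flags)
{
    return (ctx_flags & GSS_C_CONF_FLAG) != 0;
}

int main(void)
{
    /* Constructed caller request: mutual auth plus integrity, no confidentiality. */
    OM_uint32 req = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;

    printf("1.5.1 statement:    conf=%d flags=0x%x\n",
           offers_confidentiality(ctx_flags_unconditional(req)),
           (unsigned)ctx_flags_unconditional(req));
    printf("req_flags-honoring: conf=%d flags=0x%x\n",
           offers_confidentiality(ctx_flags_from_req(req)),
           (unsigned)ctx_flags_from_req(req));
    return 0;
}
```

Note that GSS_C_CONF_FLAG in the context flags only states that the mechanism is able to protect message privacy for that context; whether an individual message is actually encrypted is chosen per call through the conf_req_flag argument of gss_wrap(), which is why a SASL layer can still leave confidentiality unused on a context whose flags advertise it.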