Hi all,
Following our discussion over cyrus-sasl PR 601 [1], I worked out a new wip patch: https://git.openldap.org/iboukris/openldap/-/commits/cbind_v3
It changes the sasl channel-binding to be passed optionally (none by default), controlled via ldap.conf / slapd.conf, and adds "tls-server-end-point" binding type which is compatible with Windows.
In addition, I noticed the current "tls-unique" implementation in openldap doesn't pass the prefix of the channel-binding as defined in RFC 5056, quote:
Specifications of channel bindings for any secure channels MUST provide for a single, canonical octet string encoding of the channel bindings. Under this framework, channel bindings MUST start with the channel binding unique prefix followed by a colon (ASCII 0x3A).
So I fixed that too, by adding "tls-unique:" prefix as per RFC 5929 registration. Note that this won't be compatible with older versions of openldap (say for GS2 users, if any), so it is another reason to not send any bindings by default, to avoid mismatches.
I've only tested the openssl client backend code so far (on top of cyrus-sasl PR 601), the rest is pretty much pseudo code for now. I plan to work out the other backends, and add some unit-tests showing the expected bindings are being passed by both client and server (tips and help welcome).
Thoughts?
Refs [1]: https://github.com/cyrusimap/cyrus-sasl/pull/601 https://bugs.openldap.org/show_bug.cgi?id=9189
Thanks!
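To make the two encoding points in the mail concrete (the RFC 5056 "prefix:" form and the RFC 5929 hash selection for tls-server-end-point), here is an added example that is not part of the patch or of OpenLDAP's code. It assumes OpenSSL-style long names for the certificate signature algorithm (e.g. "sha256WithRSAEncryption") as the lookup key, and uses constructed byte strings in place of a real DER certificate and a real TLS Finished message; the `choose_binding` setting values are an assumption, the thread does not name the ldap.conf keyword.

```python
import hashlib
import hmac

# RFC 5929 registrations used by the patch under discussion.
KNOWN_TYPES = ("tls-unique", "tls-server-end-point")


def encode_channel_binding(cb_type: str, cb_data: bytes) -> bytes:
    """RFC 5056 section 2.1 canonical form: '<unique-prefix>:' + data.

    The colon is ASCII 0x3A; the prefix is the registered type name.
    """
    if cb_type not in KNOWN_TYPES:
        raise ValueError(f"unknown channel-binding type: {cb_type!r}")
    return cb_type.encode("ascii") + b":" + cb_data


# RFC 5929 section 4.1: tls-server-end-point hashes the server certificate with
# the hash of its signatureAlgorithm, except that MD5 and SHA-1 are replaced by
# SHA-256. Keys here are OpenSSL long names (assumption for this example).
_HASH_FOR_SIG_ALG = {
    "md5WithRSAEncryption": "sha256",      # MD5  -> SHA-256 per RFC 5929
    "sha1WithRSAEncryption": "sha256",     # SHA-1 -> SHA-256 per RFC 5929
    "ecdsa-with-SHA1": "sha256",
    "sha256WithRSAEncryption": "sha256",
    "sha384WithRSAEncryption": "sha384",
    "sha512WithRSAEncryption": "sha512",
    "ecdsa-with-SHA256": "sha256",
    "ecdsa-with-SHA384": "sha384",
    "ecdsa-with-SHA512": "sha512",
}


def hash_for_signature_algorithm(sig_alg: str) -> str:
    """Return the hashlib name to use, or raise if RFC 5929 leaves it undefined
    (e.g. a signature scheme with no single hash function)."""
    try:
        return _HASH_FOR_SIG_ALG[sig_alg]
    except KeyError:
        raise ValueError(f"tls-server-end-point undefined for {sig_alg!r}") from None


def tls_server_end_point(cert_der: bytes, sig_alg: str) -> bytes:
    """Binding Windows-compatible peers expect: prefix + hash(server cert DER)."""
    digest = hashlib.new(hash_for_signature_algorithm(sig_alg), cert_der).digest()
    return encode_channel_binding("tls-server-end-point", digest)


def tls_unique(first_finished: bytes) -> bytes:
    """tls-unique: prefix + the first TLS Finished message of the connection."""
    return encode_channel_binding("tls-unique", first_finished)


def choose_binding(setting: str):
    """Map a (hypothetical) config value to a binding type; 'none' is default,
    mirroring the mail's 'none by default' proposal."""
    setting = (setting or "none").strip().lower()
    if setting == "none":
        return None
    if setting in KNOWN_TYPES:
        return setting
    raise ValueError(f"unsupported channel-binding setting: {setting!r}")


def bindings_match(client_cb: bytes, server_cb: bytes) -> bool:
    """Constant-time comparison of the octet strings both sides derived."""
    return hmac.compare_digest(client_cb, server_cb)


if __name__ == "__main__":
    # Constructed stand-ins, not real TLS artefacts.
    finished = bytes.fromhex("1400000c0102030405060708090a0b0c")
    cert = b"constructed-server-certificate-der"

    prefixed = tls_unique(finished)
    print(prefixed[:11], len(prefixed))
    # A peer that still sends the raw Finished bytes (no "tls-unique:" prefix)
    # will not match a peer using the RFC 5056 form; this is the mismatch the
    # mail cites as a reason to send no binding by default.
    print("legacy raw form matches prefixed form:", bindings_match(prefixed, finished))
    print(tls_server_end_point(cert, "sha1WithRSAEncryption")[:21])
```

The lookup table is the only part tied to a particular TLS library; wiring this into a real client means taking the signature algorithm and DER bytes from the backend (OpenSSL or GnuTLS) rather than from the constructed values above.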
Isaac Boukris wrote:
> Hi all,
> Following our discussion over cyrus-sasl PR 601 [1], I worked out a new wip patch: https://git.openldap.org/iboukris/openldap/-/commits/cbind_v3
> It changes the sasl channel-binding to be passed optionally (none by default), controlled via ldap.conf / slapd.conf, and adds "tls-server-end-point" binding type which is compatible with Windows.
> In addition, I noticed the current "tls-unique" implementation in openldap doesn't pass the prefix of the channel-binding as defined in RFC 5056, quote:
> Specifications of channel bindings for any secure channels MUST provide for a single, canonical octet string encoding of the channel bindings. Under this framework, channel bindings MUST start with the channel binding unique prefix followed by a colon (ASCII 0x3A).
> So I fixed that too, by adding "tls-unique:" prefix as per RFC 5929 registration. Note that this won't be compatible with older versions of openldap (say for GS2 users, if any), so it is another reason to not send any bindings by default, to avoid mismatches.
> I've only tested the openssl client backend code so far (on top of cyrus-sasl PR 601), the rest is pretty much pseudo code for now. I plan to work out the other backends, and add some unit-tests showing the expected bindings are being passed by both client and server (tips and help welcome).
Thanks for this. Would be nice to get other testers' eyes on it.
Don't spend any time on the MozNSS backend, we are removing it.
> Thoughts?
> Refs [1]: https://github.com/cyrusimap/cyrus-sasl/pull/601 https://bugs.openldap.org/show_bug.cgi?id=9189
> Thanks!
On Tue, Mar 31, 2020 at 9:35 PM Howard Chu <hyc@symas.com> wrote:
> Don't spend any time on the MozNSS backend, we are removing it.
Thanks for the heads up!
Meanwhile I've tested and fixed the gnutls backend too.