Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels: None
    • Subcomponent:
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: The default property value is empty so there is no out-of-box behavior change.
    • Interface Kind: System or security property
    • Scope: JDK

      Description

      Summary

      Provide a security property to restrict the mechanisms used by SASL.

      Problem

      https://tools.ietf.org/html/rfc6331 states that "The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware." DIGEST-MD5 was intended to be an improvement over CRAM-MD5, which also has various weaknesses. Finally, PLAIN is even weaker since the password is sent as plaintext and not protected.

      That said, SASL is often used within a secure channel (for example, SMTP with STARTTLS), and in this case even PLAIN may be acceptable when the communication is protected by TLS (although it is still preferable to use a stronger mechanism in case the TLS server is compromised). This is similar to using the Basic WWW-Authenticate scheme over HTTPS.

      Solution

      Add a security property to disable these SASL mechanisms. The default value is empty which means no mechanism is disabled out-of-box. The user can set it to include more mechanisms, especially if their application protocol is not protected by a secure channel like TLS.

      Specification

      Changes to src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java:

      /**
       * @implNote
       * ....
       * If a mechanism is listed in the
       * {@code jdk.sasl.disabledMechanisms} security property,
       * it will be ignored and won't be negotiated.
       */
      public static SaslClient createSaslClient(
          String[] mechanisms,
          String authorizationId,
          String protocol,
          String serverName,
          Map<String,?> props,
          CallbackHandler cbh);

      /**
       * @implNote
       * ....
       * If {@code mechanism} is listed in the
       * {@code jdk.sasl.disabledMechanisms} security property,
       * it will be ignored and this method will return {@code null}.
       */
      public static SaslServer
          createSaslServer(String mechanism,
                      String protocol,
                      String serverName,
                      Map<String,?> props,
                      javax.security.auth.callback.CallbackHandler cbh);

      Add the following lines into conf/security/java.security:

      #
      # Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
      #
      # Disabled mechanisms will not be negotiated by either SASL clients or servers.
      # These mechanisms will be ignored if they are specified in the mechanisms argument
      # of `Sasl.createSaslClient` or the mechanism argument of `Sasl.createSaslServer`.
      #
      # The value of this property is a comma-separated list of SASL mechanisms.
      # The mechanisms are case-sensitive. Whitespace around the commas is ignored.
      #
      # Note: This property is currently used by the JDK Reference implementation.
      # It is not guaranteed to be examined and used by other implementations.
      #
      # Example:
      #   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
      jdk.sasl.disabledMechanisms=
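      The following program is an added example (not part of this CSR or of the JDK sources) showing the property in action on JDK 13 or later. It parses the property value the way the specification above describes (comma-separated, whitespace around commas ignored, case-sensitive), then asks the reference implementation for a client given a preference list that includes disabled mechanisms and for servers for a disabled and a non-disabled mechanism. The property value, the user name, the password and the host name are constructed for the demo; in production the value belongs in conf/security/java.security or a file passed with -Djava.security.properties=<file>. The demo sets the property at the start of main on the assumption that the implementation reads it once, so it must be set before the Sasl class is first used.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

/** Added demo of jdk.sasl.disabledMechanisms; not JDK code. Needs JDK 13+. */
public class SaslDisabledMechanismsDemo {

    static final String PROPERTY = "jdk.sasl.disabledMechanisms";

    /** Parse the property as specified: split on commas, trim whitespace,
     *  keep case (so "plain" would NOT disable "PLAIN"). */
    static List<String> parseDisabled(String value) {
        if (value == null || value.isBlank()) {
            return List.of();
        }
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    /** Which of the application's preferred mechanisms survive the filter,
     *  in the application's own preference order. */
    static List<String> allowed(String[] preferred, List<String> disabled) {
        return Arrays.stream(preferred)
                .filter(m -> !disabled.contains(m))
                .collect(Collectors.toList());
    }

    /** Minimal handler answering name/password callbacks with constructed values. */
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("alice");                        // constructed
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("secret".toCharArray()); // constructed
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    public static void main(String[] args) throws SaslException {
        // Constructed value for the demo; in production set it in java.security.
        // Assumption: set before the Sasl class is first used, since the
        // reference implementation is taken to read the property once.
        Security.setProperty(PROPERTY, "PLAIN, CRAM-MD5");

        List<String> disabled = parseDisabled(Security.getProperty(PROPERTY));
        System.out.println("disabled mechanisms: " + disabled);

        // Application prefers the weakest mechanism first; the property overrides that.
        String[] preferred = {"PLAIN", "CRAM-MD5", "DIGEST-MD5"};
        System.out.println("expected to survive:  " + allowed(preferred, disabled));

        Map<String, Object> props = new HashMap<>();
        SaslClient client = Sasl.createSaslClient(
                preferred, null, "smtp", "mail.example.com", props, HANDLER); // host constructed
        System.out.println("negotiated client mechanism: "
                + (client == null ? "none (all preferred mechanisms disabled)"
                                  : client.getMechanismName()));

        // Server side: a disabled mechanism yields null instead of a SaslServer.
        for (String mech : List.of("CRAM-MD5", "DIGEST-MD5")) {
            SaslServer server = Sasl.createSaslServer(
                    mech, "smtp", "mail.example.com", props, HANDLER);
            System.out.println("server for " + mech + ": "
                    + (server == null ? "refused (disabled)" : "created"));
        }
    }
}
```

      With the constructed value above, the client request is expected to come back with DIGEST-MD5 (the first preferred mechanism that is not disabled), the CRAM-MD5 server request returns null, and the DIGEST-MD5 server request succeeds. Compiling and running it with `javac SaslDisabledMechanismsDemo.java && java SaslDisabledMechanismsDemo` on JDK 13 or later is a quick way to confirm that a deployment's java.security setting actually filters the mechanisms an application lists.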

      People

      • Assignee: Weijun Wang (weijun)
      • Reporter: Weijun Wang (weijun)
      • Reviewed By: Sean Mullan, Valerie Peng
      • Votes: 0
      • Watchers: 3