• Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: openjdk8u232
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Compatibility Kind:
    • Compatibility Risk:
    • Compatibility Risk Description:
      The default property value is empty so there is no out-of-box behavior change.
    • Interface Kind:
      System or security property
    • Scope:


      Original CSR:


      Provide a security property to restrict the mechanisms used by SASL.

      The problem statement says that "The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware." DIGEST-MD5 was intended to be an improvement over CRAM-MD5, which has weaknesses of its own. PLAIN is weaker still: the password is sent in the clear and the mechanism itself offers no protection for it.

      That said, SASL is often used inside a secure channel (for example, SMTP with STARTTLS), and in that case even PLAIN may be acceptable because the communication is protected by TLS (a challenge-response mechanism is still preferable, since with PLAIN a compromised TLS server sees the password itself). This is analogous to HTTP Basic authentication (the Basic WWW-Authenticate scheme) over HTTPS.


      Add a security property to disable these SASL mechanisms. The default value is empty, which means no mechanism is disabled out of the box. Users can add mechanisms to the list, especially when their application protocol is not protected by a secure channel such as TLS.


      Changes to src/share/classes/javax/security/sasl/

       /**
        * Creates a {@code SaslClient} using the parameters supplied.
        * ...
        * <p>
        * If a mechanism is listed in the {@code jdk.sasl.disabledMechanisms}
        * security property, it will be ignored and won't be negotiated.
        * ...
        */
       public static SaslClient createSaslClient(
           String[] mechanisms,
           String authorizationId,
           String protocol,
           String serverName,
           Map<String,?> props,
           CallbackHandler cbh) throws SaslException {
           ...
       }

       /**
        * Creates a {@code SaslServer} for the specified mechanism.
        * ...
        * <p>
        * If {@code mechanism} is listed in the {@code jdk.sasl.disabledMechanisms}
        * security property, it will be ignored and this method returns {@code null}.
        * ...
        */
       public static SaslServer
           createSaslServer(String mechanism,
                       String protocol,
                       String serverName,
                       Map<String,?> props,
                       CallbackHandler cbh) throws SaslException {
           ...
       }

      Add the following lines to src/share/lib/security/* (*):

      # Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
      # Disabled mechanisms will not be negotiated by either SASL clients or SASL servers.
      # These mechanisms will be ignored if they are specified in the mechanisms argument
      # of `Sasl.createSaslClient` or the mechanism argument of `Sasl.createSaslServer`.
      # The value of this property is a comma-separated list of SASL mechanisms.
      # The mechanisms are case-sensitive. Whitespace around the commas is ignored.
      # Note: This property is currently used by the JDK Reference implementation.
      # It is not guaranteed to be examined and used by other implementations.
      # Example:
      #   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5

      (*) i.e. the per-OS java.security file for each of: aix, linux, macosx, solaris, windows
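      The property in action, as an added example written for this page (it is not code from the CSR or from the JDK): it sets jdk.sasl.disabledMechanisms programmatically and checks what Sasl.createSaslClient and Sasl.createSaslServer do with the disabled entries. The protocol name "imap", the server name "localhost", the credentials and the disabled list are assumptions chosen for the demo. DIGEST-MD5 is left enabled here only so that the JDK's built-in DIGEST-MD5 server factory can show the non-null path; the CSR's own java.security example disables it too. The code also assumes the reference implementation reads the property when the Sasl class is first used, which is why the property is set before the first createSasl* call.

```java
import java.security.Security;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

/**
 * Demo of jdk.sasl.disabledMechanisms. Protocol name, server name, credentials and
 * the disabled list are assumptions made for this demo, not part of the CSR or the JDK.
 */
public class DisabledSaslMechanismsDemo {

    static final String PROTOCOL = "imap";      // assumed application protocol
    static final String SERVER = "localhost";   // assumed server name

    /** Minimal handler answering the callbacks the JDK PLAIN/CRAM-MD5/DIGEST-MD5 factories may issue. */
    static CallbackHandler credentials(String user, char[] password) {
        return (Callback[] callbacks) -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(Objects.equals(ac.getAuthenticationID(), ac.getAuthorizationID()));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Lets Sasl pick from the offered list; returns the chosen mechanism name, or null if none is usable. */
    static String negotiateClient(String[] offered, CallbackHandler cbh) throws SaslException {
        SaslClient client = Sasl.createSaslClient(offered, null, PROTOCOL, SERVER, null, cbh);
        if (client == null) {
            return null;   // every offered mechanism was disabled or unsupported
        }
        try {
            return client.getMechanismName();
        } finally {
            client.dispose();
        }
    }

    /** Server side: the mechanism name if a SaslServer was created, null if the mechanism is disabled. */
    static String createServer(String mechanism, CallbackHandler cbh) throws SaslException {
        SaslServer server = Sasl.createSaslServer(mechanism, PROTOCOL, SERVER, null, cbh);
        if (server == null) {
            return null;
        }
        try {
            return server.getMechanismName();
        } finally {
            server.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Set the policy before the first Sasl call. Assumption: the reference
        // implementation reads the property once, when the Sasl class initializes,
        // so changing it later in the same JVM has no effect. In production put the
        // line in java.security instead of calling Security.setProperty.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN, CRAM-MD5");

        CallbackHandler cbh = credentials("alice", "s3cret".toCharArray());

        // Client: disabled entries are skipped; the first remaining mechanism is used.
        System.out.println("client offered PLAIN,CRAM-MD5,DIGEST-MD5 -> "
                + negotiateClient(new String[] {"PLAIN", "CRAM-MD5", "DIGEST-MD5"}, cbh));
        System.out.println("client offered PLAIN,CRAM-MD5            -> "
                + negotiateClient(new String[] {"PLAIN", "CRAM-MD5"}, cbh));

        // Server: a disabled mechanism yields null instead of a SaslServer.
        System.out.println("server CRAM-MD5   -> " + createServer("CRAM-MD5", cbh));
        System.out.println("server DIGEST-MD5 -> " + createServer("DIGEST-MD5", cbh));
    }
}
```

      Per the specification text above, the first client call skips PLAIN and CRAM-MD5 and negotiates DIGEST-MD5, the second client call and the CRAM-MD5 server call return null, and only the DIGEST-MD5 server call produces a SaslServer. The same policy can be applied without touching code by adding the jdk.sasl.disabledMechanisms line to the JDK's java.security file, or to a separate properties file passed with -Djava.security.properties=<file>, which is the form that does not depend on when the Sasl class is initialized.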


              • Assignee:
                mbalao Martin Balao
                weijun Weijun Wang
                Reviewed By:
                Andrew Hughes
              • Votes:
                0
              • Watchers:
                2