[31499] in Kerberos

Re: MS IWA - extended protection - SSPI - channel binding

daemon@ATHENA.MIT.EDU (Peter)
Wed Sep 23 01:09:11 2009

From: Peter <peter@motyka.org>
Date: Tue, 22 Sep 2009 19:41:57 -0700 (PDT)
To: kerberos@mit.edu

On Sep 22, 5:04 pm, Peter <pe...@motyka.org> wrote:
> On Sep 22, 2:33 pm, Nicolas Williams <Nicolas.Willi...@sun.com> wrote:
>
> > On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> > > From what I can tell, this change was not pushed as a critical update,
> > > I had to install a patch manually to get channel binding capability
> > > for Windows XP (http://support.microsoft.com/kb/968389).  I've done
> > > some experimenting with both Windows 7 and Windows XP and channel
> > > binding definitely behaves differently on the two platforms.  With
> > > Windows 7, IWA authentication appears to provide channel binding
> > > regardless if the application requests extended protection.  Actually,
> > > this is causing a runtime failure in my Java application using jgss
> > > without any channel bindings defined on the acceptor:
>
> > > GSSException: Channel binding mismatch (Mechanism level:
> > > ChannelBinding not provided!)
>
> > The JGSS issue is CR #6851973:
>
> > 6851973 ignore incoming channel binding if acceptor does not set one
>
> > The fix will be in the October 2009 updates.  (The fix was integrated
> > into build b64.)
>
> > Nico
> > --
>
> Thanks for the info, Nico.  I went to preview the update, but I'm not
> seeing a b64.  Am I looking in the wrong place? http://download.java.net/jdk6/latest_binaries/
>
> Latest available seems to be b02.
>
> Peter

Apologies Nico, I assumed you meant 6851973 would be part of updates
for the Java SE 6 Update 18 release.  I noticed the fix in the
OpenJDK7 code base
(http://hg.openjdk.java.net/jdk7/tl/jdk/rev/37ed72fe7561) and will see
about having it backported to OpenJDK6 for Update 18 via the jdk6-dev
mail list.

Peter

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos