spnego_gssapi: implement TLS channel bindings for openssl #13098
Conversation
Force-push: a0d34ca to 7acadc0
"Linux / hyper" CI failed during

Force-push: 7acadc0 to 5b8c0eb
Rebased to bring PR up-to-date with master due to time passed. Minor changes
Force-push: d916f49 to d776382

Force-push: a1a6fad to 3d924fa

Force-push: dff77a8 to c464df2
Reverted Explicit Fetching implementation, for now, in order to be in line with the rest of CURL source code. Potential migration from Implicit to Explicit Fetching is outside the scope of this specific PR. Also resolved merge conflicts to keep branch up-to-date.

@bagder We've been running this change in Production on hundreds of clients for several months, and it's been working great. What is the next step for this to be merged?
Force-push: d5a4b56 to 3c771e4
Channel Bindings are used to tie the session context to a specific TLS channel. This is to provide additional proof of valid identity, mitigating authentication relay attacks.

Major web servers have the ability to require (None/Accept/Require) GSSAPI channel binding, rendering Curl unable to connect to such websites unless support for channel bindings is implemented.

IIS calls this feature Extended Protection (EPA), which is used in Enterprise environments using Kerberos for authentication.

This change requires krb5 >= 1.19, otherwise channel bindings won't be forwarded through SPNEGO.

Co-Authored-By: Steffen Kieß <947515+steffen-kiess@users.noreply.github.com>
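The binding the commit message refers to is the `tls-server-end-point` channel binding of RFC 5929: the server's end-entity certificate (DER) is hashed with the hash function implied by its signature algorithm (MD5 and SHA-1 are upgraded to SHA-256), and the result, prefixed with `tls-server-end-point:`, becomes the `application_data` of the GSS-API channel bindings passed to `gss_init_sec_context`. The server recomputes the same value from its own certificate, so a context token relayed to a different TLS endpoint no longer verifies. The following is an added, stand-alone Python example written for this page; it is not the PR's or curl's code. It parses only as much DER as needed to read the `signatureAlgorithm` OID, and the `make_fake_cert_der` helper builds a structurally shaped stand-in certificate (constructed, not a real or valid certificate) so the code runs offline.

```python
import hashlib

# Hash function implied by a certificate's signatureAlgorithm OID (RFC 5929 s4.1).
# Only single-hash algorithms are listed; RSASSA-PSS keeps its hash in the
# AlgorithmIdentifier parameters and is deliberately rejected below.
_SIG_OID_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

CB_PREFIX = b"tls-server-end-point:"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the dotted OID inside the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def hash_name_for_oid(oid):
    """RFC 5929 s4.1: use the signature's hash, but MD5/SHA-1 become SHA-256."""
    name = _SIG_OID_HASH.get(oid)
    if name is None:
        raise ValueError("tls-server-end-point undefined for signature OID " + oid)
    return "sha256" if name in ("md5", "sha1") else name


def tls_server_end_point(cert_der):
    """Channel binding bytes to place in gss_channel_bindings_t.application_data
    (initiator/acceptor address types GSS_C_AF_NULLADDR, no address data)."""
    digest = hashlib.new(hash_name_for_oid(signature_algorithm_oid(cert_der)), cert_der).digest()
    return CB_PREFIX + digest


# --- constructed test input (NOT a valid certificate, only the DER shape) ---
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)


def make_fake_cert_der(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\x00" * 32)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    cb = tls_server_end_point(make_fake_cert_der("1.2.840.113549.1.1.11"))
    print(cb[:21], cb[21:].hex())
```

On a live connection the same function applies to the real leaf certificate, e.g. `tls_server_end_point(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))))`. The krb5 >= 1.19 requirement in the commit message matters here: with an older MIT krb5, the SPNEGO mechanism does not pass these bindings down to the Kerberos mechanism, so the client computes them but the server sees none and a `Require` policy still rejects the request.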
This reverts commit 3d924fa.
Force-push: 3c771e4 to be3512c
Some tests failed because Launchpad was temporarily down.

All tests pass now!
Looks good to me, thanks! It's a pity that nothing can be shared with the existing SSPI implementation as that's based on SSPI-specific types. I would appreciate more reviews from others interested in the topic (not necessarily curl maintainers).
Thanks!