JDK-8214331 : Restrict Sasl mechanisms
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2018-11-27
  • Updated: 2019-05-10
  • Resolved: 2019-05-09
Description
Summary
-------

Provide a security property to restrict the mechanisms used by SASL.

Problem
-------

https://tools.ietf.org/html/rfc6331 states that "The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware." DIGEST-MD5 was intended to be an improvement over CRAM-MD5, which also has various weaknesses. Finally, PLAIN is even weaker since the password is sent as plaintext and not protected.

That said, SASL is often used within a secure channel (for example, SMTP with STARTTLS), and in that case even PLAIN may be acceptable because the communication is protected by TLS (although a stronger mechanism is still preferable in case the TLS server is compromised). This is similar to using the Basic WWW-Authenticate scheme over HTTPS.

Solution
--------

Add a security property that disables the listed SASL mechanisms. Its default value is empty, which means no mechanism is disabled out of the box. Users can add mechanisms to it, especially when their application protocol is not protected by a secure channel such as TLS.

Specification
-------------

Changes to `src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java`:

    /**
     * @implNote
     * ....
     * If a mechanism is listed in the
     * {@code jdk.sasl.disabledMechanisms} security property,
     * it will be ignored and won't be negotiated.
     */
    public static SaslClient createSaslClient(
        String[] mechanisms,
        String authorizationId,
        String protocol,
        String serverName,
        Map<String,?> props,
        CallbackHandler cbh);

    /**
     * @implNote
     * ....
     * If {@code mechanism} is listed in the
     * {@code jdk.sasl.disabledMechanisms} security property,
     * it will be ignored and this method will return {@code null}.
     */
    public static SaslServer createSaslServer(
        String mechanism,
        String protocol,
        String serverName,
        Map<String,?> props,
        CallbackHandler cbh);

Add the following lines into `conf/security/java.security`:

    #
    # Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
    #
    # Disabled mechanisms will not be negotiated by both SASL clients and servers.
    # These mechanisms will be ignored if they are specified in the mechanisms argument
    # of `Sasl.createSaslClient` or the mechanism argument of `Sasl.createSaslServer`.
    #
    # The value of this property is a comma-separated list of SASL mechanisms.
    # The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
    #
    # Note: This property is currently used by the JDK Reference implementation.
    # It is not guaranteed to be examined and used by other implementations.
    #
    # Example:
    #   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
    jdk.sasl.disabledMechanisms=

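To show the property's effect end to end, here is an added example (not part of the CSR or the JDK sources) that disables PLAIN and CRAM-MD5 at runtime and then checks which mechanism the JDK reference implementation negotiates on the client side and whether a server for a disabled mechanism can be created at all; the protocol name, server name and credentials are constructed sample values.

```java
import java.security.Security;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslServer;

public class SaslDisabledMechanismsDemo {
    // PLAIN and CRAM-MD5 clients request name and password while being created,
    // so the handler must answer those callbacks (constructed sample credentials).
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("alice");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("example-password".toCharArray());
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    // Mechanism the client side settles on from the caller's preference list,
    // or null when every candidate is disabled or unsupported.
    static String negotiatedClientMechanism(String... preferred) throws Exception {
        SaslClient client = Sasl.createSaslClient(
                preferred, null, "ldap", "localhost", null, HANDLER);
        if (client == null) return null;
        try { return client.getMechanismName(); } finally { client.dispose(); }
    }

    public static void main(String[] args) throws Exception {
        // Set before the Sasl class is first touched: the reference implementation
        // is assumed to read the property once, when the class initialises.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN, CRAM-MD5");

        // Disabled entries are skipped, so DIGEST-MD5 wins despite being listed last.
        System.out.println(negotiatedClientMechanism("PLAIN", "CRAM-MD5", "DIGEST-MD5"));
        // No candidate survives the filter, so nothing is negotiated.
        System.out.println(negotiatedClientMechanism("PLAIN", "CRAM-MD5"));

        // Server side: a disabled mechanism yields null instead of a SaslServer.
        SaslServer server = Sasl.createSaslServer("CRAM-MD5", "ldap", "localhost", null, HANDLER);
        System.out.println(server == null ? "CRAM-MD5 server refused" : "unexpected");
    }
}
```

Running it in a JVM whose `java.security` file keeps the default empty value shows the runtime override alone is enough; the same list can instead be placed in `conf/security/java.security` to apply process-wide without code changes.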

Comments
Thanks.
10-05-2019

[~weijun], I took the liberty of updating the spec to use a code javadoc tag rather than a systemProperty javadoc tag based on your last comment. Moving back to Approved.
09-05-2019

Re-requested. In the updated request, it is only a security property and no longer a system property. This is to be consistent with other jdk.*.disabled* properties.
07-05-2019

Moving to Approved.
05-05-2019