Bug 65302 - Add support for setting com.sun.jndi.ldap.tls.cbtype
Summary: Add support for setting com.sun.jndi.ldap.tls.cbtype
Status: NEW
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 9.0.39
Hardware: PC Linux
: P2 enhancement (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-12 15:54 UTC by Mike Millson
Modified: 2021-05-27 16:37 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Millson 2021-05-12 15:54:53 UTC
Microsoft advises using LDAP channel binding:
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023

LDAP channel binding was implemented in OpenJDK 16:
https://bugs.openjdk.java.net/browse/JDK-8247311

And was backported to OpenJDK 11:
https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-April/005860.html

The tomcat JNDIRealm.getDirectoryContextEnvironment() method needs to be updated to provide the capability to set  'com.sun.jndi.ldap.tls.cbtype' to 'tls-server-end-point' for channel-binding to work[1].

References:
[1]https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/realm/JNDIRealm.java#L2603
Comment 1 Michael Osipov 2021-05-12 17:24:34 UTC
Why? I did several reviews of the ticket when it was discussed with security-dev@. The only SASL mech supporting this is GSSAPI and you can request GSS-API to completely encrypt your traffic with Kerberos (auth-conf), no TLS necessary. SSPI offers other mechs besides GSSAPI to use channel binding (Digest MD5 which is dead).
This is a case (auth-conf) even MS considers to be secure and no need to enforce TLS channel binding.
Comment 2 Christopher Schultz 2021-05-12 18:26:06 UTC
Would it hurt anything to unconditionally add com.sun.jndi.ldap.tls.cbtype=tls-server-end-point to the properties used to initialize to the InitialContext? Or does this really need to be something controlled by configuration?
Comment 3 Michael Osipov 2021-05-13 15:56:01 UTC
(In reply to Christopher Schultz from comment #2)
> Would it hurt anything to unconditionally add
> com.sun.jndi.ldap.tls.cbtype=tls-server-end-point to the properties used to
> initialize to the InitialContext? Or does this really need to be something
> controlled by configuration?

I don't think that this makes sense, for two reasons:
* It adds some computational overhead, maybe irrelevant
* It works only IF you use SASL GSSAPI mech which I don't expect most people to use
Comment 4 romain.manni-bucau 2021-05-13 16:05:00 UTC
Hi,

Maybe a side question/issue: JNDI realm is actually not a JNDI realm but more a sun JNDI realm in the sense its configuration is quite bound to a particular implementation.
Assuming a new "String properties" property is added (with its setter) and read with Properties#load and appended to the getDirectoryContextEnvironment if not null then it will enable to use any implementation (and even not yet supported sun impl - https://github.com/openjdk/jdk11u/blob/73eef16128417f4a489c4dde47383bb4a00f39d4/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java#L148).
In the context of this issue it will also enable to add any other com.sun.jndi property and avoid tomcat to be updated each time.
Can't this issue move to a more generic properties support?
Comment 5 Christopher Schultz 2021-05-13 20:38:57 UTC
(In reply to romain.manni-bucau from comment #4)
> Assuming a new "String properties" property is added (with its setter) ... Can't this issue move to a more generic properties support?

Of course. I was looking for a one-liner fix to this issue, but it looks like maybe it can't (or shouldn't) be that simple.
Comment 6 Mike Millson 2021-05-27 15:56:00 UTC
(In reply to Michael Osipov from comment #1)
> The only SASL mech supporting this is GSSAPI and you can
> request GSS-API to completely encrypt your traffic with Kerberos
> (auth-conf), no TLS necessary.

Do you have an example of a configuration that does this that I could propose as an alternative?
Comment 7 Michael Osipov 2021-05-27 16:37:11 UTC
(In reply to Mike Millson from comment #6)
> (In reply to Michael Osipov from comment #1)
> > The only SASL mech supporting this is GSSAPI and you can
> > request GSS-API to completely encrypt your traffic with Kerberos
> > (auth-conf), no TLS necessary.
> 
> Do you have an example of a configuration that does this that I could
> propose as an alternative?

Yes, see my DirContextSource [1] which I have been using the last eight years. Works pefectly in Tomcat also.
In production:
<Resource name="gc/ad.example.com"
	type="net.sf.michaelo.dirctxsrc.DirContextSource"
	factory="net.sf.michaelo.dirctxsrc.DirContextSourceFactory"
	urls="ldap://ad.example.com:3268"
	auth="gssapi" loginEntryName="tomcat-initiate" referral="ignore"
	qop="auth-conf"	additionalProperties="com.sun.jndi.ldap.connect.timeout=1000;com.sun.jndi.ldap.read.timeout=1000" />

In the world's largest forest.


[1] http://dirctxsrc.sourceforge.net/dircontextsourcefactory.html