Re: Channel binding being attempted even when SCRAM PLUS not advertized
From: Simon Josefsson
Subject: Re: Channel binding being attempted even when SCRAM PLUS not advertized
Date: Mon, 15 Aug 2022 20:22:09 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Manvendra Bhangui <mbhangui@gmail.com> writes:
> On Mon, 15 Aug 2022 at 14:32, Manvendra Bhangui <mbhangui@gmail.com> wrote:
>>
>> "Clients that do not support mechanism negotiation never use a "y"
>> gs2-cbind-flag, they use either "p" or "n" according to whether they
>> require and support the use of channel binding or whether they do not,
>> respectively."
>
> RFC 5802 isn't explicit on what to do when the client supports channel
> binding but the server does not.

For SMTP, the client should select a non-PLUS SCRAM mechanism and not
supply libgsasl with a channel binding. The server signals to the
client that it supports channel bindings by announcing PLUS mechanisms.
If the server supports negotiation, it will announce both. It was the
downgrade-protection with 'y' that kicked in here.
/Simon
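
An added example, not part of the original message and not libgsasl's code: the gs2-cbind-flag rules of RFC 5802 that the reply refers to, showing that a client which supplies a binding while using a non-PLUS mechanism sends "y", and that a server supporting channel binding then fails the exchange. The function names, the advertised mechanism list and the client-first-message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum gs2_result { GS2_OK, GS2_DOWNGRADE, GS2_MISMATCH, GS2_MALFORMED };

/* Return 1 if mech is a whole token in the space-separated list. */
static int list_has(const char *list, const char *mech)
{
    size_t n = strlen(mech);
    for (const char *p = list; (p = strstr(p, mech)) != NULL; p += n)
        if ((p == list || p[-1] == ' ') && (p[n] == '\0' || p[n] == ' '))
            return 1;
    return 0;
}

/* Client: gs2-cbind-flag per RFC 5802 section 6. have_cb is non-zero when
 * the application supplied channel binding data to the SASL layer. */
char client_cbind_flag(const char *advertised, const char *plus_mech, int have_cb)
{
    if (!have_cb)
        return 'n';                       /* no binding supplied */
    return list_has(advertised, plus_mech) ? 'p' : 'y';
}

/* Server: check the gs2-cbind-flag at the start of client-first-message. */
enum gs2_result server_check_gs2(const char *client_first, int plus_selected,
                                 int server_supports_cb)
{
    char flag = client_first[0];
    if (flag == 'p' && client_first[1] == '=')       /* "p=" on non-PLUS: */
        return plus_selected ? GS2_OK : GS2_MISMATCH; /* rejected by this example */
    if ((flag != 'y' && flag != 'n') || client_first[1] != ',')
        return GS2_MALFORMED;
    if (plus_selected)
        return GS2_MISMATCH;              /* a -PLUS mechanism requires "p=" */
    if (flag == 'y' && server_supports_cb)
        return GS2_DOWNGRADE;             /* RFC 5802: MUST fail authentication */
    return GS2_OK;
}

int main(void)
{
    const char *adv = "PLAIN SCRAM-SHA-1";          /* constructed: no PLUS */
    char f = client_cbind_flag(adv, "SCRAM-SHA-1-PLUS", 1);
    char msg[] = "?,,n=user,r=clientnonce";         /* constructed message */
    msg[0] = f;
    printf("flag=%c result=%d\n", f, server_check_gs2(msg, 0, 1));
    return 0;
}
```

With `have_cb` set to 0, the same client sends "n" and the server check returns `GS2_OK`.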