Open Bug 630315 Opened 13 years ago Updated 2 years ago

Enable Extended Protection (channel and service binding) for NTLM authentication on Linux

Categories

(Core :: Networking: HTTP, enhancement, P5)

People

(Reporter: mayhemer, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [sg:low][necko-would-take][ntlm])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #573043 +++

Only the Windows code has been landed as part of bug 573043.

This bug should finish the Linux part of the fix.
Forgot to drop cloned blocking flag.
blocking2.0: betaN+ → ---
Whiteboard: [sg:high]
What more needs to be done here -- ready for review?
Assignee: nobody → honzab.moz
Two issues I know about:
- no testing, but Brian Smith should work on that
- major issue with HTTP NTLM proxies (we try to go with the EP on them, which fails)
Is there any reason we can't open this bug up?
Group: core-security
For reference:
https://lists.samba.org/archive/samba-technical/2011-November/080314.html
Version: unspecified → Trunk
Honza, do you expect to need to make changes to your patch, based on your work in the Windows version (bug 573043)?

Would this Linux version also work on mobile?
I believe there will be a need to update this patch.  I never actually tested it.

The samba patches will IMO change too, so this patch will need to be updated.

Not sure about mobile at the moment.

I think this bug should be removed from the goals, i.e. lower its priority.  We are too dependent on another project; it doesn't seem realistic to me to get this done in Q4 at all.
Since samba isn't ready and the number of people affected by this is probably very low I'd agree with an sg:low rating.
Whiteboard: [sg:high] → [sg:low]
Assignee: honzab.moz → nobody
Whiteboard: [sg:low] → [sg:low][necko-would-take][ntlm]
Honza
      I'm proposing to implement these changes in security/manager/ssl/nsNTLMAuthModule.cpp.

Fixing this will allow switching to the internal implementation by default for bug 1261591
Flags: needinfo?(honzab.moz)
(In reply to Gary Lockyer from comment #9)
> Honza
>       I'm proposing to implement these changes in
> security/manager/ssl/nsNTLMAuthModule.cpp.
> 
> Fixing this will allow switching to the internal implementation by
> default for bug 1261591

What exactly is your plan?  Are you not going to implement this on top of the ntlm_auth binary?  Is the WIP patch here completely obsolete?  I mostly don't care that much where this is going to be implemented eventually.  Maybe just outline the plan in a bit more detail (I'm not a Linux guy, btw)
Flags: needinfo?(honzab.moz) → needinfo?(gary)
My understanding is that the patches to ntlm_auth have not been applied, and are not likely to be.  So I'm proposing to add the channel binding functionality to the internal NTLM module in security/manager/ssl/nsNTLMAuthModule.cpp
Flags: needinfo?(gary) → needinfo?(honzab.moz)
Sounds good to me.  

What will a user have to do to enable/allow EP?  Sounds like the network.auth.force-generic-ntlm pref should be turned on.  But that's probably OK, at least not blocking the work.

Thanks.
Flags: needinfo?(honzab.moz)
On Windows, it just means that both options, force-generic-ntlm and the SSPI implementation, will use EP, which is why we want to do this, so that the user can choose the generic one over SSPI without loss of EP.
(In reply to Andrew Bartlett from comment #13)
> On Windows, it just means that both options, force-generic-ntlm and the SSPI
> implementation, will use EP, which is why we want to do this, so that the user
> can choose the generic one over SSPI without loss of EP.

Sounds good.  Thanks.
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Severity: normal → S3