Open
Bug 630315
Opened 13 years ago
Updated 2 years ago
Enable Extended Protection (channel and service binding) for NTLM authentication on Linux
Categories: Core :: Networking: HTTP, enhancement, P5
Tracking: NEW
People: Reporter: mayhemer, Unassigned
Details: Keywords: sec-low, Whiteboard: [sg:low][necko-would-take][ntlm]
Attachments: 1 file (patch, 8.84 KB)
+++ This bug was initially created as a clone of Bug #573043 +++
Only the Windows code has landed as part of bug 573043. This bug should finish the Linux part of the fix.
Updated • 13 years ago
Whiteboard: [sg:high]
Comment 2 • 13 years ago
What more needs to be done here -- ready for review?
Assignee: nobody → honzab.moz
Comment 3 (Reporter) • 13 years ago
Two issues I know about:
- no testing, but Brian Smith should work on that
- major issue with HTTP NTLM proxies (we try to go with the EP on them, which fails)
Updated • 13 years ago
Group: core-security
Comment 5 (Reporter) • 13 years ago
For reference: https://lists.samba.org/archive/samba-technical/2011-November/080314.html
Version: unspecified → Trunk
Comment 6 • 13 years ago
Honza, do you expect to need to make changes to your patch, based on your work in the Windows version (bug 573043)? Would this Linux version also work on mobile?
Comment 7 (Reporter) • 13 years ago
I believe there will be a need to update this patch. I never actually tested it. The Samba patches will IMO change too, so this patch will need to be updated. Not sure about mobile at the moment. I think this bug should be removed from the goals, i.e. lower its priority. We are too dependent on another project; it doesn't seem realistic to me to get this done in Q4 at all.
Since samba isn't ready and the number of people affected by this is probably very low I'd agree with an sg:low rating.
Whiteboard: [sg:high] → [sg:low]
Updated (Reporter) • 10 years ago
Assignee: honzab.moz → nobody
Updated • 8 years ago
Whiteboard: [sg:low] → [sg:low][necko-would-take][ntlm]
Comment 9 • 8 years ago
Honza, I'm proposing to implement these changes in security/manager/ssl/nsNTLMAuthModule.cpp. Fixing this will allow the switching to the internal implementation by default for bug 1261591.
Flags: needinfo?(honzab.moz)
Comment 10 (Reporter) • 8 years ago
(In reply to Gary Lockyer from comment #9)
> Honza
> I'm proposing to implement these changes in
> security/manager/ssl/nsNTLMAuthModule.cpp.
>
> Fixing this will allow the switching to the internal implementation by
> default for bug 1261591
What exactly is your plan? Are you not going to implement this on top of the ntlm_auth binary? Is the WIP patch here completely obsolete? I mostly don't care that much where this is going to be implemented eventually. Maybe just outline the plan in a bit more detail (I'm not a Linux guy, btw).
Flags: needinfo?(honzab.moz) → needinfo?(gary)
Comment 11 • 8 years ago
My understanding is that the patches to ntlm_auth have not been applied, and are not likely to be. So I'm proposing to add the channel binding functionality to the internal NTLM module in security/manager/ssl/nsNTLMAuthModule.cpp
Flags: needinfo?(gary) → needinfo?(honzab.moz)
Comment 12 (Reporter) • 8 years ago
Sounds good to me. What will a user have to do to enable/allow EP? Sounds like the network.auth.force-generic-ntlm pref should be turned on. But that's probably OK, at least not blocking the work. Thanks.
Flags: needinfo?(honzab.moz)
Comment 13 • 8 years ago
On Windows, it just means that both options, force-generic-ntlm and the SSPI implementation, will use EP, which is why we want to do this, so that the user can choose the generic one over SSPI without loss of EP.
Comment 14 (Reporter) • 8 years ago
(In reply to Andrew Bartlett from comment #13)
> On Windows, it just means that both options, force-generic-ntlm and the SSPI
> implementation, will use EP, which is why we want to do this, so that the user
> can choose the generic one over SSPI without loss of EP.
Sounds good. Thanks.
Comment 15 • 7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Updated • 2 years ago
Severity: normal → S3