Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Duplicate
-
None
-
None
-
None
Description
QPID-7282 addressed the issue that the Java Broker was not sending the server-final message in the SCRAM-* SASL exchange, however this omission was not causing the clients to fail, since they blindly accept the server's acceptance of their credentials.
Clients implementing SCRAM-* or similar protocols which include a client verification step, should perform the verification of the server and fail or warn (to be configured by a system property) if the verification does not occur or it fails.
Attachments
Issue Links
- duplicates
-
QPIDJMS-294 The SCRAM-SHA-* SASL mechanisms should verify the server final message if it is sent in the additional-data field of sasl-outcome
- Closed
- relates to
-
QPID-7292 Qpid clients should verify the server-final message when using SCRAM-* authentication
- Closed