According to a report, sign/seal always fail when SPNEGO is negotiated.
Also, when NTLM is negotiated we force gss_wrap() to always seal, regardless of the conf_req flag; this may be incorrect.
Tests with various combinations vs Windows server and returned errors server_side_dump.txt
This is a very helpful comment from Rahul [via email]:
[...] we've come to know about a bug specific to using NTLM under SPNEGO regarding resetting the state of the RC4 cipher, and it is documented in MS-SPNG (https://msdn.microsoft.com/en-us/library/cc247021.aspx) section 3.3.5.1, as a deviation of the Microsoft implementation of SPNEGO from the specification:
3.3.5.1 NTLM RC4 Key State for MechListMIC and First Signed Message

When NTLM is negotiated, the SPNG client MUST set OriginalHandle to ClientHandle before generating the mechListMIC and then set ClientHandle to OriginalHandle after generating the mechListMIC. This results in the RC4 key state being the same for the mechListMIC and for the first message signed by the application. Because the RC4 key state is the same for the mechListMIC and for the first message signed by the application, the SPNG server MUST set OriginalHandle to ServerHandle before validating the mechListMIC and then set ServerHandle to OriginalHandle after validating the mechListMIC.
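The handle save/restore that MS-SPNG 3.3.5.1 describes, as an added example that is not part of the ticket or of the project's code: it shows that when only one peer restores the RC4 state after the mechListMIC, the first application signature no longer decrypts. The function names are hypothetical, and one constructed key with fixed 8-byte values stands in for the NTLM sealing key and the real signature checksums.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal RC4 state, standing in for the NTLM ClientHandle/ServerHandle. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_handle;

static void rc4_init(rc4_handle *h, const uint8_t *key, size_t len) {
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) h->s[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + h->s[i] + key[i % len]);
        uint8_t t = h->s[i]; h->s[i] = h->s[j]; h->s[j] = t;
    }
    h->i = h->j = 0;
}

/* Encrypt/decrypt 8 bytes (the sealed checksum field of an NTLM signature). */
static void rc4_crypt8(rc4_handle *h, const uint8_t in[8], uint8_t out[8]) {
    for (int n = 0; n < 8; n++) {
        h->i++; h->j = (uint8_t)(h->j + h->s[h->i]);
        uint8_t t = h->s[h->i]; h->s[h->i] = h->s[h->j]; h->s[h->j] = t;
        out[n] = in[n] ^ h->s[(uint8_t)(h->s[h->i] + h->s[h->j])];
    }
}

/* Process the mechListMIC checksum; reset=1 applies the 3.3.5.1 behaviour. */
static void mechlistmic(rc4_handle *h, int reset, const uint8_t in[8], uint8_t out[8]) {
    rc4_handle original = *h;          /* OriginalHandle = Handle */
    rc4_crypt8(h, in, out);
    if (reset) *h = original;          /* Handle = OriginalHandle */
}

/* Returns 1 if the server recovers the client's first application checksum. */
int first_sig_ok(int client_reset, int server_reset) {
    const uint8_t key[16] = "constructed-key";   /* constructed, not a real key */
    uint8_t mic_sum[8] = {1,2,3,4,5,6,7,8}, app_sum[8] = {9,8,7,6,5,4,3,2}, wire[8], got[8];
    rc4_handle client, server;         /* both keyed for the same direction */
    rc4_init(&client, key, sizeof key); rc4_init(&server, key, sizeof key);
    mechlistmic(&client, client_reset, mic_sum, wire);
    mechlistmic(&server, server_reset, wire, got);
    rc4_crypt8(&client, app_sum, wire);    /* first application signature */
    rc4_crypt8(&server, wire, got);
    return memcmp(got, app_sum, 8) == 0;
}

int main(void) {
    printf("both reset: %d, client skips reset: %d\n", first_sig_ok(1, 1), first_sig_ok(0, 1));
    return 0;
}
```

Two peers that both skip the restore also stay in sync, so the mismatch only appears when one side follows the documented Microsoft behaviour and the other does not.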
Metadata Update from @simo: - Issue assigned to simo
project migrated to github, please reopen there if still an issue
Metadata Update from @simo: - Issue close_status updated to: None - Issue priority set to: None (was: 3) - Issue status updated to: Closed (was: Open)