Uploaded image for project: 'Couchbase C client library libcouchbase'
  1. Couchbase C client library libcouchbase
  2. CCBC-1307

Cannot connect to external-auth clusters on non-TLS



    • Bug
    • Resolution: Fixed
    • Blocker
    • 3.0.5
    • 3.0.4
    • library
    • None
    • 1


      Due to the underlying requirements of LDAP external authentication, only PLAIN authentication is capable of using an externally defined user. To this end, in SDK 3.0, there was a safe-by-default heuristic devised to define the behaviour of an SDK with regards to authentication mechanism selection. The idea was that the SDK would have a predefined list of allowed mechanisms, and this would be matched to the servers list of mechanisms, and the most secure mechanism that existed in both lists would be selected. A part of this was that non-TLS and TLS connections would have a different set of predefined lists. TLS connections would contain only the PLAIN mechanism (since the server only has PLAIN on TLS anyways). Non-TLS connections would only contain SCRAM mechanisms (so we aren't as susceptible to downgrade attacks). Additionally, the user would be able to configured their own list of supported mechanisms. This means that by default, the SDK would never transmit user credentials over a non-TLS connection in PLAIN. Currently it appears that the C SDK has a block in place which makes it impossible for a user to force PLAIN usage over non-TLS connections, even purposefully (see: https://github.com/couchbase/libcouchbase/blob/12d8fcd63d1768525506358a4cb815400d051059/src/mcserver/negotiate.cc#L291-L293).

      The logic inside the C SDK should be modified such that:

      • Non-TLS connections should use (by default): SCRAM_SHA512, SCRAM_SHA256 or SCRAM_SHA1
      • TLS connections should use (by default): PLAIN
      • User-specified mechanism lists should be allowed, and permit the use of ANY mechanism (including PLAIN).

      Cheers, Brett


        Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.



              brett19 Brett Lawson
              brett19 Brett Lawson
              0 Vote for this issue
              1 Start watching this issue



                Gerrit Reviews

                  There are no open Gerrit changes